Bug 928620 (CVE-2023-28746, CVE-2023-46841, CVE-2024-2193, XSA-451, XSA-452, XSA-453) - <app-emulation/xen-4.17.4_pre2: multiple vulnerabilities
Summary: <app-emulation/xen-4.17.4_pre2: multiple vulnerabilities
Alias: CVE-2023-28746, CVE-2023-46841, CVE-2024-2193, XSA-451, XSA-452, XSA-453
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa? cleanup]
Keywords: PullRequest
Depends on: 928665
Reported: 2024-04-05 07:05 UTC by Tomáš Mózes
Modified: 2024-04-06 06:17 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tomáš Mózes 2024-04-05 07:05:41 UTC

x86: shadow stack vs exceptions from emulation stubs

Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET).  A sub-feature of this are Shadow Stacks (CET-SS).
CET-SS is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data
and return addresses are accompanied by so called "shadow stacks",
holding little more than return addresses.  Shadow stacks aren't
writable by normal instructions, and upon function returns their
contents are used to check for possible manipulation of a return address
coming from the traditional stack.

In particular certain memory accesses need intercepting by Xen.  In
various cases the necessary emulation involves kind of replaying of
the instruction.  Such replaying typically involves filling and then
invoking of a stub.  Such a replayed instruction may raise an
exception, which is expected and dealt with accordingly.

Unfortunately the interaction of both of the above wasn't right:
Recovery involves removal of a call frame from the (traditional) stack.
The counterpart of this operation for the shadow stack was missing.

x86: Register File Data Sampling

Intel have disclosed RFDS, Register File Data Sampling, affecting some
Atom cores.

This came from internal validation work.  There is no information
provided about how an attacker might go about inferring data from the
register files.

GhostRace: Speculative Race Conditions

Researchers at VU Amsterdam and IBM Research have discovered GhostRace;
an analysis of the behaviour of synchronisation primitives under
speculative execution.

Synchronisation primitives are typically formed as an unbounded loop
which waits until a resource is available to be accessed.  This means
there is a conditional branch which can be microarchitecturally bypassed
using Spectre-v1 techniques, allowing an attacker to speculatively
execute critical regions.

Therefore, while a critical region might be safe architecturally, it can
still suffer from data races under speculation with unsafe consequences.

The GhostRace paper focuses on Speculative Concurrent Use-After-Free
issues, but notes that there are many other types of speculative data
hazard to be explored.
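The speculative race pattern described in the GhostRace paragraph above, as an added example that is not part of the advisory text, of Xen, or of the reporter's comment: a toy spin lock whose acquire loop ends in the conditional branch the advisory talks about, beside a variant that places a speculation barrier after acquisition. The barrier is assumed here to be LFENCE on x86 (a compiler-only fence elsewhere); this is one common mitigation shape, not a description of the XSA-453 patch. Both variants are architecturally correct, which the contention run confirms; the difference between them exists only for transient execution, which a user-space program like this cannot observe directly.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a spin lock with a conditional acquire loop, the
 * shape GhostRace attacks.  Not Xen code. */
struct ghost_lock { atomic_bool held; };

static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    /* LFENCE: later instructions do not execute, even transiently, until
     * it retires.  Assumed adequate as a Spectre-v1 barrier on x86. */
    __asm__ __volatile__("lfence" ::: "memory");
#else
    /* Assumption: other targets get only a compiler barrier here. */
    atomic_signal_fence(memory_order_seq_cst);
#endif
}

/* Unsafe acquire: the critical region after this call is protected
 * architecturally, but a mispredicted loop-exit branch lets the CPU run
 * that region transiently while another thread still owns the lock. */
static void lock_acquire_unsafe(struct ghost_lock *l)
{
    bool expected;
    do {
        expected = false;
    } while (!atomic_compare_exchange_weak_explicit(
                 &l->held, &expected, true,
                 memory_order_acquire, memory_order_relaxed));
}

/* Hardened acquire: same loop, then a speculation barrier so the critical
 * region cannot start executing transiently before the lock is truly held. */
static void lock_acquire_hardened(struct ghost_lock *l)
{
    lock_acquire_unsafe(l);
    speculation_barrier();
}

static void lock_release(struct ghost_lock *l)
{
    atomic_store_explicit(&l->held, false, memory_order_release);
}

/* Lock-guarded shared state touched by several threads. */
struct guarded {
    struct ghost_lock lock;
    uint64_t counter;
};

struct worker_arg {
    struct guarded *g;
    int iters;
    bool hardened;
};

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iters; i++) {
        if (a->hardened)
            lock_acquire_hardened(&a->g->lock);
        else
            lock_acquire_unsafe(&a->g->lock);
        a->g->counter++;               /* critical region */
        lock_release(&a->g->lock);
    }
    return NULL;
}

/* Runs nthreads workers (capped at 64), each doing iters locked increments,
 * and returns the final counter.  Both lock variants are architecturally
 * correct, so the result is nthreads * iters either way; only transient
 * execution can tell them apart. */
uint64_t run_contention(int nthreads, int iters, bool hardened)
{
    struct guarded g = { .lock = { .held = false }, .counter = 0 };
    pthread_t tid[64];
    struct worker_arg arg = { .g = &g, .iters = iters, .hardened = hardened };

    if (nthreads > 64)
        nthreads = 64;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tid[i], NULL, worker, &arg);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tid[i], NULL);
    return g.counter;
}

int main(void)
{
    printf("unsafe:   %llu\n", (unsigned long long)run_contention(4, 100000, false));
    printf("hardened: %llu\n", (unsigned long long)run_contention(4, 100000, true));
    return 0;
}
```

Build with `-pthread`. The point to take from the two acquire functions is that the architectural lock semantics are identical; what the barrier changes is only what the core is allowed to do between mispredicting the loop exit and discovering the misprediction, which is exactly the window the advisory says a critical region can be speculatively entered in.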
Comment 1 Larry the Git Cow gentoo-dev 2024-04-05 15:59:57 UTC
The bug has been referenced in the following commit(s):

commit dc44fdfb57631d91873825fd0a3412bd813b6780
Author:     Tomáš Mózes <>
AuthorDate: 2024-04-05 07:57:33 +0000
Commit:     Florian Schmaus <>
CommitDate: 2024-04-05 15:59:39 +0000

    app-emulation/xen: add 4.17.4_pre2
    Fixes XSA-451, XSA-452, XSA-453
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Florian Schmaus <>

 app-emulation/xen/Manifest               |   1 +
 app-emulation/xen/xen-4.17.4_pre2.ebuild | 179 +++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)

commit c12cea4a6ddfbad3a990e594ce72f8cfa034b168
Author:     Tomáš Mózes <>
AuthorDate: 2024-04-05 07:55:53 +0000
Commit:     Florian Schmaus <>
CommitDate: 2024-04-05 15:59:38 +0000

    app-emulation/xen-tools: add 4.17.4_pre2
    Fixes XSA-451, XSA-452, XSA-453
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Florian Schmaus <>

 app-emulation/xen-tools/Manifest                   |   2 +
 .../xen-tools/xen-tools-4.17.4_pre2.ebuild         | 524 +++++++++++++++++++++
 2 files changed, 526 insertions(+)