Bug 1214082

Summary: VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative Return Stack Overflow (XSA-434)
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carnold, ddavis, gianluca.gabrielli, ivan.ivanov, jbeulich, meissner, mhocko, mkoutny, nborisov, nik.borisov, security-team, thomas.leroy, tiwai, vbabka
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372386/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1213287    
Bug Blocks:    

Description Carlos López 2023-08-08 19:30:21 UTC 
+++ This bug was initially created as a clone of Bug #1213287 +++

            Xen Security Advisory CVE-2023-20569 / XSA-434

               x86/AMD: Speculative Return Stack Overflow

ISSUE DESCRIPTION
=================

Researchers from ETH Zurich have extended their prior research (XSA-422,
Branch Type Confusion, a.k.a Retbleed) and have discovered INCEPTION,
also know as RAS (Return Address Stack) Poisoning, and Speculative
Return Stack Overflow.

The RAS is updated when a CALL instruction is predicted, rather than at
a later point in the pipeline.  However, the RAS is still fundamentally
a circular stack.

It is possible to poison the branch type and target predictions such
that, at a point of the attackers choosing, the branch predictor
predicts enough CALLs back-to-back to wrap around the entire RAS and
overwrite a correct return prediction with one of the attackers
choosing.

This allows the attacker to control RET speculation in a victim context,
and leak arbitrary data as a result.

For more details, see:
  https://comsec.ethz.ch/inception
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005

IMPACT
======

An attacker might be able to infer the contents of memory belonging to
other guests.

VULNERABLE SYSTEMS
==================

Only CPUs from AMD are believed to be potentially vulnerable.  CPUs from
other manufacturers are not believed to be impacted.

At the time of writing, all in-support AMD CPUs (that is, Zen1 thru Zen4
microarchitectures) are believed to be potentially vulnerable.  Older
CPUs have not been analysed.

By default following XSA-422, Xen mitigates BTC on AMD Zen2 and older
CPUs by issuing an IBPB on entry to Xen.  On Zen2 and older CPUs, this
is believed to be sufficient to protect against SRSO too.

AMD Zen3 and Zen4 CPUs are susceptible to SRSO too.  All versions of Xen
are vulnerable on these CPUs.

MITIGATION
==========

On Zen3 and Zen4, there is no mitigation.

RESOLUTION
==========

AMD are producing microcode updates for Zen3 and Zen4.  Consult your
dom0 OS vendor.

With the microcode update applied, booting Xen with
`spec-ctrl=ibpb-entry` is sufficient to protect against SRSO.

The appropriate set of patches will default to using IBPB-on-entry on
Zen3 and Zen4 CPUs, as well as synthesise new CPUID bits for guests to
use in order to determine their susceptibility in a migration-safe way.

The patches for this issue interact texturally but not logically with
the fixes for XSA-435, which itself has complexities.  See XSA-435 for
details of how to obtain the fixes.
Comment 2 Maintenance Automation 2023-08-23 20:30:32 UTC 
SUSE-SU-2023:3395-1: An update that solves three vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.5_02-150400.4.31.1
openSUSE Leap Micro 5.3 (src): xen-4.16.5_02-150400.4.31.1
openSUSE Leap Micro 5.4 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_02-150400.4.31.1
Basesystem Module 15-SP4 (src): xen-4.16.5_02-150400.4.31.1
Server Applications Module 15-SP4 (src): xen-4.16.5_02-150400.4.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2023-08-28 12:30:25 UTC 
SUSE-SU-2023:3447-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1027519, 1212684, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
Server Applications Module 15-SP5 (src): xen-4.17.2_02-150500.3.6.1
openSUSE Leap 15.5 (src): xen-4.17.2_02-150500.3.6.1
Basesystem Module 15-SP5 (src): xen-4.17.2_02-150500.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2023-08-28 12:30:30 UTC 
SUSE-SU-2023:3446-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1027519, 1204489, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Manager Proxy 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Manager Server 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_02-150300.3.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-08-30 20:30:06 UTC 
SUSE-SU-2023:3496-1: An update that solves three vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1027519, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Enterprise Storage 7 (src): xen-4.13.5_02-150200.3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-08-30 20:30:09 UTC 
SUSE-SU-2023:3495-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_36-3.91.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-08-30 20:30:12 UTC 
SUSE-SU-2023:3494-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_36-150100.3.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Charles Arnold 2023-10-25 20:03:41 UTC 
Submission done.
Comment 13 Marcus Meissner 2024-01-24 10:14:13 UTC 
done