Bug 1219885 (CVE-2023-46841)

Summary: VUL-0: CVE-2023-46841: xen: x86: shadow stack vs exceptions from emulation stubs
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: camila.matos, carnold, jbeulich
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/393883/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46841:6.5:(AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Attached patches; v2 patches

Description Carlos López 2024-02-13 14:18:47 UTC
Created attachment 872714 [details]
Attached patches

Xen Security Advisory CVE-2023-46841 / XSA-451

         x86: shadow stack vs exceptions from emulation stubs

              *** EMBARGOED UNTIL 2024-02-27 12:00 UTC ***

ISSUE DESCRIPTION
=================

Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET).  A sub-feature of this are Shadow Stacks (CET-SS).
CET-SS is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data
and return addresses are accompanied by so called "shadow stacks",
holding little more than return addresses.  Shadow stacks aren't
writable by normal instructions, and upon function returns their
contents are used to check for possible manipulation of a return address
coming from the traditional stack.

In particular certain memory accesses need intercepting by Xen.  In
various cases the necessary emulation involves kind of replaying of
the instruction.  Such replaying typically involves filling and then
invoking of a stub.  Such a replayed instruction may raise an
exception, which is expected and dealt with accordingly.

Unfortunately the interaction of both of the above wasn't right:
Recovery involves removal of a call frame from the (traditional) stack.
The counterpart of this operation for the shadow stack was missing.

IMPACT
======

An unprivileged guest can cause a hypervisor crash, causing a Denial of
Service (DoS) of the entire host.

VULNERABLE SYSTEMS
==================

Xen 4.14 and onwards are vulnerable.  Xen 4.13 and older are not
vulnerable.

Only x86 systems with CET enabled are vulnerable.  x86 systems with CET
unavailable or disabled are not vulnerable.  Arm systems are not
vulnerable.

Only HVM or PVH guests can leverage the vulnerability.  PV guests cannot
leverage the vulnerability.

MITIGATION
==========

While in principle it is possible to disable use of CET on capable
systems using the "cet=no-shstk" command line option, doing so disables
an important security feature and may therefore not be advisable.

RESOLUTION
==========

Applying the appropriate (set of) attached patch(es) resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa451-?.patch         xen-unstable
xsa451-4.18.patch      Xen 4.18.x
xsa451-4.17.patch      Xen 4.17.x
xsa451-4.16.patch      Xen 4.16.x
xsa451-4.15.patch      Xen 4.15.x

$ sha256sum xsa451*
34f5c2e86e2a952210edf54df338844b8dfd2a5fd10df65a5ab2319ef49374af  xsa451-1.patch
42f67740e46063f8d13f8f7382cdacac24f4817ef3147e555e765df75e62f8be  xsa451-2.patch
e338418ff197b835465faa1d4e97e934582465c448fd91604d39709ba46c7842  xsa451-3.patch
77b06373286788448336b50efd2d636fc1ba177a4599f62f6f00f90013356f2a  xsa451-4.15.patch
ae07e7cc28ab366301bf5bba5e5eff433a3f38c21a479ed050d61636761fdb92  xsa451-4.16.patch
d8ef9f727187bd90434aad185958115dd7b57a59e3cef7e4399fb62d59d58da0  xsa451-4.17.patch
f1fd87ed1c76cb94b53a62ffe4dfc23a2bb102a10d9142feaba521e7cc3de210  xsa451-4.18.patch
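To make the failure mode in the ISSUE DESCRIPTION concrete, the following is an added model of a CET-SS call/return sequence; it is not Xen code and not part of the advisory. It unwinds a faulting stub's frame once without the matching shadow-stack pop (the bug) and once with it (the fix); the return addresses and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Minimal model of a CET-SS capable CPU: a data stack and a shadow stack.
 * Only return addresses are modelled; all addresses are constructed values. */
struct cpu {
    uintptr_t stack[8];   /* traditional stack, writable by normal stores */
    uintptr_t shstk[8];   /* shadow stack, touched only by CALL/RET/INCSSP */
    size_t sp, ssp;
    bool cp_fault;        /* #CP raised; inside the hypervisor that is fatal */
};

/* CALL pushes the return address on both stacks. */
static void do_call(struct cpu *c, uintptr_t ret) {
    c->stack[c->sp++] = ret;
    c->shstk[c->ssp++] = ret;
}

/* RET pops both stacks and compares them; a mismatch raises #CP. */
static uintptr_t do_ret(struct cpu *c) {
    uintptr_t from_stack = c->stack[--c->sp];
    uintptr_t from_shstk = c->shstk[--c->ssp];
    if (from_stack != from_shstk) {
        c->cp_fault = true;   /* control protection fault */
        return 0;
    }
    return from_stack;
}

/* Exception fixup that discards the faulting stub's call frame. The
 * vulnerable variant unwinds only the data stack; the fixed variant also
 * drops the shadow stack entry (on real hardware: INCSSP). */
static void recover_vulnerable(struct cpu *c) { c->sp--; }
static void recover_fixed(struct cpu *c)      { c->sp--; c->ssp--; }

/* Scenario from the advisory: the emulator calls a stub, the replayed
 * instruction faults, the fixup unwinds the stub frame, and the emulator
 * later returns to its caller. True when that return lands correctly. */
static bool emulate_and_return(void (*recover)(struct cpu *)) {
    struct cpu c = {0};
    const uintptr_t caller_ret = 0x1000, emulator_ret = 0x2000;
    do_call(&c, caller_ret);     /* caller -> emulator */
    do_call(&c, emulator_ret);   /* emulator -> stub */
    recover(&c);                 /* stub raised an exception; drop its frame */
    return do_ret(&c) == caller_ret && !c.cp_fault;
}
/* Named results: the unfixed path ends in #CP, i.e. a hypervisor crash. */
bool vulnerable_path_crashes(void) { return !emulate_and_return(recover_vulnerable); }
bool fixed_path_returns_ok(void)   { return emulate_and_return(recover_fixed); }
```

The mismatch is only detected at the emulator's next RET, which is why the advisory describes the consequence as a hypervisor crash rather than a fault inside the stub itself.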
Comment 1 Carlos López 2024-02-13 15:26:51 UTC
(In reply to Carlos López from comment #0)
> VULNERABLE SYSTEMS
> ==================
> 
> Xen 4.14 and onwards are vulnerable.  Xen 4.13 and older are not
> vulnerable.

Tracking SUSE:SLE-15-SP3:Update and newer as affected.
Comment 4 Carlos López 2024-02-27 12:19:40 UTC
Created attachment 873037 [details]
v2 patches

            Xen Security Advisory CVE-2023-46841 / XSA-451
                               version 2

         x86: shadow stack vs exceptions from emulation stubs

UPDATES IN VERSION 2
====================

Largely cosmetic adjustment in patches.

Public release.

(...)

xsa451-?.patch         xen-unstable
xsa451-4.18.patch      Xen 4.18.x
xsa451-4.17.patch      Xen 4.17.x
xsa451-4.16.patch      Xen 4.16.x
xsa451-4.15.patch      Xen 4.15.x

$ sha256sum xsa451*
446178a9a37646e62622988efffa3d1ffa0b579fc089ab79138507acfd3440c0  xsa451-1.patch
614ab6925ea60f36212f0cd01929f3a97161de1828040770792e146c170bfea2  xsa451-2.patch
ad529273d7dc97bff239f1727a9702eb24d41b723d2a3077a1fecc4684900f91  xsa451-3.patch
2c68480657220cfab92fe9821ce201ff7c9e0b541619a1add541f3d66fa13e9d  xsa451-4.15.patch
fa8ab72e61fae0130fb81b0a7ce508fdb3bcb3c800b0ab7684aa6595cbad88ea  xsa451-4.16.patch
e41cab6471586a5f50e10eb26895fec624cc6d8fd3b4ff71495466df8aaa19e5  xsa451-4.17.patch
d6b76a8db6c80c0684fc94becc2e23091c8f1dcbebc726438dbb1a6cde543335  xsa451-4.18.patch
Comment 5 Carlos López 2024-02-27 12:20:23 UTC
Public:
https://xenbits.xen.org/xsa/advisory-451.html
Comment 7 OBSbugzilla Bot 2024-03-01 19:35:01 UTC
This is an autogenerated message for OBS integration:
This bug (1219885) was mentioned in
https://build.opensuse.org/request/show/1154130 Factory / xen
Comment 8 Maintenance Automation 2024-03-11 12:30:11 UTC
SUSE-SU-2024:0830-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1218851, 1219080, 1219885
CVE References: CVE-2023-46839, CVE-2023-46840, CVE-2023-46841
Sources used:
openSUSE Leap 15.5 (src): xen-4.17.3_06-150500.3.24.1
SUSE Linux Enterprise Micro 5.5 (src): xen-4.17.3_06-150500.3.24.1
Basesystem Module 15-SP5 (src): xen-4.17.3_06-150500.3.24.1
Server Applications Module 15-SP5 (src): xen-4.17.3_06-150500.3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2024-03-22 12:31:44 UTC
SUSE-SU-2024:0935-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219885
CVE References: CVE-2023-46841
Maintenance Incident: [SUSE:Maintenance:32847](https://smelt.suse.de/incident/32847/)
Sources used:
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_12-150300.3.66.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_12-150300.3.66.1
openSUSE Leap 15.3 (src): xen-4.14.6_12-150300.3.66.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_12-150300.3.66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-03-22 12:31:46 UTC
SUSE-SU-2024:0934-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219885
CVE References: CVE-2023-46841
Maintenance Incident: [SUSE:Maintenance:32846](https://smelt.suse.de/incident/32846/)
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.5_14-150400.4.49.1
openSUSE Leap Micro 5.3 (src): xen-4.16.5_14-150400.4.49.1
openSUSE Leap Micro 5.4 (src): xen-4.16.5_14-150400.4.49.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_14-150400.4.49.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_14-150400.4.49.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_14-150400.4.49.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_14-150400.4.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-04-08 12:31:24 UTC
SUSE-SU-2024:1102-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1219885, 1221332, 1221334
CVE References: CVE-2023-28746, CVE-2023-46841, CVE-2024-2193
Maintenance Incident: [SUSE:Maintenance:33142](https://smelt.suse.de/incident/33142/)
Sources used:
openSUSE Leap 15.5 (src): xen-4.17.3_08-150500.3.27.1
SUSE Linux Enterprise Micro 5.5 (src): xen-4.17.3_08-150500.3.27.1
Basesystem Module 15-SP5 (src): xen-4.17.3_08-150500.3.27.1
Server Applications Module 15-SP5 (src): xen-4.17.3_08-150500.3.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Charles Arnold 2024-04-11 20:14:57 UTC
This has been released to all relevant distros.