Bugzilla – Bug 1209019
VUL-0: CVE-2022-42331: xen: x86: speculative vulnerability in 32bit SYSCALL path (XSA-429)
Last modified: 2023-04-27 16:30:34 UTC
Created attachment 865334 [details] Attached patches Xen Security Advisory CVE-2022-42331 / XSA-429 x86: speculative vulnerability in 32bit SYSCALL path *** EMBARGOED UNTIL 2023-03-21 12:00 UTC *** ISSUE DESCRIPTION ================= Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only x86 CPUs are potentially vulnerable. CPUs of other architectures are not vulnerable. The problematic codepath is only reachable on x86 CPUs which follow AMD's behaviour with respect to SYSCALL instructions from compatibility mode segments. This means that AMD and Hygon CPUs are potentially vulnerable, whereas Intel CPUs are not. Other vendors have not been checked. Only PV guests can leverage the vulnerability. On Xen 4.16 and later, the vulnerability is only present if 32bit PV guest support is compiled in - i.e. CONFIG_PV32=y. On Xen 4.15 and older, all supported build configurations are vulnerable. The vulnerability is only present when booting on hardware that supports SMEP or SMAP (Supervisor Mode Execution/Access Prevention). This is believed to be some Family 0x16 models, and all later CPUs. MITIGATION ========== Not running untrusted PV guests will avoid the issue. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa429.patch xen-unstable - Xen 4.16 xsa429-4.15.patch Xen 4.15 - Xen 4.14 $ sha256sum xsa429* 2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0 xsa429.meta 36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540 xsa429.patch 7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7 xsa429-4.15.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html
(In reply to Carlos López from comment #0) > VULNERABLE SYSTEMS > ================== > > All versions of Xen are vulnerable. Imo this isn't correct - the offending code doesn't exist in 4.4 and older. This is under discussion upstream.
Xen Security Advisory CVE-2022-42331 / XSA-429 version 2 x86: speculative vulnerability in 32bit SYSCALL path *** EMBARGOED UNTIL 2023-03-21 12:00 UTC *** UPDATES IN VERSION 2 ==================== Update affected versions. ISSUE DESCRIPTION ================= Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== Xen versions 4.5 through 4.17 are vulnerable. Older versions are not vulnerable. Only x86 CPUs are potentially vulnerable. CPUs of other architectures are not vulnerable. The problematic codepath is only reachable on x86 CPUs which follow AMD's behaviour with respect to SYSCALL instructions from compatibility mode segments. This means that AMD and Hygon CPUs are potentially vulnerable, whereas Intel CPUs are not. Other vendors have not been checked. Only PV guests can leverage the vulnerability. On Xen 4.16 and later, the vulnerability is only present if 32bit PV guest support is compiled in - i.e. CONFIG_PV32=y. On Xen 4.15 and older, all supported build configurations are vulnerable. The vulnerability is only present when booting on hardware that supports SMEP or SMAP (Supervisor Mode Execution/Access Prevention). This is believed to be some Family 0x16 models, and all later CPUs. MITIGATION ========== Not running untrusted PV guests will avoid the issue. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa429.patch xen-unstable - Xen 4.16 xsa429-4.15.patch Xen 4.15 - Xen 4.14 $ sha256sum xsa429* 2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0 xsa429.meta 36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540 xsa429.patch 7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7 xsa429-4.15.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html
(In reply to Jan Beulich from comment #3) > (In reply to Carlos López from comment #0) > > VULNERABLE SYSTEMS > > ================== > > > > All versions of Xen are vulnerable. > > Imo this isn't correct - the offending code doesn't exist in 4.4 and older. > This is under discussion upstream. Right, so SUSE:SLE-12-SP2:Update and newer (which I see are already submitted).
Public: https://www.openwall.com/lists/oss-security/2023/03/21/3
SUSE-SU-2023:0862-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1209017, 1209018, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.4_20-150200.3.71.1 SUSE Enterprise Storage 7 (src): xen-4.13.4_20-150200.3.71.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0859-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1209017, 1209018, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334 Sources used: SUSE OpenStack Cloud 9 (src): xen-4.11.4_38-2.89.1 SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_38-2.89.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): xen-4.11.4_38-2.89.1 SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): xen-4.11.4_38-2.89.1 SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): xen-4.11.4_38-2.89.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0858-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1209017, 1209018, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_34-150100.3.86.1 SUSE CaaS Platform 4.0 (src): xen-4.12.4_34-150100.3.86.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0848-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1209017, 1209018, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334 Sources used: openSUSE Leap Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1 openSUSE Leap 15.4 (src): xen-4.16.3_06-150400.4.25.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.3_06-150400.4.25.1 SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1 Basesystem Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1 Server Applications Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0847-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1209017, 1209018, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334 Sources used: SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1 SUSE Linux Enterprise Real Time 15 SP3 (src): xen-4.14.5_12-150300.3.48.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.5_12-150300.3.48.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.5_12-150300.3.48.1 SUSE Manager Proxy 4.2 (src): xen-4.14.5_12-150300.3.48.1 SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.5_12-150300.3.48.1 SUSE Manager Server 4.2 (src): xen-4.14.5_12-150300.3.48.1 SUSE Enterprise Storage 7.1 (src): xen-4.14.5_12-150300.3.48.1 SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.5_12-150300.3.48.1 SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.5_12-150300.3.48.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.5_12-150300.3.48.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0846-1: An update that solves two vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1209017, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332 Sources used: SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): xen-4.7.6_32-43.104.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0845-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1209017, 1209018, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_34-3.88.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_34-3.88.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_34-3.88.1 SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_34-3.88.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.
SUSE-SU-2023:0848-2: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1209017, 1209018, 1209019, 1209188 CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334 Sources used: SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.3_06-150400.4.25.1 SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.3_06-150400.4.25.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.