
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN014
_____________________________________________________________________

DATE                : 15/01/2020

HARDWARE PLATFORM(S): arm.

OPERATING SYSTEM(S): Systems running Xen.

=====================================================================
https://xenbits.xen.org/xsa/advisory-312.html
_____________________________________________________________________

                    Xen Security Advisory XSA-312

          arm: a CPU may speculate past the ERET instruction

ISSUE DESCRIPTION
=================

Some CPUs can speculate past an ERET instruction and potentially perform
speculative accesses to memory before processing the exception return.
Since the register state is often controlled by a lower privilege level
(i.e. guest kernel/userspace) at the point of the ERET, this could
potentially be used as part of a side-channel attack.

IMPACT
======

An attacker, which could include a malicious untrusted user process on
a trusted guest, or an untrusted guest, may be able to use it as part of
a side-channel attack to read host memory.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Whether an individual Arm-based CPU is vulnerable depends on its
speculation properties.  Consult your CPU vendor.

x86 systems are not vulnerable.

MITIGATION
==========

There is no mitigation available.

NOTE REGARDING LACK OF EMBARGO
==============================

This was reported publicly, as affecting other Open Source projects,
before the Xen Project Security Team was made aware.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa312.patch           xen-unstable, Xen 4.13 - 4.12
xsa312-4.11.patch      Xen 4.11 - 4.10
xsa312-4.9.patch       Xen 4.9

$ sha256sum xsa312*
112c9d77f964174db5709c758626a2bd5fec9bfdacc89fbc96f1ddd44aca6bbf  xsa312.meta
9b2078d448e4815c9ddc6554bf869d64412dc787b1b94830a24e47df6a9f30e7  xsa312.patch
29b95d6ea0295e124c3cfd5b1611ae341bb195d1c441ee69976e2f74cde652a8  xsa312-4.9.patch
8d64b3039c570f4b5c82abbbcf2714ec3b60db55fe3e1b3bb838df7dfaf627e9  xsa312-4.11.patch
$
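
The patch table and the checksum list above can be combined into one check to run before a patch is applied. This is an added example, not part of the advisory or of the Xen Project's tooling; the function names are hypothetical, and it assumes the patch files are already in one directory and that sha256sum is available.

```shell
#!/bin/sh
# Added example: choose the XSA-312 patch for a Xen version and check its SHA-256.
# File names and digests are copied from the advisory; function names are hypothetical.

# Map a Xen version ("unstable", "4.13", "4.12.1", ...) to the advisory's patch file.
xsa312_patch_for() {
    case "$1" in
        unstable|4.13|4.13.*|4.12|4.12.*) echo "xsa312.patch" ;;
        4.11|4.11.*|4.10|4.10.*)          echo "xsa312-4.11.patch" ;;
        4.9|4.9.*)                        echo "xsa312-4.9.patch" ;;
        *) return 1 ;;  # version not listed in the advisory
    esac
}

# Digest the advisory publishes for each patch file.
xsa312_digest_for() {
    case "$1" in
        xsa312.patch)      echo "9b2078d448e4815c9ddc6554bf869d64412dc787b1b94830a24e47df6a9f30e7" ;;
        xsa312-4.11.patch) echo "8d64b3039c570f4b5c82abbbcf2714ec3b60db55fe3e1b3bb838df7dfaf627e9" ;;
        xsa312-4.9.patch)  echo "29b95d6ea0295e124c3cfd5b1611ae341bb195d1c441ee69976e2f74cde652a8" ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file exists and its SHA-256 equals the expected digest.
verify_sha256() {
    [ -f "$1" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# usage: check_xsa312_patch <xen-version> <directory-holding-the-patches>
check_xsa312_patch() {
    patch=$(xsa312_patch_for "$1") || {
        echo "no XSA-312 patch listed for Xen $1" >&2
        return 1
    }
    digest=$(xsa312_digest_for "$patch")
    if verify_sha256 "$2/$patch" "$digest"; then
        echo "$patch: digest matches the advisory"
    else
        echo "$patch: missing or digest mismatch, do not apply" >&2
        return 1
    fi
}

# Run the check when called with two arguments: <xen-version> <directory>
if [ "$#" -eq 2 ]; then check_xsa312_patch "$1" "$2"; fi
```

A version outside the advisory's table returns non-zero rather than falling back to the nearest patch, so an unsupported branch is noticed instead of silently patched with the wrong file.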
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



