Linux Patched For Unsafe Xen Behavior Around CPU Speculative Attack Protections

Written by Michael Larabel in Virtualization on 17 December 2024 at 04:36 PM EST. 13 Comments
Merged today into the Linux kernel are fixes, on the guest side, for two Xen security advisories. One concerns a malicious network backend being able to crash a Linux guest after a suspend/resume cycle. The more pressing one is that the Xen-provided hypercall page is not covered by the guest kernel's mitigations against speculative-execution CPU attacks.

The merge into the Linux 6.13 Git tree fixes both issues, and the patches are to be back-ported to the affected stable series. XSA-465 is the advisory tracking the Xen netfront crash, while XSA-466 covers the speculation mitigations not being applied to the hypercall page.

XSA-466 is tracked as CVE-2024-53241. The Xen.org advisory describes why mitigations applied by the Linux guest OS do not extend to the hypercall page:
"Xen guests need to use different processor instructions to make explicit calls into the Xen hypervisor depending on guest type and/or CPU vendor. In order to hide those differences, the hypervisor can fill a hypercall page with the needed instruction sequences, allowing the guest operating system to call into the hypercall page instead of having to choose the correct instructions.

The hypercall page contains whole functions, which are written by the hypervisor and executed by the guest. With the lack of an interface between the guest OS and the hypervisor specifying what a potential modification of those functions should look like, the Xen hypervisor has no knowledge of what any potential mitigation should look like or which hardening features should be put into place.

This results in potential vulnerabilities if the guest OS is using any speculative mitigation that performs a compiler transform on "ret" instructions in order to work (e.g. the Linux kernel rethunk or safe-ret mitigations).

Furthermore, the hypercall page has no provision for Control-flow Integrity schemes (e.g. kCFI/CET-IBT/FineIBT), and will simply malfunction in such configurations."

To address this, the Linux kernel's Xen support no longer calls into the hypervisor-written hypercall page. It now carries its own hypercall entry functions, selected at boot according to guest type and CPU vendor, and calls them like any other kernel code. Because those functions are compiled and linked with the kernel, the return-thunk/safe-ret transforms and the control-flow-integrity instrumentation (kCFI, CET-IBT, FineIBT) cover them; the bare RET instructions in the hypercall page were never subject to either, so a guest could believe it was mitigated while every hypercall returned through an unmitigated RET.
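The following C program is an added illustration, not code from the article, the Linux kernel or the Xen project. It models the hypercall page as the advisory describes it: one fixed-format stub per hypercall number, written as raw bytes by the hypervisor, ending in a bare RET and starting without an ENDBR64. The 32-byte slot layout and the exact stub byte sequences (mov imm32, %eax; syscall/vmcall/vmmcall; ret) are assumptions made for this example. A small audit routine then counts what the guest's mitigations cannot reach, a plain 0xc3 return and a missing ENDBR64, and, for contrast, classifies a hand-written stub of the shape a compiler emits under a return-thunk build (ENDBR64 up front, a jmp to the return thunk in place of RET).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the hypercall page assumed for this example: a 4 KiB page holding
 * one 32-byte stub per hypercall number, each stub being
 *     mov $nr, %eax ; <trap instruction> ; ret
 * where the trap instruction depends on guest type / CPU vendor
 * (syscall for 64-bit PV, vmcall on Intel HVM, vmmcall on AMD HVM).
 */
#define HC_PAGE_SIZE 4096
#define HC_SLOT_SIZE 32
#define HC_NR_SLOTS  (HC_PAGE_SIZE / HC_SLOT_SIZE)

enum guest_kind { GUEST_PV64, GUEST_HVM_INTEL, GUEST_HVM_AMD };

struct hc_audit {
    int slots;          /* stubs examined */
    int bare_rets;      /* stubs ending in a plain 0xc3 RET */
    int missing_endbr;  /* stubs that do not start with ENDBR64 */
};

/* Write the stubs the way a hypervisor would: raw bytes, no ENDBR64, a bare
 * RET. The hypervisor cannot know which mitigations the guest was built with. */
static void fill_hypercall_page(uint8_t *page, enum guest_kind kind)
{
    static const uint8_t syscall_insn[] = { 0x0f, 0x05 };        /* syscall */
    static const uint8_t vmcall_insn[]  = { 0x0f, 0x01, 0xc1 };  /* vmcall  */
    static const uint8_t vmmcall_insn[] = { 0x0f, 0x01, 0xd9 };  /* vmmcall */
    const uint8_t *trap;
    size_t trap_len;

    switch (kind) {
    case GUEST_PV64:      trap = syscall_insn; trap_len = sizeof syscall_insn; break;
    case GUEST_HVM_INTEL: trap = vmcall_insn;  trap_len = sizeof vmcall_insn;  break;
    default:              trap = vmmcall_insn; trap_len = sizeof vmmcall_insn; break;
    }

    memset(page, 0xcc, HC_PAGE_SIZE);            /* int3 padding between stubs */
    for (int nr = 0; nr < HC_NR_SLOTS; nr++) {
        uint8_t *p = page + nr * HC_SLOT_SIZE;
        *p++ = 0xb8;                             /* mov imm32, %eax */
        *p++ = (uint8_t)nr; *p++ = 0; *p++ = 0; *p++ = 0;
        memcpy(p, trap, trap_len);
        p += trap_len;
        *p = 0xc3;                               /* ret: no thunk, no alternative */
    }
}

static int is_endbr64(const uint8_t *p)
{
    return p[0] == 0xf3 && p[1] == 0x0f && p[2] == 0x1e && p[3] == 0xfa;
}

/* Classify one slot. Trailing 0xcc padding is skipped. This is adequate for
 * the fixed-format stubs above and is not a substitute for a disassembler. */
static void audit_slot(const uint8_t *slot, int *ends_in_bare_ret, int *starts_with_endbr)
{
    int last = HC_SLOT_SIZE - 1;
    while (last > 0 && slot[last] == 0xcc)
        last--;
    *ends_in_bare_ret = (slot[last] == 0xc3);
    *starts_with_endbr = is_endbr64(slot);
}

static struct hc_audit audit_hypercall_page(const uint8_t *page)
{
    struct hc_audit a = { 0, 0, 0 };
    for (int nr = 0; nr < HC_NR_SLOTS; nr++) {
        int bare_ret, endbr;
        audit_slot(page + nr * HC_SLOT_SIZE, &bare_ret, &endbr);
        a.slots++;
        a.bare_rets += bare_ret;
        a.missing_endbr += !endbr;
    }
    return a;
}

/* Build a page for one guest kind and audit it. */
static struct hc_audit audit_page_for(enum guest_kind kind)
{
    static uint8_t page[HC_PAGE_SIZE];
    fill_hypercall_page(page, kind);
    return audit_hypercall_page(page);
}

/* Audit a single hand-supplied stub, padded to one slot. */
static struct hc_audit audit_stub(const uint8_t *stub, size_t len)
{
    uint8_t slot[HC_SLOT_SIZE];
    struct hc_audit a = { 1, 0, 0 };
    int bare_ret, endbr;
    memset(slot, 0xcc, sizeof slot);
    memcpy(slot, stub, len < sizeof slot ? len : sizeof slot);
    audit_slot(slot, &bare_ret, &endbr);
    a.bare_rets = bare_ret;
    a.missing_endbr = !endbr;
    return a;
}

int main(void)
{
    static const char *names[] = { "PV64", "HVM/Intel", "HVM/AMD" };
    /* Constructed stub of the shape a compiler emits under a return-thunk,
     * IBT-enabled build: endbr64 ; vmcall ; jmp <return thunk>. */
    static const uint8_t compiled_stub[] = {
        0xf3, 0x0f, 0x1e, 0xfa, 0x0f, 0x01, 0xc1, 0xe9, 0x00, 0x01, 0x00, 0x00
    };
    for (int k = GUEST_PV64; k <= GUEST_HVM_AMD; k++) {
        struct hc_audit a = audit_page_for((enum guest_kind)k);
        printf("%-10s stubs=%d bare_ret=%d no_endbr=%d\n",
               names[k], a.slots, a.bare_rets, a.missing_endbr);
    }
    struct hc_audit c = audit_stub(compiled_stub, sizeof compiled_stub);
    printf("compiled   stubs=%d bare_ret=%d no_endbr=%d\n",
           c.slots, c.bare_rets, c.missing_endbr);
    return 0;
}
```

Every stub in the modelled page ends in a bare RET and none carries ENDBR64, regardless of guest type; the compiler-shaped stub shows the two properties the in-kernel replacement functions gain for free. On a real system the same check would be run against the page the guest actually received, not a model, and with a proper decoder.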

The patches are marked for back-porting to the stable Linux LTS series as well.