[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions

To: oss-security@xxxxxxxxxxxxxxxxxx
From: Salvatore Bonaccorso <carnil@xxxxxxxxxx>
Date: Tue, 12 Jul 2022 21:34:30 +0200
Cc: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, "Xen.org security team" <security-team-members@xxxxxxx>
Delivery-date: Tue, 12 Jul 2022 19:34:37 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

On Tue, Jul 12, 2022 at 09:27:07PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Tue, Jul 12, 2022 at 04:36:10PM +0000, Xen.org security team wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> > 
> >  Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / 
> > XSA-407
> > 
> >    Retbleed - arbitrary speculative code execution with return instructions
> > 
> > ISSUE DESCRIPTION
> > =================
> > 
> > Researchers at ETH Zurich have discovered Retbleed, allowing for
> > arbitrary speculative execution in a victim context.
> > 
> > For more details, see:
> >   https://comsec.ethz.ch/retbleed
> > 
> > ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
> > Intel.
> > 
> > Despite the similar preconditions, these are very different
> > microarchitectural behaviours between vendors.
> > 
> > On AMD CPUs, Retbleed is one specific instance of a more general
> > microarchitectural behaviour called Branch Type Confusion.  AMD have
> > assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
> > Confusion).
> > 
> > For more details, see:
> >   https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
> 
> Is it confirmed that AMD is not using CVE-2022-29900? The above
> amd-sb-1037 references as well both CVE-2022-23825 (Branch Type
> Confusion) and CVE-2022-29900 (RETbleed), so I assume they agreed to
> use CVE-2022-29900 for retbleed?
> 
> So should the Xen advisory as well use CVE-2022-23825,CVE-2022-29900
> and CVE-2022-29901?

Nevermind, I missunderstood the wording and the advisory just mentions
all the related CVEs correctly and made a thinko. It might turn out
that CVE-2022-23816 will not be used, but then the title would read
only as 

Xen Security Advisory CVE-2022-23825,CVE-2022-29900 / XSA-407

So please disregard the question above.

Salvatore

Follow-Ups:
- Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
  - From: Andrew Cooper

References:
- Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
  - From: Xen . org security team
- Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
  - From: Salvatore Bonaccorso

Prev by Date: Re: Build warnings in Xen 5.15.y and 5.10.y with retbleed backports
Next by Date: [xen-unstable-smoke test] 171602: tolerable all pass - PUSHED
Previous by thread: Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
Next by thread: Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.