diff --git a/xen.spec b/xen.spec
index b55151b..10fc3d9 100644
--- a/xen.spec
+++ b/xen.spec
@@ -67,7 +67,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.11.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
 Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz
@@ -133,6 +133,7 @@ Patch50: xsa310-0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
 Patch51: xsa310-0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
 Patch52: xsa310-0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
 Patch53: xsa311-4.11.patch
+Patch54: xsa312-4.11.patch
 %if %build_qemutrad
@@ -346,6 +347,7 @@ manage Xen virtual machines.
 %patch51 -p1
 %patch52 -p1
 %patch53 -p1
+%patch54 -p1
 # qemu-xen-traditional patches
 pushd tools/qemu-xen-traditional
@@ -945,6 +947,10 @@ fi
 %endif
 %changelog
+%changelog
+* Tue Jan 14 2020 Michael Young - 4.11.3-3
+- arm: a CPU may speculate past the ERET instruction [XSA-312]
+
 * Thu Dec 12 2019 Michael Young - 4.11.3-2
 - denial of service in find_next_bit() [XSA-307, CVE-2019-19581, CVE-2019-19582] (#1782211)
diff --git a/xsa312-4.11.patch b/xsa312-4.11.patch
new file mode 100644
index 0000000..553578a
--- /dev/null
+++ b/xsa312-4.11.patch
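Review bot: The changelog hunk adds a second `%changelog` directive directly after the existing ` %changelog` context line, so the patched spec carries the section header twice; rpmbuild is likely to reject the duplicate section, and even if it tolerates it the stray directive is left for the next editor to trip over. Only the entry lines belong in the hunk: `+* Tue Jan 14 2020 Michael Young - 4.11.3-3`, `+- arm: a CPU may speculate past the ERET instruction [XSA-312]` and the blank separator line — drop the added `+%changelog`. The Release bump, the `Patch54:` declaration and the `%patch54 -p1` application in the other three hunks are consistent with each other.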
@@ -0,0 +1,99 @@
+From 35cb81a9967a061df7d0eb8c387395f1c1984454 Mon Sep 17 00:00:00 2001
+From: Julien Grall
+Date: Thu, 19 Dec 2019 08:12:21 +0000
+Subject: [PATCH] xen/arm: Place a speculation barrier sequence following an
+ eret instruction
+
+Some CPUs can speculate past an ERET instruction and potentially perform
+speculative accesses to memory before processing the exception return.
+Since the register state is often controlled by lower privilege level
+at the point of an ERET, this could potentially be used as part of a
+side-channel attack.
+
+Newer CPUs may implement a new SB barrier instruction which acts
+as an architected speculation barrier. For current CPUs, the sequence
+DSB; ISB is known to prevent speculation.
+
+The latter sequence is heavier than SB but it would never be executed
+(this is speculation after all!).
+
+Introduce a new macro 'sb' that could be used when a speculation barrier
+is required. For now it is using dsb; isb but this could easily be
+updated to cater SB in the future.
+
+This is XSA-312.
+
+Signed-off-by: Julien Grall
+---
+ xen/arch/arm/arm32/entry.S | 2 ++
+ xen/arch/arm/arm64/entry.S | 3 +++
+ xen/include/asm-arm/macros.h | 9 +++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
+index 16d9f93653..464c8b8645 100644
+--- a/xen/arch/arm/arm32/entry.S
++++ b/xen/arch/arm/arm32/entry.S
+@@ -1,4 +1,5 @@
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -379,6 +380,7 @@ return_to_hypervisor:
+ add sp, #(UREGS_SP_usr - UREGS_sp); /* SP, LR, SPSR, PC */
+ clrex
+ eret
++ sb
+
+ /*
+ * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next)
+diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S
+index 12df95e901..a42c51e489 100644
+--- a/xen/arch/arm/arm64/entry.S
++++ b/xen/arch/arm/arm64/entry.S
+@@ -2,6 +2,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ /*
+@@ -288,6 +289,7 @@ guest_sync:
+ */
+ mov x1, xzr
+ eret
++ sb
+
+ 1:
+ /*
+@@ -413,6 +415,7 @@ return_from_trap:
+ ldr lr, [sp], #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */
+
+ eret
++ sb
+
+ /*
+ * This function is used to check pending virtual SError in the gap of
+diff --git a/xen/include/asm-arm/macros.h b/xen/include/asm-arm/macros.h
+index 5d837cb38b..539f613ee5 100644
+--- a/xen/include/asm-arm/macros.h
++++ b/xen/include/asm-arm/macros.h
+@@ -13,4 +13,13 @@
+ # error "unknown ARM variant"
+ #endif
+
++ /*
++ * Speculative barrier
++ * XXX: Add support for the 'sb' instruction
++ */
++ .macro sb
++ dsb nsh
++ isb
++ .endm
++
+ #endif /* __ASM_ARM_MACROS_H */
+--
+2.17.1
+