Mailing List Archive

Xen Security Advisory 289 v2 - Spectre V1 gadgets exploitable with L1TF
Hash: SHA256

Xen Security Advisory XSA-289
version 2

Spectre V1 gadgets exploitable with L1TF


Include references for `smatch' in 0000-Cover-Letter.txt.
Correct embargo end date in 0000-Cover-Letter.txt.

Public release.


Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre V1)
and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to
more easily gather leaked information. The Spectre V1 approach would be
used to bring data into the cache on on hyperthread of a given CPU core,
while L1TF would be utilized to read out the cached data on another
hyperthread of the same CPU core.

A number of specific exploitable gadgets have been identified.

There are no new vulnerabilities. There is only new information about
existing vulnerabilities: specifically, confirmation that existing,
previously disclosed, vulnerabilities, can be exploited in specific
ways. (Previously, it was merely expected, and stated in XSA-254 and
XSA-273, that such the vulnerabilities would be exploitable.)


An attacker can potentially read arbitrary host RAM. This includes data
belonging to Xen, data belonging to other guests, and data belonging to
different security contexts within the same guest.

An attacker could be a guest kernel (which can manipulate the pagetables
directly), or could be guest userspace either directly (e.g. with
mprotect() or similar system call) or indirectly (by gaming the guest
kernel's paging subsystem).

See XSA-254 and XSA-273 for more general information about the
underlying vulnerabilities.


Systems running all versions of Xen are affected.

Only x86 processors are vulnerable. ARM processors are not known to be

Only systems with Symmetric Multi Threading (SMT, aka hyperthreading)
available and enabled are vulnerable.

Only Intel Core based processors (from at least Merom onwards) are
potentially affected. Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.


As discussed in XSA-273, disabling SMT / hyperthreading will avoid the
L1TF vulnerability. It will therefore prevent the use of the
exploitable code patterns discussed in this advisory. Disabling SMT
may be achieved via a BIOS option (preferred) or the "smt=0"
hypervisor command line option.


This issue was discovered by Norbert Manthey, Julian Stecklina, and
Pawel Wieczorkiewicz of the Xen Security Team at Amazon.


These are hardware bugs, so technically speaking they cannot be
properly fixed in software.

See XSA-273 and XSA-254 for a fuller discussion of the general
situation, background, etc.


For the specific technical details of the now-known-explitable code
patterns, please see the attached patches.

These patches are intended by their authors to mitigate these
vulnerabilities. In some form they are likely to be included in
future Xen releases. We very much welcome this contribution to the
Xen community's response to Spectre/L1TF.


* These patches have not been validated by the Xen Project
Security Team. Work is ongoing.

* We expect that there may be other exploitable code patterns and
gadgets, similar to but beyond those disclosed here.

* Should further such exploitable code patterns be discovered, we
will not necessarily issue a further advisory, or update this
advisory. Instead, we would usually recommend that any
improvements to reduce the exploitability be handled in public, in
accordance with the public status of the underlying vulnerabilities
XSA-273 and XSA-254.

* We therefore do not recommend responding to this advisory by
applying these patches. Instead, we recommend using hardware
without this bug, or failing that, disabling hyperthreading (SMT)
as discussed in XSA-273.

$ sha256sum xsa289*/*
fb58117afd3d69b2bc67001b759bcb8b27d5eddf14bb69596e01b5735a46fc83 xsa289/0000-Cover-Letter.txt
8051f6ac3f945d80368e745fff9568688a5f3ec3d34e88e1f965fe74853a60ac xsa289/0001-lfence-add-function-that-returns-int.patch
bc0a26533d56fff11081661546c0b0c0bf3b216dc18b72944dfeef36adb254d4 xsa289/0002-is_hvm-pv_domain-block-speculation.patch
ffb445c40064c65b167b5badbb73bf5e00689494a11269684a5e432c96bb5d74 xsa289/0003-is_control_domain-block-speculation.patch
2952ac3f46256a85670b18a3d100d2fc6429fa98bb07dd55abe7ee939f30cb3e xsa289/0004-x86-hvm-block-speculative-accesses.patch
c73ceacd649ebc4bc054e6e181283c1c58e3bed3e1d1309e5780e5efbd85461a xsa289/0005-nospec-introduce-method-for-static-arrays.patch
52af8d264e770055d1e3937de0e2ebca408f2a7ec6b8d4fd67270594e2fa17e7 xsa289/0006-x86-hvm-block-speculative-out-of-bound-accesses.patch
6beb965c15b36cc81ba756202f046e5757f6c69b0983abd98e51710b03c9851b xsa289/0007-xen-evtchn-block-speculative-out-of-bound-accesses.patch
e48aaee8cf62ee7fc5df9fd07e2b687e53a8e056001d4e6434525ac68346ee18 xsa289/0008-common-gant_table-block-speculative-out-of-bound-acc.patch
8f4fad87aff662901d848add571f5e3d0c08de444cc514391f6f4a133eff14b5 xsa289/0009-x86-hvm-emulate-block-speculative-out-of-bound-acces.patch
43e61e91318c44a56f954c058ce85616df46e5ca424fcad066e631c16add2956 xsa289/0010-x86-vioapic-block-speculative-out-of-bound-accesses.patch
394cdb4c7e15cc2cbaa383b724707a8a87f9e19f729561fd3cf02c3551003911 xsa289/0011-x86-hvm-hpet-block-speculative-out-of-bound-accesses.patch
54a3f85f887b9ce596b5908a62e3efff76c79502941b71fd520a4170299e21c0 xsa289/0012-common-memory-block-speculative-out-of-bound-accesse.patch
e87a89f333873a3b96318adfdd5fde8317b3a2062e7f330fc5398e0e5eade213 xsa289/0013-x86-CPUID-block-speculative-out-of-bound-accesses.patch
94957ed06308e9af120373be6807fd3b044de8a35b7088c10c78b496596664f2 xsa289/
8569b7be345e01365ea4ecdd22ed00b21343d4234d83f5ce4bb11191c918354e xsa289/sorted-gadgets.txt


Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy: