Merged today to the Linux kernel are fixes for two vulnerabilities involving the Xen hypervisor. One of them concerns a malicious network backend being able to crash a Linux guest after a suspend/resume cycle. The other, more pressing issue addressed is the Xen hypercall page being unsafe against speculative CPU attacks.
This merge into the Linux 6.13 Git tree, which is also to be back-ported to existing stable and affected series, takes care of fixing the two vulnerabilities. XSA-465 is the ticket tracking the Xen netfront crash, while XSA-466 covers the disclosure around speculation mitigations not necessarily being correctly handled.
XSA-466 carries CVE-2024-53241 and is described on Xen.org as follows, explaining how mitigations applied by the Linux guest OS might not be fully functional:
“Xen guests need to use different processor instructions to make explicit calls into the Xen hypervisor depending on guest type and/or CPU vendor. In order to hide those differences, the hypervisor can fill a hypercall page with the needed instruction sequences, allowing the guest operating system to call into the hypercall page instead of having to choose the correct instructions.
The hypercall page contains whole functions, which are written by the hypervisor and executed by the guest. With the lack of an interface between the guest OS and the hypervisor specifying how a potential modification of those functions should look, the Xen hypervisor has no knowledge of how any potential mitigation should look or which hardening features should be put into place.
This results in potential vulnerabilities if the guest OS is using any speculative mitigation that performs a compiler transform on “ret” instructions in order to work (e.g. the Linux kernel rethunk or safe-ret mitigations).
Furthermore, the hypercall page has no provision for Control-flow Integrity schemes (e.g. kCFI/CET-IBT/FineIBT), and will simply malfunction in such configurations.”
To address this, Xen has added new hypercall functions to be used in place of the existing hypercall page, thereby avoiding naked RET instructions that could escape the CPU's speculative execution protections.
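As an added illustration, not code from Xen, Linux or this article, the following C builds a hypercall-page slot the way the hypervisor is assumed to fill it for an Intel HVM guest (the 32-byte slot layout and opcodes are assumptions used only to construct sample bytes), builds the same stub as a guest-compiled function would end up after the kernel's return-thunk transform, and runs a minimal linear sweep that reports whether a slot still leaves through a naked RET.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 32   /* one hypercall-page entry (assumed layout) */

/* Constructed sample of how Xen is assumed to fill an Intel HVM slot with
 * "mov $nr,%eax ; vmcall ; ret": the guest never compiled that ret, so no rethunk. */
void fill_hvm_slot(uint8_t *slot, uint32_t nr)
{
    memset(slot, 0xcc, SLOT_SIZE);                   /* int3 padding */
    slot[0] = 0xb8;                                  /* mov $imm32,%eax */
    memcpy(&slot[1], &nr, sizeof nr);                /* little-endian imm */
    slot[5] = 0x0f; slot[6] = 0x01; slot[7] = 0xc1;  /* vmcall */
    slot[8] = 0xc3;                                  /* naked ret */
}

/* Same stub as a guest-owned function looks after the kernel's return-thunk
 * transform: the ret is replaced by jmp rel32 into the thunk. */
void fill_thunked_slot(uint8_t *slot, uint32_t nr, int32_t thunk_disp)
{
    fill_hvm_slot(slot, nr);
    slot[8] = 0xe9;                                  /* jmp rel32 */
    memcpy(&slot[9], &thunk_disp, sizeof thunk_disp);
}

/* Linear sweep over the few instruction forms such a slot holds: 1 = control
 * leaves via a naked ret (c3 / c2 imm16), 0 = via jmp rel32, -1 = undecoded. */
int slot_ends_in_naked_ret(const uint8_t *slot, size_t len)
{
    for (size_t i = 0; i < len;) {
        uint8_t op = slot[i];
        if (op == 0xb8 && i + 5 <= len) { i += 5; continue; }       /* mov imm32 */
        if (op == 0x0f && i + 3 <= len && slot[i + 1] == 0x01 &&     /* vmcall/vmmcall */
            (slot[i + 2] == 0xc1 || slot[i + 2] == 0xd9)) { i += 3; continue; }
        if (op == 0xc3 || (op == 0xc2 && i + 3 <= len)) return 1;
        if (op == 0xe9 && i + 5 <= len) return 0;
        return -1;
    }
    return -1;                                                      /* ran off the slot */
}

/* Verdict for a constructed slot: 0 = hypervisor-filled, 1 = thunked stub. */
int verdict_for_sample(int thunked)
{
    uint8_t slot[SLOT_SIZE];
    if (thunked) fill_thunked_slot(slot, 2, -0x1000);
    else fill_hvm_slot(slot, 2);
    return slot_ends_in_naked_ret(slot, SLOT_SIZE);
}
```

A real check would use a full x86 decoder (the kernel's objtool does this for guest-built code); the sweep here decodes only the handful of opcodes a hypercall slot is assumed to contain.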
The patches are marked for back-porting to the stable Linux LTS series as well.