Xen Security Advisory 312 v1 - arm: a CPU may speculate past the ERET instruction
Xen Security Advisory XSA-312
arm: a CPU may speculate past the ERET instruction
Some CPUs can speculate past an ERET instruction and potentially perform
speculative accesses to memory before processing the exception return.
Since the register state is often controlled by a lower privilege level
(i.e. guest kernel/userspace) at the point of the ERET, this could
potentially be used as part of a side-channel attack.
An attacker, which could include a malicious untrusted user process on
a trusted guest, or an untrusted guest, may be able to use it as part of
a side-channel attack to read host memory.
Systems running all versions of Xen are affected.
Whether an individual Arm-based CPU is vulnerable depends on its
speculation properties. Consult your CPU vendor.
x86 systems are not vulnerable.
There is no mitigation available.
NOTE REGARDING LACK OF EMBARGO
This was reported publicly, as affecting other Open Source projects,
before the Xen Project Security Team was made aware.
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.