The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative
Return Stack Overflow) are not IRQ-safe. It was believed that the
mitigations always operated in contexts with IRQs disabled.
However, the original XSA-254 fix for Meltdown (XPTI) deliberately left
interrupts enabled on two entry paths; one unconditionally, and one
conditionally on whether XPTI was active.
As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations
are not active together by default. Therefore, there is a race
condition whereby a malicious PV guest can bypass BTC/SRSO protections
and launch a BTC/SRSO attack against Xen.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://xenbits.xenproject.org/xsa/advisory-446.html |
History
No history.
MITRE
Status: PUBLISHED
Assigner: XEN
Published: 2024-01-05T16:34:59.036Z
Updated: 2024-08-02T20:53:21.940Z
Reserved: 2023-10-27T07:55:35.332Z
Link: CVE-2023-46836
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2024-01-05T17:15:11.197
Modified: 2024-01-11T17:09:02.020
Link: CVE-2023-46836
Redhat
No data.