oss-sec mailing list archives
Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
From: Andrew Cooper <Andrew.Cooper3 () citrix com>
Date: Wed, 13 Jul 2022 09:27:34 +0000
On 12/07/2022 20:34, Salvatore Bonaccorso wrote:
Hi, On Tue, Jul 12, 2022 at 09:27:07PM +0200, Salvatore Bonaccorso wrote:Hi, On Tue, Jul 12, 2022 at 04:36:10PM +0000, Xen.org security team wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407 Retbleed - arbitrary speculative code execution with return instructions ISSUE DESCRIPTION ================= Researchers at ETH Zurich have discovered Retbleed, allowing for arbitrary speculative execution in a victim context. For more details, see: https://comsec.ethz.ch/retbleed ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for Intel. Despite the similar preconditions, these are very different microarchitectural behaviours between vendors. On AMD CPUs, Retbleed is one specific instance of a more general microarchitectural behaviour called Branch Type Confusion. AMD have assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type Confusion). For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037Is it confirmed that AMD is not using CVE-2022-29900? The above amd-sb-1037 references as well both CVE-2022-23825 (Branch Type Confusion) and CVE-2022-29900 (RETbleed), so I assume they agreed to use CVE-2022-29900 for retbleed? So should the Xen advisory as well use CVE-2022-23825,CVE-2022-29900 and CVE-2022-29901?Nevermind, I missunderstood the wording and the advisory just mentions all the related CVEs correctly and made a thinko. It might turn out that CVE-2022-23816 will not be used, but then the title would read only as Xen Security Advisory CVE-2022-23825,CVE-2022-29900 / XSA-407 So please disregard the question above.
/sigh AMD changed the CVE in the bulletin between the final draft, and what went public. CVE-2022-23816 has been referenced by multiple other vendors too, so is definitely out in the world. Hopefully MITRE will close out one of CVE-2022-23816 and CVE-2022-29900 as a dup of the other. For now, I think the least confusing option is to keep both referenced. ~Andrew
Current thread:
- Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions Xen . org security team (Jul 12)
- Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions Salvatore Bonaccorso (Jul 12)
- Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions Salvatore Bonaccorso (Jul 12)
- Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions Andrew Cooper (Jul 13)
- Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions Salvatore Bonaccorso (Jul 12)
- Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions Salvatore Bonaccorso (Jul 12)