CVE-2023-46841

EUVD-2023-51007
Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET).  A sub-feature of this are Shadow Stacks (CET-SS).
CET-SS is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data
and return addresses are accompanied by so called "shadow stacks",
holding little more than return addresses.  Shadow stacks aren't
writable by normal instructions, and upon function returns their
contents are used to check for possible manipulation of a return address
coming from the traditional stack.

In particular certain memory accesses need intercepting by Xen.  In
various cases the necessary emulation involves kind of replaying of
the instruction.  Such replaying typically involves filling and then
invoking of a stub.  Such a replayed instruction may raise an
exceptions, which is expected and dealt with accordingly.

Unfortunately the interaction of both of the above wasn't right:
Recovery involves removal of a call frame from the (traditional) stack.
The counterpart of this operation for the shadow stack was missing.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CISA-ADPADP
6.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
xenxen
4.14.0 ≤
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
xen
bookworm
vulnerable
bookworm (security)
4.17.5+23-ga4e5191dc0-1
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
buster
not-affected
sid
4.19.1-1
fixed
trixie
4.17.3+36-g54dacb5c02-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
xen
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
References
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/
https://xenbits.xenproject.org/xsa/advisory-451.html
http://xenbits.xen.org/xsa/advisory-451.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HES2IJXZY3H7HBPP4NVSVYYNGW254DMI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/
https://xenbits.xenproject.org/xsa/advisory-451.html