CVE-2023-46841 x86: shadow stack vs exceptions from emulation stubs

2024-03-2010:40:36

XEN

github.com

x86

cet-ss

return oriented programming

AI Score

6.7

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS).
CET-SS is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data
and return addresses are accompanied by so called “shadow stacks”,
holding little more than return addresses. Shadow stacks aren’t
writable by normal instructions, and upon function returns their
contents are used to check for possible manipulation of a return address
coming from the traditional stack.

In particular certain memory accesses need intercepting by Xen. In
various cases the necessary emulation involves kind of replaying of
the instruction. Such replaying typically involves filling and then
invoking of a stub. Such a replayed instruction may raise an
exceptions, which is expected and dealt with accordingly.

Unfortunately the interaction of both of the above wasn’t right:
Recovery involves removal of a call frame from the (traditional) stack.
The counterpart of this operation for the shadow stack was missing.

CNA Affected

[
  {
    "vendor": "Xen",
    "product": "Xen",
    "versions": [
      {
        "status": "unknown",
        "version": "consult Xen advisory XSA-451"
      }
    ],
    "defaultStatus": "unknown"
  }
]