XSA-263: Speculative Store Bypass

Xen Project
Published: 2018-05-21 16:52:00
Source: xenbits.xen.org

CVSS2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.003 (Percentile: 65.2%)

ISSUE DESCRIPTION

Contemporary high-performance processors may use a technique commonly known as Memory Disambiguation, whereby speculative execution may proceed past unresolved stores. This opens a speculative side channel in which a load from an address that has had a recent store can observe and operate on the older, stale value.
For more details, see: <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1528">https://bugs.chromium.org/p/project-zero/issues/detail?id=1528</a> <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html">https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html</a> <a href="https://www.amd.com/securityupdates">https://www.amd.com/securityupdates</a>

IMPACT

An attacker who can locate or create a suitable code gadget in a different privilege context may be able to infer the content of arbitrary memory accessible to that other privilege context.
At the time of writing, there are no known vulnerable gadgets in the compiled hypervisor code. Xen has no interfaces which allow JIT code to be provided. Therefore we believe that the hypervisor itself is not vulnerable. Additionally, we do not think there is a viable information leak by one Xen guest against another non-cooperating guest.
However, in most configurations, within-guest information leak is possible. Mitigation for this generally depends on guest changes (for which you must consult your OS vendor) and on hypervisor support, provided in this advisory.
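Because the within-guest mitigation depends on the guest kernel, a guest administrator's first step is to confirm what the guest reports. The following is an added example, not part of the Xen advisory: a POSIX shell check for Linux guests that reads the kernel's Speculative Store Bypass status from the sysfs file Linux exposes for it and classifies the string it finds. The classification labels (not-affected, mitigated, vulnerable, unknown) are this script's own; the status strings matched are the ones the Linux kernel prints.

```shell
#!/bin/sh
# Added example (not from XSA-263): classify a Linux guest's Speculative
# Store Bypass status. Linux publishes it in the sysfs file below.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb_status STRING
# Prints one of: not-affected | mitigated | vulnerable | unknown
# The classification labels are this script's own convention.
classify_ssb_status() {
    case "$1" in
        "Not affected")   echo not-affected ;;
        "Mitigation: "*)  echo mitigated ;;     # e.g. "...disabled via prctl"
        "Vulnerable"*)    echo vulnerable ;;
        *)                echo unknown ;;
    esac
}

# check_ssb [FILE]
# Reads the live sysfs file, or a captured copy given as FILE, prints the
# classification and returns 1 if the guest reports itself vulnerable,
# 2 if the status cannot be determined, 0 otherwise.
check_ssb() {
    file="${1:-$SSB_SYSFS}"
    if [ ! -r "$file" ]; then
        # Kernels predating the SSB patches do not create the file at all;
        # treat that as unknown rather than assuming the guest is safe.
        echo unknown
        return 2
    fi
    status=$(cat "$file")
    result=$(classify_ssb_status "$status")
    echo "$result"
    if [ "$result" = vulnerable ]; then
        return 1
    fi
    if [ "$result" = unknown ]; then
        return 2
    fi
    return 0
}

# Usage: check_ssb                (live guest)
#        check_ssb /path/to/copy  (status captured from another guest)
```

The file is only present on Linux guests with the SSB patches applied; other guest operating systems report the state through their vendor's own interface.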

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
Processors from all vendors are affected to different extents.
Further communication will be made for Arm. See <a href="https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability">https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability</a> for more details.
