CVE-2024-53241: x86/xen: don't do PV iret hypercall through hypercall page
In the Linux kernel, the following vulnerability has been resolved:
x86/xen: don't do PV iret hypercall through hypercall page
Instead of jumping to the Xen hypercall page for doing the iret hypercall, directly code the required sequence in xen-asm.S.
This is done in preparation of no longer using hypercall page at all, as it has shown to cause problems with speculation mitigations.
This is part of XSA-466 / CVE-2024-53241.
Other sources
Xen guests need to use different processor instructions to make explicit calls into the Xen hypervisor depending on guest type and/or CPU vendor. In order to hide those differences, the hypervisor can fill a hypercall page with the needed instruction sequences, allowing the guest operating system to call into the hypercall page instead of having to choose the correct instructions.
The hypercall page contains whole functions, which are written by the hypervisor and executed by the guest. With the lack of an interface between the guest OS and the hypervisor specifying how a potential modification of those functions should look like, the Xen hypervisor has no knowledge how any potential mitigation should look like or which hardening features should be put into place.
This results in potential vulnerabilities if the guest OS is using any speculative mitigation that performs a compiler transform on "ret" instructions in order to work (e.g. the Linux kernel rethunk or safe-ret mitigations).
Furthermore, the hypercall page has no provision for Control-flow Integrity schemes (e.g. kCFI/CET-IBT/FineIBT), and will simply malfunction in such configurations.
— Red Hat
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-53241?
CVE-2024-53241 has been classified with a moderate severity level.
How do I fix CVE-2024-53241?
To mitigate CVE-2024-53241, users should update their Linux Kernel to the latest stable version that includes the patch.
What systems are affected by CVE-2024-53241?
CVE-2024-53241 affects the Linux Kernel across various distributions that utilize the affected versions.
Is CVE-2024-53241 under active exploitation?
As of now, there is no public indication that CVE-2024-53241 is being actively exploited in the wild.
What are the potential impacts of CVE-2024-53241?
The potential impacts of CVE-2024-53241 could include system instability or vulnerabilities that may be exploited by malicious actors.