-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2023-34320 / XSA-436
arm: Guests can trigger a deadlock on Cortex-A77
Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412
where software, under certain circumstances, could deadlock a core
due to the execution of either a load to device or non-cacheable memory,
and either a store exclusive or register read of the Physical
Address Register (PAR_EL1) in close proximity.
A (malicious) guest that doesn't include the workaround for erratum
1508412 could deadlock the core. This will ultimately result to
a deadlock of the system.
Systems running all version of Xen are affected.
This bug is specific to Arm Cortex-A77 cores r0p0 and r1p0.
There are no known mitigations.
NOTE REGARDING LACK OF EMBARGO
This issue has been publicly documented.
To handle properly the erratum, it is necessary to have an updated
firmware and that both the hypervisor and guest OSes have the workaround.
This means it is not possible to security support Xen on the Cortex-A77,
even on systems which have the workaround enabled.
Applying the attached patches will document the situation and also
add the workaround in Xen if someone wish to run on Cortex-A77 with
only trusted guests.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa436/xsa436.patch xen-unstable - Xen 4.17.x
xsa436/xsa436-4.16.patch Xen 4.16.x
xsa436/xsa436-4.15.patch Xen 4.15.x
$ sha256sum xsa436* xsa436*/*
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 2228238]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.