Xen
cpe:2.3:o:xen:xen:*:*:*:*:x86:*:*
- >= 4.6
A vulnerability exists in Xen hypervisor versions 4.6 and newer on x86 systems, where the context switch logic improperly manages the Indirect Branch Prediction Barrier (IBPB) used for virtual CPU (vCPU) isolation. The flaw prevents guest kernels from correctly isolating their tasks, potentially leading to information leaks between processes. The issue arises because Xen skips the IBPB when a vCPU returns to a CPU it previously used. That skip maintains isolation between vCPUs but disrupts task isolation within the guest kernel. As a result, sensitive information from one task can be exposed to another.
The vulnerability could be exploited by guest processes to access private information belonging to other entities within the same guest.
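The context-switch behaviour described above, as an added toy model in C (not Xen source, and not taken from the advisory or from xsa479.patch): a vCPU runs task 1 on CPU 0, is rescheduled onto CPU 1 where the guest switches to task 2 with its own IBPB, then returns to CPU 0 where the hypervisor skips the barrier. All names are hypothetical, and the always-flush policy used for comparison is an assumption, not a statement of what the patch does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the advisory's logic; not Xen source. All names are hypothetical. */
enum { NCPU = 2, NONE = -1 };
/* Per CPU: last non-idle vCPU that ran here, and the task whose branch training remains. */
static struct pcpu { int last_vcpu, trained_by; } cpu[NCPU];

static void ibpb(int c) { cpu[c].trained_by = NONE; }

/* Task starts executing on CPU c; true if another task's training is still present. */
static bool run_task(int c, int task)
{
    bool stale = cpu[c].trained_by != NONE && cpu[c].trained_by != task;
    cpu[c].trained_by = task;
    return stale;
}

/* Hypervisor schedules vCPU v (currently running guest task `task`) onto CPU c. */
static bool xen_switch_in(int c, int v, int task, bool skip_if_same_vcpu)
{
    if (!skip_if_same_vcpu || cpu[c].last_vcpu != v)
        ibpb(c);
    cpu[c].last_vcpu = v;
    return run_task(c, task);
}

/* Guest kernel switches tasks; its IBPB only reaches the CPU it is on now. */
static bool guest_task_switch(int c, int task) { ibpb(c); return run_task(c, task); }

/* Returns true if any task ever ran on top of another task's branch training. */
static bool scenario(bool skip_if_same_vcpu, bool migrate)
{
    int other = migrate ? 1 : 0;
    bool stale = false;
    for (int c = 0; c < NCPU; c++) cpu[c] = (struct pcpu){ NONE, NONE };
    stale |= xen_switch_in(0, 0, 1, skip_if_same_vcpu);     /* task 1 trains CPU 0 */
    stale |= xen_switch_in(other, 0, 1, skip_if_same_vcpu); /* vCPU rescheduled */
    stale |= guest_task_switch(other, 2);                   /* guest IBPB here only */
    stale |= xen_switch_in(0, 0, 2, skip_if_same_vcpu);     /* back on CPU 0 */
    return stale;
}

int main(void)
{
    printf("skip+migrate=%d skip+pinned=%d always+migrate=%d\n",
           scenario(true, true), scenario(true, false), scenario(false, true));
    return 0;
}
```

The pinned case shows why the skip looks safe in isolation: without a move to another CPU, the guest's own IBPB lands on the CPU that holds the stale training.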
To address this vulnerability, apply the patch available as 'xsa479.patch' for Xen 4.18.x. This patch resolves the issue by ensuring proper IBPB management for vCPU isolation. Note that after applying the patch, it is recommended to update to the tip of the stable branch, as patches for released versions may not apply cleanly to the most recent release tarball.