Xen Project XSA-375

Speculative Code Store Bypass

2021-06-08 17:00:00
Xen Project
xenbits.xen.org

CVSS3: 6.5 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 2.1 Low

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low (Percentile: 19.9%)

ISSUE DESCRIPTION

Modern superscalar processors may employ sophisticated decoding and caching of the instruction stream to improve performance. However, a consequence is that self-modifying code updates may not take effect instantly.
Whatever the architectural guarantees, some CPUs have microarchitectural behaviour whereby the stale instruction stream may be speculatively decoded and executed.
Speculation of this form can suffer from type confusion in registers, and potentially leak data.
For more details, see:

  https://www.vusec.net/projects/fpvi-scsb
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1003
  https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/speculative-code-store-bypass.html
  https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/floating-point-value-injection.html
  https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#scsb
  https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#fvpi

IMPACT

An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor.
Xen running on ARM does not have runtime self-modifying code, so it is believed to be not vulnerable, irrespective of any hardware susceptibility.
Xen running on x86 does have runtime self-modifying code as part of emulation, and is believed to be potentially vulnerable.
Xen is not vulnerable if retpoline or lfence mitigations for Spectre v2 protection are active. Protections depend on compiler support (as indicated by INDIRECT_THUNK), and a runtime setting (BTI-Thunk):

  xl dmesg | grep -e INDIRECT_THUNK -e BTI-Thunk
  (XEN) Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
  (XEN) Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS+ SSBD-, Other: SRB_LOCK+ IBPB L1D_FLUSH VERW BRANCH_HARDEN

BTI-Thunk as either RETPOLINE or LFENCE prevents the vulnerability.
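The check above, automated as an added example that is not part of the advisory: a POSIX shell function reads `xl dmesg` output and reports whether both conditions the advisory names hold (INDIRECT_THUNK compiled in, BTI-Thunk set to RETPOLINE or LFENCE). The two sample outputs are constructed for offline use; the "N/A" value in the second one is assumed to be what an unmitigated build prints.

```shell
#!/bin/sh
# Added example (not the Xen Project's code): decide from `xl dmesg` text
# whether the XSA-375 mitigation is active. Reads the text on stdin,
# prints a verdict and returns 0 only when the hypervisor is mitigated.
scsb_check() {
    text=$(cat)
    # Compiler support for the thunk, as reported on the "Compiled-in support" line.
    compiled=$(printf '%s\n' "$text" \
        | grep -c 'Compiled-in support:.*INDIRECT_THUNK' || true)
    # Runtime thunk choice: the token following "BTI-Thunk " up to the next comma.
    thunk=$(printf '%s\n' "$text" \
        | sed -n 's/.*BTI-Thunk \([^,]*\),.*/\1/p' | head -n 1)
    case "$thunk" in
        RETPOLINE|LFENCE) ;;   # the two settings the advisory says prevent the issue
        *) echo "NOT MITIGATED: BTI-Thunk is '${thunk:-unset}'"; return 1 ;;
    esac
    if [ "$compiled" -eq 0 ]; then
        echo "NOT MITIGATED: INDIRECT_THUNK not in compiled-in support"
        return 1
    fi
    echo "MITIGATED: BTI-Thunk $thunk with INDIRECT_THUNK support"
    return 0
}

# Constructed sample outputs (live use: xl dmesg | scsb_check).
SAMPLE_OK='(XEN) Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN) Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS+ SSBD-, Other: SRB_LOCK+ IBPB L1D_FLUSH VERW BRANCH_HARDEN'
SAMPLE_BAD='(XEN) Compiled-in support: SHADOW_PAGING
(XEN) Xen settings: BTI-Thunk N/A, SPEC_CTRL: IBRS+ SSBD-, Other: SRB_LOCK+ IBPB L1D_FLUSH VERW BRANCH_HARDEN'

printf '%s\n' "$SAMPLE_OK" | scsb_check
printf '%s\n' "$SAMPLE_BAD" | scsb_check || true
```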
