CVE-2023-46841

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 20/03/2024
Last modified: 04/11/2025

Description

Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack.

In particular, certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves a kind of replaying of the instruction. Such replaying typically involves filling and then invoking a stub. Such a replayed instruction may raise an exception, which is expected and dealt with accordingly.

Unfortunately the interaction of both of the above wasn't right: recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* | | 
cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:* | 4.14.0 (including) | 