xen-kernel -- x86 CMPXCHG8B emulation fails to ignore operand size override

2016-12-13T00:00:00
ID 80A897A2-C1A6-11E6-AE1B-002590263BF5
Type freebsd
Reporter FreeBSD
Modified 2016-12-13T00:00:00

Description

The Xen Project reports:

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the set of possible operand sizes was relied on in some parts of the emulation; but a wrong, fully general, operand size value was used for other parts of the emulation. As a result, if a guest uses a supposedly-ignored operand size prefix, a small amount of hypervisor stack data is leaked to the guests: a 96 bit leak to guests running in 64-bit mode; or, a 32 bit leak to other guests. A malicious unprivileged guest may be able to obtain sensitive information from the host.
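The decode rule the advisory describes can be pinned down in a regression check. The following C sketch is an added example, not code from Xen or from this advisory: it decodes the prefixes in front of `0F C7 /1` and returns both the size the generic prefix rules would give and the size CMPXCHG8B/16B actually uses. The names `opsize` and `decode_cmpxchg` are hypothetical, and a 32-bit default operand size is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Xen's emulator code. */
struct opsize {
    int general; /* bytes per the generic prefix rules: 2, 4 or 8 */
    int actual;  /* bytes CMPXCHG8B/16B uses: 8 or 16 (0: other insn) */
};
/* Legacy prefixes: operand/address size, LOCK, REP/REPNE, segment overrides. */
static const uint8_t legacy[] = { 0x66, 0x67, 0xF0, 0xF2, 0xF3,
                                  0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65 };

/* Decode prefixes, then 0F C7 /1 with a memory operand. Assumes a code
 * segment whose default operand size is 32 bits. */
struct opsize decode_cmpxchg(const uint8_t *insn, size_t len, int mode64)
{
    struct opsize r = { 4, 0 };
    int has66 = 0, rex_w;
    uint8_t rex = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        if (memchr(legacy, insn[i], sizeof legacy)) {
            rex = 0;                    /* a REX that is not last is ignored */
            has66 |= (insn[i] == 0x66);
        } else if (mode64 && (insn[i] & 0xF0) == 0x40) {
            rex = insn[i];              /* REX exists only in 64-bit mode */
        } else {
            break;                      /* first opcode byte */
        }
    }
    rex_w = (rex & 0x08) != 0;
    r.general = rex_w ? 8 : (has66 ? 2 : 4);
    if (i + 2 < len && insn[i] == 0x0F && insn[i + 1] == 0xC7 &&
        ((insn[i + 2] >> 3) & 7) == 1 && (insn[i + 2] >> 6) != 3)
        r.actual = rex_w ? 16 : 8;      /* 0x66 deliberately not consulted */
    return r;
}

int main(void)
{
    /* Constructed sample: 66 0F C7 0E, cmpxchg8b (%esi) with a 0x66 prefix. */
    static const uint8_t s[] = { 0x66, 0x0F, 0xC7, 0x0E };
    struct opsize r = decode_cmpxchg(s, sizeof s, 0);
    printf("general=%d actual=%d\n", r.general, r.actual); /* must differ */
    return 0;
}
```

Any emulation step that sizes a read, compare or write-back for this instruction should take `actual`; a test that feeds the prefixed encodings and checks the two values diverge guards against mixing them.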