Xen PV Guest Non-SELFSNOOP CPU Memory Corruption Exploit

On CPUs without SELFSNOOP support, a Xen PV domain that has access to a PCI device which grants the domain the ability to set arbitrary cache attributes on all its pages can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually diffe...

Xen PV Guest Non-SELFSNOOP CPU Memory Corruption

Xen: PV guest on non-SELFSNOOP CPUs can validate non-coherent L2 pagetable I'm not sure whether there are any major users of unshimmed Xen PV left, but https://xenbits.xen.org/docs/unstable/support-matrix.html says it's still a security-supported usecase for 64-bit guests. Tested on Debian's Xen...