Xen Project XSA-111

Excessive checking in compatibility mode hypercall argument translation

2014-11-27 11:25:00
Xen Project
xenbits.xen.org

CVSS2: 4.7 Medium (AV:L/AC:M/Au:N/C:N/I:N/A:C)
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

EPSS: 0.001 Low (percentile 25.7%)

ISSUE DESCRIPTION

The hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed, since the code was originally intended for use only by PV guests.
While this is not a problem for PV guests (as they can’t enter 64-bit mode and hence can’t alter the high halves of any of the registers), the subsequent reuse of the same functionality for HVM guests exposed those checks to values (specifically, unexpected values for the high halves of registers not holding hypercall arguments) controlled by guest software.
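As an added illustration, not Xen's code, the following C model contrasts the check the advisory describes with a scoped one: the first version validates the high halves of all six potential argument registers regardless of the hypercall, the second only the registers the hypercall being processed actually consumes. The hypercall table, its names and argument counts are assumed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model only (not Xen's code): the six 64-bit registers in which a 32-bit
 * (compat) guest may pass hypercall arguments to a 64-bit hypervisor. */
#define NUM_ARG_REGS 6
typedef struct { uint64_t arg[NUM_ARG_REGS]; } compat_regs_t;

/* Hypothetical hypercall table: how many argument registers each call uses. */
typedef struct { const char *name; unsigned nargs; } hypercall_desc_t;
static const hypercall_desc_t hypercall_table[] = {
    { "op_one_arg", 1 }, { "op_three_args", 3 }, { "op_five_args", 5 },
};
#define NUM_HYPERCALLS (sizeof hypercall_table / sizeof hypercall_table[0])

static bool high_half_clear(uint64_t v) { return (v >> 32) == 0; }

/* The pattern the advisory describes: every register that could carry an
 * argument is checked, whatever the hypercall consumes. In the hypervisor
 * this is a fatal assertion, so 'false' stands for a host crash. A 32-bit PV
 * guest can never set a high half; an HVM guest can fill unused ones. */
bool check_all_arg_registers(const compat_regs_t *r, unsigned op)
{
    (void)op;                       /* argument count ignored: the bug */
    for (size_t i = 0; i < NUM_ARG_REGS; i++)
        if (!high_half_clear(r->arg[i]))
            return false;
    return true;
}

/* Scoped check: validate only the registers this hypercall consumes; an
 * unknown op has no arguments to validate (the dispatcher rejects it). */
bool check_used_arg_registers(const compat_regs_t *r, unsigned op)
{
    unsigned nargs = op < NUM_HYPERCALLS ? hypercall_table[op].nargs : 0;
    for (unsigned i = 0; i < nargs; i++)
        if (!high_half_clear(r->arg[i]))
            return false;
    return true;
}

int main(void)
{   /* Constructed sample: clean three-argument call, junk in unused reg 6. */
    compat_regs_t regs = { { 1, 2, 3, 0, 0, 0xdeadbeef00000000ULL } };
    printf("all: %d  used: %d\n", check_all_arg_registers(&regs, 1),
           check_used_arg_registers(&regs, 1));  /* prints "all: 0  used: 1" */
    return 0;
}
```

The same register state that the scoped check accepts is fatal to the over-broad one, which is exactly the difference between a guest-owned value and a host crash.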

IMPACT

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS

Xen 3.3 and onward are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.

CPE Name   Operator   Version
xen        ge         3.3
