x86: inconsistent cachability flags on guest mappings

ISSUE DESCRIPTION

Multiple mappings of the same physical page with different cachability setting can cause problems. While one category (risk of using stale data) affects only guests themselves (and hence avoiding this can be left for them to control), the other category being Machine Check exceptions can be fatal to entire hosts. According to the information we were able to gather, only mappings of MMIO pages may surface this second category, but even for them there were cases where the hypervisor did not properly enforce consistent cachability.

IMPACT

A malicious guest administrator might be able to cause a reboot, denying service to the entire host.

VULNERABLE SYSTEMS

All Xen versions are affected.
Only x86 guests given control over some physical device can trigger this vulnerability.
x86 systems are vulnerable. ARM systems are not vulnerable.
The vulnerability depends on the system response to mapping the same memory with different cacheability. On some systems this is harmless; on others, depending on CPU and chipset, it may be fatal.