I/O port access privilege escalation in x86-64 Linux

ISSUE DESCRIPTION

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to compensate for this the context switching of EFLAGS.IOPL requires the guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The invocation of this hypercall, while present in the 32-bit context switch path, is missing from its 64-bit counterpart.

IMPACT

User mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks.

VULNERABLE SYSTEMS

All upstream x86-64 Linux versions operating as PV Xen guests are vulnerable.
ARM systems are not vulnerable. x86 HVM guests are not vulnerable. 32-bit Linux guests are not vulnerable.
x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not vulnerable.
We believe that non-Linux guests are not vulnerable, as we are not aware of any with an analogous bug.