Xen Project XSA-187
Published: Sep 08, 2016 - 12:00 p.m.

x86 HVM: Overflow of sh_ctxt->seg_reg[]

2016-09-08 12:00:00
Xen Project
xenbits.xen.org

CVSS3: 4.1 Medium
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CVSS2: 1.5 Low
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:L/AC:M/Au:S/C:N/I:N/A:P

EPSS: 0.001 Low (percentile 29.2%)

ISSUE DESCRIPTION

x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state.

IMPACT

A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host.

VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
The vulnerability is only exposed to HVM guests on x86 hardware, which are configured to run with shadow paging.
The vulnerability is not exposed to x86 PV guests, x86 HVM guests running with hardware assisted paging, or ARM guests.
x86 HVM guests run in HAP mode by default on modern CPUs.
To discover whether your HVM guests are using HAP or shadow page tables, request debug key 'q' (from the Xen console, or with 'xl debug-keys q'). This will print (to the console, and visible in 'xl dmesg') debug information for every domain, containing something like this:

  (XEN) General information for domain 2:
  (XEN)     refcnt=1 dying=2 pause_count=2
  (XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
  (XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
  (XEN)     paging assistance: hap refcounts translate external
                               ^^^

The presence of 'hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of 'shadow' indicates that the domain can exploit the vulnerability.
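The check above is manual: run the debug key, then read the 'paging assistance' line of every domain in 'xl dmesg'. The script below is an added example, not part of the advisory or of the Xen toolstack, that automates that reading. It parses the per-domain output format the advisory shows and reports which domains run with shadow paging (the configuration XSA-187 applies to). The sample dmesg text embedded in it is constructed for the demonstration; the domain ids, handles and page counts in it are made up, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of XSA-187 or the Xen toolstack): parse the
# per-domain "paging assistance" lines that `xl debug-keys q` makes Xen
# print and report which domains run with shadow paging.

# Constructed sample of `xl dmesg` output after `xl debug-keys q`, in the
# format the advisory shows. Domain ids, handles and page counts are made
# up: domain 1 runs with HAP, domain 2 with shadow paging.
SAMPLE_DMESG='(XEN) General information for domain 1:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     nr_pages=65536 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=65792
(XEN)     handle=11111111-1111-1111-1111-111111111111 vm_assist=00000000
(XEN)     paging assistance: hap refcounts translate external
(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=2 pause_count=2
(XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
(XEN)     handle=22222222-2222-2222-2222-222222222222 vm_assist=00000000
(XEN)     paging assistance: shadow refcounts translate external'

# paging_mode_report: read debug-key 'q' output on stdin and print one
# "domain <id>: <mode>" line per domain, where mode is "hap", "shadow"
# or "other" (neither flag present, e.g. a PV domain).
paging_mode_report() {
    awk '
        /General information for domain [0-9]+:/ {
            dom = $NF; sub(/:$/, "", dom)       # "2:" -> "2"
        }
        /paging assistance:/ {
            mode = "other"
            for (i = 1; i <= NF; i++) {
                if ($i == "hap")    mode = "hap"
                if ($i == "shadow") mode = "shadow"
            }
            printf "domain %s: %s\n", dom, mode
        }
    '
}

# shadow_domains: print only the ids of domains running shadow paging,
# i.e. the domains XSA-187 applies to on an unpatched host. Duplicates
# (from repeated debug-key presses still in the ring buffer) are folded.
shadow_domains() {
    paging_mode_report | awk '$3 == "shadow" { sub(/:$/, "", $2); print $2 }' | sort -u
}

# check_live_host: run the advisory's procedure on a real Xen host.
# Needs the xl toolstack and dom0 privilege; skipped where xl is absent.
check_live_host() {
    command -v xl >/dev/null 2>&1 || { echo "xl not found; skipping live check" >&2; return 0; }
    xl debug-keys q && xl dmesg | shadow_domains
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DMESG" | paging_mode_report
echo "shadow-paging domains: $(printf '%s\n' "$SAMPLE_DMESG" | shadow_domains)"
check_live_host
```

On a real host the ring buffer read by 'xl dmesg' may still hold output from earlier debug-key presses, including domains that have since been destroyed, so compare the reported ids against 'xl list' before acting on them.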

CPE Name    Operator    Version
xen         eq          any
