x86 CMPXCHG8B emulation fails to ignore operand size override

ISSUE DESCRIPTION

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16.
When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the set of possible operand sizes was relied on in some parts of the emulation; but a wrong, fully general, operand size value was used for other parts of the emulation.
As a result, if a guest uses a supposedly-ignored operand size prefix, a small amount of hypervisor stack data is leaked to the guests: a 96 bit leak to guests running in 64-bit mode; or, a 32 bit leak to other guests.

IMPACT

A malicious unprivileged guest may be able to obtain sensitive information from the host.

VULNERABLE SYSTEMS

Xen versions 3.3 through 4.7 are affected. Xen master and Xen 4.8 as well as Xen versions 3.2 and earlier are not affected.
Only x86 systems are affected. ARM systems are not affected.
On Xen 4.6 and earlier the vulnerability is exposed to all HVM guest user processes, including unprivileged processes.
On Xen 4.7, the vulnerability is exposed only to HVM guest user processes granted a degree of privilege (such as direct hardware access) by the guest administrator; or, to all user processes when the VM has been explicitly configured with a non-default cpu vendor string (in xm/xl, this would be done with a `cpuid=’ domain config option).