Xen Project XSA-260
History: May 08, 2018 - 4:45 p.m.

x86: mishandling of debug exceptions

Source: xenbits.xen.org

EPSS: 0.001 (Low), percentile 30.5%

ISSUE DESCRIPTION

When switching stacks, it is critical to have a matching stack segment and stack pointer. To allow an atomic update from what would otherwise be two adjacent instructions, an update which changes the stack segment (either a mov or pop instruction with %ss encoded as the destination register) sets the movss shadow for one instruction.
The exact behaviour of the movss shadow is poorly understood.
In practice, a movss shadow delays some debug exceptions (e.g. from a hardware breakpoint) until the subsequent instruction has completed. If the subsequent instruction normally transitions to supervisor mode (e.g. a system call), then the debug exception will be taken after the transition to ring0 is completed.
For most transitions to supervisor mode, this only confuses Xen into printing a lot of debugging information. For the syscall instruction however, the exception gets taken before the syscall handler can move off the guest stack.

IMPACT

A malicious PV guest can escalate its privilege to that of the hypervisor.

VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability.
An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users.
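As an added triage helper (not part of the advisory and not Xen Project code): a POSIX shell function that decides whether the guest it runs in falls inside the vulnerable set described above, i.e. an x86 guest running in PV mode, as opposed to an ARM guest or an x86 HVM/PVH guest. It assumes the Linux sysfs files /sys/hypervisor/type (containing "xen") and /sys/hypervisor/guest_type (containing "PV", "HVM" or "PVH") that Xen-aware kernels expose; the function name and its output strings are my own.

```shell
#!/bin/sh
# XSA-260 scope check (added example, not from the advisory).
# Assumption: Xen-aware Linux kernels expose /sys/hypervisor/type and
# /sys/hypervisor/guest_type; both are passed in as parameters so the
# function can be exercised against constructed files as well.

# xsa260_scope ARCH TYPE_FILE GUEST_TYPE_FILE
#   prints: in-scope | out-of-scope (...) | not-xen | unknown
#   returns 0 only for the in-scope case (x86 PV guest)
xsa260_scope() {
    arch="$1"; type_file="$2"; gt_file="$3"

    # Not running under Xen at all (or the kernel does not publish the info).
    if [ ! -r "$type_file" ] || [ "$(cat "$type_file")" != "xen" ]; then
        echo "not-xen"; return 1
    fi

    # Only x86 is affected; ARM systems are explicitly not vulnerable.
    case "$arch" in
        x86_64|i?86) ;;
        *) echo "out-of-scope (arch $arch)"; return 1 ;;
    esac

    # Only PV guests can exploit the issue; HVM and PVH guests cannot.
    gt=$(cat "$gt_file" 2>/dev/null || echo "")
    case "$gt" in
        PV)      echo "in-scope"; return 0 ;;
        HVM|PVH) echo "out-of-scope ($gt)"; return 1 ;;
        *)       echo "unknown"; return 1 ;;
    esac
}

# When executed directly, report on the live system. A non-Xen host simply
# prints "not-xen"; the if-wrapper keeps the non-zero status from tripping set -e.
if xsa260_scope "$(uname -m)" /sys/hypervisor/type /sys/hypervisor/guest_type; then
    echo "this guest is in the XSA-260 vulnerable set: apply the XSA-260 fix"
fi
```

The function reports "in-scope" only when all three advisory conditions line up (Xen, x86, PV); any other combination is reported with the reason so it can be logged during fleet triage. Note that a PV dom0 also reports as "in-scope", which is correct for patch tracking even though dom0 is already privileged.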

CPE
Name  Operator  Version
xen   eq        any