Xen Project XSA-34
Jan 22, 2013 - 11:49 a.m.

nested virtualization on 32-bit exposes host crash

xenbits.xen.org

CVSS2: 4.6 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:A/AC:H/Au:N/C:N/I:N/A:C

EPSS: 0.001 Low
Percentile: 50.8%

ISSUE DESCRIPTION

When performing nested virtualisation, Xen would incorrectly map guest pages for extended periods using an interface which is only intended for transient mappings. In some configurations only a limited number of slots are available for these transient mappings, and exhausting them leads to a host crash and therefore a Denial of Service.

IMPACT

A malicious guest administrator can trigger the issue by enabling nested virtualisation from within the guest.
Their ability to do this depends on the number of VCPUs the domain is configured with. Domains with smaller numbers of VCPUs (e.g. fewer than 16) are not able to create sufficient mappings via this method to trigger the issue.

VULNERABLE SYSTEMS

32-bit hypervisors running HVM guests on either Intel or AMD are vulnerable.
Only Xen version 4.2.x is vulnerable.
Nested virtualisation was introduced as an experimental feature in Xen 4.2, so versions of Xen prior to that are not vulnerable.
The 32-bit hypervisor has been removed in Xen unstable, which is therefore not vulnerable.
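
The conditions listed under IMPACT and VULNERABLE SYSTEMS can be turned into an exposure check over `xl info` output and a guest configuration file. This is an added example, not part of the advisory or of Xen's own tooling; the function names and sample inputs are constructed.
Assumptions: a 64-bit hypervisor lists a `xen-*-x86_64` entry in `xen_caps`, nested virtualisation is reachable only when the guest config sets `nestedhvm`, and the advisory's example figure of 16 VCPUs is used as the cut-off.

```python
import re

# The advisory gives "less than 16" VCPUs as an example of guests that cannot
# trigger the issue; using 16 as a cut-off is an assumption of this example.
VCPU_EXAMPLE = 16

def parse_kv(text):
    """Parse `key : value` (xl info) or `key = value` (xl.cfg) lines."""
    pairs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*[:=]\s*(.*?)\s*(#.*)?$", line)
        if m:
            pairs[m.group(1)] = m.group(2).strip("\"'")
    return pairs

def host_in_scope(xl_info):
    """True when the host is a 32-bit Xen 4.2.x hypervisor."""
    info = parse_kv(xl_info)
    caps = info.get("xen_caps", "").split()
    # Assumption: only a 64-bit hypervisor lists a xen-*-x86_64 capability.
    is_32bit = bool(caps) and not any(re.fullmatch(r"xen-.*x86_64", c) for c in caps)
    return (info.get("xen_major"), info.get("xen_minor")) == ("4", "2") and is_32bit

def assess(xl_info, guest_cfg):
    """Classify one guest config against the advisory's stated conditions."""
    if not host_in_scope(xl_info):
        return "host-not-affected"
    cfg = parse_kv(guest_cfg)
    if cfg.get("builder") != "hvm":
        return "not-hvm"
    # Assumption: nested virtualisation is reachable only with nestedhvm enabled.
    if cfg.get("nestedhvm", "0").lower() not in ("1", "true", "yes", "on"):
        return "nested-off"
    vcpus = int(cfg.get("maxvcpus", cfg.get("vcpus", "1")))
    return "exposed" if vcpus >= VCPU_EXAMPLE else "nested-on-few-vcpus"

# Constructed sample inputs, not taken from a real host.
SAMPLE_XL_INFO = """\
xen_major              : 4
xen_minor              : 2
xen_extra              : .1
xen_caps               : xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p
"""
SAMPLE_GUEST_CFG = """\
builder = "hvm"
vcpus = 16
nestedhvm = 1   # exposes VMX/SVM to the guest
"""

if __name__ == "__main__":
    print(assess(SAMPLE_XL_INFO, SAMPLE_GUEST_CFG))
```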
