x86: speculative vulnerability in 32bit SYSCALL path

ISSUE DESCRIPTION

Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late.
In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

IMPACT

An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

VULNERABLE SYSTEMS

Xen versions 4.5 through 4.17 are vulnerable. Older versions are not vulnerable.
Only x86 CPUs are potentially vulnerable. CPUs of other architectures are not vulnerable.
The problematic codepath is only reachable on x86 CPUs which follow AMD’s behaviour with respect to SYSCALL instructions from compatibility mode segments. This means that AMD and Hygon CPUs are potentially vulnerable, whereas Intel CPUs are not. Other vendors have not been checked.
Only PV guests can leverage the vulnerability.
On Xen 4.16 and later, the vulnerability is only present if 32bit PV guest support is compiled in - i.e. CONFIG_PV32=y. On Xen 4.15 and older, all supported build configurations are vulnerable.
The vulnerability is only present when booting on hardware that supports SMEP or SMAP (Supervisor Mode Execution/Access Prevention). This is believed to be some Family 0x16 models, and all later CPUs.