Xen Project: XSA-53
Published: Jun 03, 2013 - 12:00 p.m.

Hypervisor crash due to missing exception recovery on XRSTOR

Source: Xen Project (xenbits.xen.org)

EPSS: 0.001 (Low), percentile 26.1%

ISSUE DESCRIPTION

Processors perform certain validity checks on the data passed to XRSTOR. While the hypervisor controls the placement of that memory block, it doesn’t restrict the contents in any way. Thus the hypervisor exposes itself to a fault occurring on XRSTOR. Unlike FXRSTOR, which behaves similarly, XRSTOR had no exception recovery code attached to it.

IMPACT

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS

Xen 4.0 and onwards are vulnerable when run on systems with processors supporting XSAVE. Only PV guests can exploit the vulnerability; for HVM guests only the control tools have access to the respective hypervisor functions.
In Xen 4.0.2 through 4.0.4, as well as in Xen 4.1.x, XSAVE support is disabled by default; therefore systems running these versions are not vulnerable unless support is explicitly enabled using the “xsave” hypervisor command line option.
Systems using processors not supporting XSAVE are not vulnerable.
Xen 3.x and earlier are not vulnerable.
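
The rules above can be turned into a host triage check. The following is an added example, not code from the advisory or the Xen Project: the function names, the accepted boolean spellings for the "xsave" switch, and the treatment of an explicit "no-xsave" / "xsave=0" as removing exposure are assumptions of this example. It knows nothing about fixed releases, which this page does not list.

```python
import re

# Boolean spellings for Xen command-line switches (assumption of this example).
TRUE_VALUES = {"1", "yes", "on", "true", "enable"}
FALSE_VALUES = {"0", "no", "off", "false", "disable"}

def parse_version(text):
    """'4.1.4' -> (4, 1, 4); a missing patch level is read as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Xen version: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def xsave_option(cmdline):
    """True/False if the command line sets xsave, None if it is absent."""
    state = None
    for token in cmdline.split():
        name, _, value = token.partition("=")
        if name == "no-xsave":
            state = False
        elif name == "xsave" and (not value or value.lower() in TRUE_VALUES):
            state = True
        elif name == "xsave" and value.lower() in FALSE_VALUES:
            state = False
    return state  # the last occurrence wins

def xsave_default(version):
    """Default XSAVE state: off in 4.0.2-4.0.4 and 4.1.x, per the advisory."""
    major, minor, patch = version
    return not ((major, minor) == (4, 1) or
                ((major, minor) == (4, 0) and 2 <= patch <= 4))

def xsa53_exposure(xen_version, cpu_flags, xen_cmdline, runs_pv_guests=True):
    """Return (exposed, reason) following the VULNERABLE SYSTEMS rules."""
    version = parse_version(xen_version)
    if version < (4, 0, 0):
        return False, "Xen 3.x and earlier are not vulnerable"
    if "xsave" not in cpu_flags:
        return False, "processor does not support XSAVE"
    option = xsave_option(xen_cmdline)
    # Assumption: an explicit setting on the command line overrides the default.
    enabled = xsave_default(version) if option is None else option
    if not enabled:
        return False, "XSAVE support is disabled in the hypervisor"
    if not runs_pv_guests:
        return False, "no PV guests; only PV guests can exploit the issue"
    return True, "affected version with XSAVE enabled and PV guests present"
```

The caller supplies the Xen version string, the set of CPU feature flags and the hypervisor command line as collected from the host being assessed.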

CPE

Name | Operator | Version
xen | ge | 4.0