Xen Project XSA-54
Jun 03, 2013 - 12:00 p.m.

Hypervisor crash due to missing exception recovery on XSETBV

xenbits.xen.org

CVSS2: 4.7 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:L/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.001 Low
Percentile: 26.0%

ISSUE DESCRIPTION

Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn’t check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf of the guest.
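
The missing check described above can be sketched as a validate-before-execute routine; this is an added example, not Xen's code or its patch. The advisory does not list the bit combinations, so the rules shown are the architectural XSETBV constraints for x87/SSE/AVX state from the Intel SDM, and the names `xsetbv_args_valid`, `emulate_xsetbv`, `vcpu_xstate` and `host_mask` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* XCR0 state-component bits as defined in the Intel SDM. */
#define XSTATE_FP  (1ULL << 0)   /* x87: must always be set */
#define XSTATE_SSE (1ULL << 1)
#define XSTATE_YMM (1ULL << 2)   /* AVX: only valid together with SSE */

enum emul_result { EMUL_OK, EMUL_INJECT_GP };

/* Hypothetical per-vCPU state; xcr0 stands in for the real register. */
struct vcpu_xstate {
    uint64_t host_mask;  /* XCR0 bits the host CPU supports (CPUID leaf 0xD) */
    uint64_t xcr0;
};

/* True only if the processor would accept XSETBV with these operands. */
bool xsetbv_args_valid(uint32_t index, uint64_t value, uint64_t host_mask)
{
    if (index != 0)                 /* XCR0 is the only register handled here */
        return false;
    if (!(value & XSTATE_FP))       /* clearing x87 raises #GP */
        return false;
    if (value & ~host_mask)         /* unsupported or reserved bit set */
        return false;
    if ((value & XSTATE_YMM) && !(value & XSTATE_SSE))
        return false;               /* AVX without SSE raises #GP */
    return true;
}

/*
 * Validate guest-supplied operands first; a rejected value becomes a fault
 * delivered to the guest instead of one taken by the hypervisor itself.
 */
enum emul_result emulate_xsetbv(struct vcpu_xstate *v, uint32_t ecx,
                                uint32_t eax, uint32_t edx)
{
    uint64_t value = ((uint64_t)edx << 32) | eax;

    if (!xsetbv_args_valid(ecx, value, v->host_mask))
        return EMUL_INJECT_GP;
    v->xcr0 = value;                /* stand-in for executing XSETBV */
    return EMUL_OK;
}
```

Newer state components add further pairing rules of the same kind, so a real validator has to track every component the host exposes.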

IMPACT

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS

Xen 4.1 and onwards are vulnerable when run on systems with processors supporting XSAVE. Only PV guests can exploit the vulnerability.
In Xen 4.1 XSAVE support is disabled by default; therefore systems running these versions are not vulnerable unless support is explicitly enabled using the “xsave” hypervisor command line option.
Systems using processors not supporting XSAVE are not vulnerable.
Xen 3.x and earlier are not vulnerable. In particular, Xen 4.0.x is not vulnerable because XSAVE support there covers only HVM guests.

CPE Name: xen
Operator: ge
Version: 4.1
