Xen Project Security Advisory XSA-64

Memory accessible by 64-bit PV guests under live migration

Published: Sep 30, 2013, 10:04 a.m.
Source: Xen Project, xenbits.xen.org

CVSS2: 5.4 Medium (AV:A/AC:M/Au:N/C:P/I:P/A:P)
  Attack Vector: Adjacent Network
  Attack Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial

EPSS: 0.002 (Low), percentile 52.2%

ISSUE DESCRIPTION

On some hardware, during live migration of 64-bit PV guests, some parts of the guest’s shadow pagetables are mistakenly filled in with hypervisor mappings. This causes Xen to crash when those mappings are later cleared. Before the crash, a malicious guest could use hypercalls to cause Xen to read and write the parts of memory pointed to by the stray mappings.

IMPACT

A malicious 64-bit PV guest, on a vulnerable host system, that can arrange for itself to be live-migrated, could read or write memory at high physical addresses on the host.
Note that once such a guest begins live migration the host is likely to eventually crash, either when the live migration completes or on an earlier page fault. This crash could be avoided if the malicious guest uses its improperly escalated privilege to prevent it.

VULNERABLE SYSTEMS

Xen 4.3.x and xen-unstable are vulnerable. Xen 4.2.x and earlier releases are not vulnerable.
In addition, only hosts with RAM extending past 5TB are affected.
On any affected host that has not yet been successfully attacked, live migration of a 64-bit PV guest will deterministically crash the host. If you can migrate a 64-bit PV guest from host A to host B without crashing host A, then host A is not affected by this bug.
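
The two conditions above (Xen 4.3.x or later, RAM past 5TB) can be pre-screened from `xl info` before anyone risks the migration test. The following triage script is an added example and is not part of the Xen Project advisory or its code. It assumes the standard `xl info` keys `xen_major`, `xen_minor` and `total_memory` (MiB), reads "5TB" as 5 TiB, and uses total memory as a stand-in for the end of the physical address map; a host with large memory holes could have RAM extending past 5TB with less total memory, so a "not-affected" verdict on memory alone is only as good as that approximation. The XSA-64 patch does not change the reported version, so a version match only marks a candidate.

```shell
#!/bin/sh
# XSA-64 pre-screen: added example, not part of the Xen Project advisory.
# Reads `xl info` output and reports "possibly-affected", "not-affected"
# or "unknown". Assumptions: total_memory (MiB) approximates the top of
# the physical address map, and "5TB" in the advisory means 5 TiB.

FIVE_TB_MIB=5242880   # 5 * 1024 * 1024 MiB

# xl_field INFO KEY: print KEY's value from `xl info` text INFO.
# `xl info` lines look like "xen_major              : 4".
xl_field() {
    printf '%s\n' "$1" | awk -F' *: *' -v k="$2" '$1 == k { print $2; exit }'
}

# xsa64_triage INFO: apply the advisory's version and memory conditions.
xsa64_triage() {
    major=$(xl_field "$1" xen_major)
    minor=$(xl_field "$1" xen_minor)
    mem_mib=$(xl_field "$1" total_memory)

    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$mem_mib" ]; then
        echo unknown
        return 0
    fi

    # Xen 4.2.x and earlier are not vulnerable; 4.3.x and unstable are.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 3 ]; }; then
        echo not-affected
        return 0
    fi

    # Version matches: only hosts whose RAM extends past 5TB are affected.
    # The XSA-64 fix does not bump the version, so this is a candidate only.
    if [ "$mem_mib" -gt "$FIVE_TB_MIB" ]; then
        echo possibly-affected
    else
        echo not-affected
    fi
}

# Constructed `xl info` excerpts (not captured from real hosts).
SAMPLE_BIG_43='host                   : big-box
xen_major              : 4
xen_minor              : 3
xen_extra              : .0
total_memory           : 6291456
free_memory            : 102400'

SAMPLE_SMALL_43='host                   : small-box
xen_major              : 4
xen_minor              : 3
xen_extra              : .0
total_memory           : 131072'

SAMPLE_BIG_42='host                   : old-big-box
xen_major              : 4
xen_minor              : 2
xen_extra              : .3
total_memory           : 6291456'

# Run against the live host when xl is available.
if command -v xl >/dev/null 2>&1; then
    xsa64_triage "$(xl info)"
fi
```

A "possibly-affected" verdict is the cue to apply the XSA-64 patch (or avoid live-migrating 64-bit PV guests) rather than to run the migration test from the advisory, since on an unpatched affected host that test crashes the source host.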

CPE
Name  Operator  Version
xen   ge        4.3.x
