Xen Test Framework
XSA-196

Advisory: XSA-196

Xen change 36ebf14ebe contained a bug in calculating the size of an IDT entry.

This means that a 16- or 32-bit code segment running under a 64-bit kernel causes the x86 emulator to walk the IDT with the 8-byte legacy entry size instead of the 16-byte long-mode size, so it reads the DPL/Present bits from the wrong location in the IDT. At an 8-byte stride, vector 8 (#DF) lands on the first half of the 16-byte entry for vector 4 (#OF). As #OF is typically a DPL3 descriptor, guest userspace can end up invoking #DF (e.g. via `int $8`), a vector reserved for a critical malfunction.
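To make the aliasing concrete, the following is an added example, not XTF's or Xen's code: it models the software-interrupt DPL/Present check over a constructed 64-bit IDT, once with the correct 16-byte entry size and once with the 8-byte size that a segment-width-based calculation picks for a 32-bit code segment. The gate layout is architectural; the sample IDT contents and the `correct_check`/`buggy_check` functions are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectural 64-bit IDT gate (16 bytes).  Byte 5 carries type, DPL and P,
 * at the same position as in an 8-byte legacy gate. */
struct idt_gate64 {
    uint16_t offset_lo;
    uint16_t selector;
    uint8_t  ist;
    uint8_t  attr;      /* bits 3:0 type, bit 4 zero, bits 6:5 DPL, bit 7 present */
    uint16_t offset_mid;
    uint32_t offset_hi;
    uint32_t reserved;
};
_Static_assert(sizeof(struct idt_gate64) == 16, "64-bit gate must be 16 bytes");

#define NR_VECTORS  32
#define GATE_P_DPL0 0x8e   /* present, DPL0, 64-bit interrupt gate */
#define GATE_P_DPL3 0xee   /* present, DPL3, 64-bit interrupt gate */

/* Constructed sample IDT (assumption): everything DPL0 except #BP (3) and
 * #OF (4), which a typical OS leaves DPL3 so int3/into work from userspace. */
static struct idt_gate64 idt[NR_VECTORS];

static void setup_sample_idt(void)
{
    memset(idt, 0, sizeof idt);
    for (unsigned v = 0; v < NR_VECTORS; v++) {
        idt[v].selector = 0x08;
        idt[v].attr = GATE_P_DPL0;
    }
    idt[3].attr = GATE_P_DPL3;  /* #BP */
    idt[4].attr = GATE_P_DPL3;  /* #OF */
}

enum outcome { OUT_INJECT, OUT_GP, OUT_NP };

/* Architectural INT n check, parameterised by the entry size the emulator
 * believes the IDT has: #GP if the entry is outside the table or CPL exceeds
 * the gate DPL, #NP if the gate is not present, otherwise deliver the vector. */
static enum outcome sw_int_check(unsigned vector, unsigned cpl, size_t entry_size)
{
    static bool initialised;
    if (!initialised) { setup_sample_idt(); initialised = true; }

    size_t off = (size_t)vector * entry_size;
    if (off + entry_size > sizeof idt)
        return OUT_GP;

    uint8_t attr = ((const uint8_t *)idt)[off + 5];
    unsigned dpl = (attr >> 5) & 3;
    bool present = (attr & 0x80) != 0;

    if (cpl > dpl)
        return OUT_GP;
    if (!present)
        return OUT_NP;
    return OUT_INJECT;
}

/* Correct: entry size follows the guest's mode (16 bytes in long mode). */
enum outcome correct_check(unsigned vector, unsigned cpl, bool long_mode)
{
    return sw_int_check(vector, cpl, long_mode ? 16 : 8);
}

/* Model of the bug the page describes (hypothetical, not Xen's code): the
 * entry size is derived from the current code segment's width, so a 16- or
 * 32-bit segment under a 64-bit kernel is walked with 8-byte entries. */
enum outcome buggy_check(unsigned vector, unsigned cpl, bool long_mode, unsigned cs_bits)
{
    (void)long_mode;
    return sw_int_check(vector, cpl, cs_bits == 64 ? 16 : 8);
}

int main(void)
{
    static const char *const name[] = { "deliver", "#GP", "#NP" };

    /* 64-bit guest, CPL3, executing int $8 from a 32-bit compat segment. */
    printf("int $8 at CPL3, correct lookup:          %s\n", name[correct_check(8, 3, true)]);
    printf("int $8 at CPL3, buggy lookup, 32-bit CS: %s\n", name[buggy_check(8, 3, true, 32)]);
    printf("int $8 at CPL3, buggy lookup, 64-bit CS: %s\n", name[buggy_check(8, 3, true, 64)]);
    return 0;
}
```

With the 8-byte stride, `int $8` is checked against byte 69 of the table, which is the attribute byte of the #OF gate, so the DPL3 check passes and #DF is delivered to a CPL3 caller. The same aliasing works the other way: a legitimate `int $3` from a 32-bit segment is checked against the entry for vector 1 and refused with #GP.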

This vulnerability is restricted to AMD hardware lacking NRip support. More modern AMD hardware, and all Intel hardware, bypass the buggy logic in Xen.

See also
tests/xsa-196/main.c