Xen Test Framework
XSA-213

Advisory: XSA-213

Before XSA-213, Xen would allow the use of __HYPERCALL_iret in a multicall. __HYPERCALL_iret switches the guest from kernel mode into user mode, but the multicall continues regardless, with no further privilege checks on the remaining entries.

Some hypercalls depend on being run in kernel mode, and their reference counting relies on this. User code was never expected to execute hypercalls, so the fix is to terminate the multicall once an iret has been encountered.

This PoC mixes an iret and a xen_version hypercall in a single multicall, to check whether the multicall terminates before executing the xen_version part.
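The dispatch-loop logic the fix changes, as an added example that is neither Xen's multicall code nor the XTF test in tests/xsa-213/main.c. It is a constructed user-space model: a vCPU with a single kernel/user mode bit, a batch of two entries shaped like the PoC (iret followed by xen_version), and two dispatchers, one with the pre-XSA-213 behaviour (every entry runs) and one that ends the batch at the iret. The hypercall numbers follow Xen's public ABI (xen_version = 17, iret = 23); the version value returned and the -38 (-ENOSYS) error code are constructed placeholders, and the handlers only record which mode they ran in rather than doing real reference counting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypercall numbers from Xen's public ABI (xen/include/public/xen.h). */
#define HYPERVISOR_xen_version 17
#define HYPERVISOR_iret        23

/* Modelled guest vCPU state: only the privilege mode matters here. */
struct vcpu { bool user_mode; };

struct multicall_entry {
    unsigned int op;
    long result;            /* filled in by the dispatcher */
};

/* What a batch did, for inspection by the caller. */
struct multicall_outcome {
    unsigned int calls_run;           /* entries that were dispatched */
    unsigned int calls_in_user_mode;  /* entries dispatched after the privilege drop */
};

/* Modelled per-hypercall handler. A real handler may keep reference counts
 * that assume kernel-mode context; this one only records the mode it ran in. */
static long do_one_call(struct vcpu *v, const struct multicall_entry *e,
                        struct multicall_outcome *out)
{
    out->calls_run++;
    if (v->user_mode)
        out->calls_in_user_mode++;

    switch (e->op) {
    case HYPERVISOR_iret:
        v->user_mode = true;    /* iret returns the guest to user mode */
        return 0;
    case HYPERVISOR_xen_version:
        return 0x00040009;      /* constructed value: major << 16 | minor */
    default:
        return -38;             /* constructed -ENOSYS */
    }
}

/* Pre-XSA-213 behaviour: every entry runs, regardless of the iret. */
static struct multicall_outcome
multicall_vulnerable(struct vcpu *v, struct multicall_entry *calls, size_t n)
{
    struct multicall_outcome out = {0};
    for (size_t i = 0; i < n; i++)
        calls[i].result = do_one_call(v, &calls[i], &out);
    return out;
}

/* Post-XSA-213 behaviour: an iret ends the batch, so nothing runs in user mode. */
static struct multicall_outcome
multicall_fixed(struct vcpu *v, struct multicall_entry *calls, size_t n)
{
    struct multicall_outcome out = {0};
    for (size_t i = 0; i < n; i++) {
        calls[i].result = do_one_call(v, &calls[i], &out);
        if (calls[i].op == HYPERVISOR_iret)
            break;
    }
    return out;
}

typedef struct multicall_outcome (*dispatcher_t)(struct vcpu *,
                                                 struct multicall_entry *, size_t);

/* Run the PoC-shaped batch {iret, xen_version} from kernel mode. */
static struct multicall_outcome run_poc(dispatcher_t dispatch)
{
    struct vcpu v = { .user_mode = false };
    struct multicall_entry calls[2] = {
        { .op = HYPERVISOR_iret },
        { .op = HYPERVISOR_xen_version },
    };
    return dispatch(&v, calls, 2);
}

/* True if the batch executed a hypercall after iret dropped to user mode. */
static bool xen_version_ran_in_user_mode(dispatcher_t dispatch)
{
    return run_poc(dispatch).calls_in_user_mode > 0;
}

int main(void)
{
    printf("vulnerable dispatcher: xen_version ran in user mode? %s\n",
           xen_version_ran_in_user_mode(multicall_vulnerable) ? "yes" : "no");
    printf("fixed dispatcher:      xen_version ran in user mode? %s\n",
           xen_version_ran_in_user_mode(multicall_fixed) ? "yes" : "no");
    return 0;
}
```

The point the model makes is where the check sits: the privilege change happens inside the loop, so a check done once before the batch starts is not enough, and the simplest safe response is to stop dispatching as soon as the mode-changing entry has run. The XTF test applies the same check against real Xen by seeing whether the xen_version entry produced a result.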

See also
tests/xsa-213/main.c