Xen Test Framework
XSA-260

Advisory: XSA-260

The mov and pop instructions, when encoded with an %ss destination register, set the movss shadow in hardware, which prevents interrupts/exceptions from being delivered until the following instruction boundary. This is intended to allow adjacent updates to %ss and %esp to occur atomically with respect to asynchronous uses of the stack.

#DB exceptions differ in that some are discarded while others are deferred: breakpoint exceptions triggered by the mov/pop instructions themselves are deferred until the end of the subsequent instruction. If that subsequent instruction transitions into supervisor mode, the #DB is delivered after the privilege change.

The syscall instruction does not switch stacks itself, so a #DB deferred across it is delivered with the stack the guest left behind. This is open to (ab)use from guest context unless Xen arranges for a stack switch on #DB by other means (an IST entry for 64bit, a Task Gate for 32bit).

This test arranges for such an exploit attempt, but deliberately corrupts the stack pointer (by inverting the top bit) to increase the chances of a crash. The 64bit test will reliably #DF a vulnerable OS (trying to use a non-canonical stack pointer), while the 32bit test (subject to availability of the instruction) will cause a #DF if %esp ends up on an unmapped address.
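The 64bit mitigation named above is an IST entry for the #DB vector, so that delivery after syscall always switches to a known-good stack whatever %rsp the guest left behind. As an added example (not XTF or Xen code), the following C encodes a 64-bit interrupt-gate descriptor and audits an IDT for exactly that property; the handler address, code selector and IST slot number are assumed values.

```c
#include <stdint.h>
#include <stdbool.h>

/* 16-byte IDT gate descriptor in 64-bit mode; fields are naturally aligned. */
struct idt_gate {
    uint16_t offset_lo;   /* handler address bits 0..15 */
    uint16_t selector;    /* code segment selector */
    uint8_t  ist;         /* bits 0..2: IST index, 0 means no stack switch */
    uint8_t  type_attr;   /* bits 0..3 type, bit 4 zero, bits 5..6 DPL, bit 7 present */
    uint16_t offset_mid;  /* handler address bits 16..31 */
    uint32_t offset_hi;   /* handler address bits 32..63 */
    uint32_t reserved;
};
_Static_assert(sizeof(struct idt_gate) == 16, "IDT gate must be 16 bytes");

#define GATE_TYPE_INTERRUPT 0xE   /* 64-bit interrupt gate (IF cleared on entry) */
#define X86_VEC_DB          1     /* #DB, debug exception */
#define IDT_ENTRIES         256

/* Build a present, DPL0 interrupt gate; ist 1..7 selects a TSS IST stack. */
static void set_gate(struct idt_gate *g, uint64_t handler, uint16_t sel, uint8_t ist)
{
    g->offset_lo  = (uint16_t)handler;
    g->selector   = sel;
    g->ist        = ist & 0x7;
    g->type_attr  = 0x80 | GATE_TYPE_INTERRUPT;   /* P=1, DPL=0 */
    g->offset_mid = (uint16_t)(handler >> 16);
    g->offset_hi  = (uint32_t)(handler >> 32);
    g->reserved   = 0;
}

/* Reassemble the 64-bit handler address from the three split fields. */
static uint64_t gate_offset(const struct idt_gate *g)
{
    return (uint64_t)g->offset_lo | ((uint64_t)g->offset_mid << 16) |
           ((uint64_t)g->offset_hi << 32);
}

/* The XSA-260 audit: a present #DB gate must name an IST stack, otherwise a
 * #DB deferred across syscall runs on the guest-controlled stack pointer. */
static bool db_gate_switches_stack(const struct idt_gate *idt)
{
    const struct idt_gate *g = &idt[X86_VEC_DB];
    return (g->type_attr & 0x80) != 0 && (g->ist & 0x7) != 0;
}
```

The same check can be applied to a live table read back with `sidt`, since only the #DB entry's present bit and IST field are inspected.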

See also
tests/xsa-260/main.c