Xen Test Framework
XSA-296

Advisory: XSA-296

Before XSA-296, Xen used BUG() for format string checking in the hypercall continuation setup logic. This BUG() was reachable via the VCPUOP_initialise hypercall for PV guests.

To tickle a continuation, we set up the new vCPU's pagetables to require validation. In order to "force" a continuation, we (ab)use the fact that we can send ourselves an event by writing into the 2-level evtchn block. This causes hypercall_preempt_check() in Xen to return true.

This leaves a 1-instruction race window where, if Xen takes a real interrupt, the pending evtchn would be delivered before the VCPUOP_initialise hypercall is issued.

For 64-bit PV guests, we can actually spot this as a side effect of the SYSCALL ABI, and restart if it occurs. For 32-bit PV guests, there is no way to distinguish, so we have to live with the race.

See also
tests/xsa-296/main.c