Xen Test Framework

Advisory: XSA-168

This vulnerability only affects VT-x hardware, and can only exploited by a guest running with shadow paging.

The invlpg (and invlpga on AMD) instructions are specified to be nops for non-canonical addresses. When using HAP, the instructions are not intercepted, and dealt with by hardware.

However with shadow paging, the instructions are intercepted to allow the shadow subsystem to performance maintenance of the shadows themselves. On VT-x hardware, this ends up turning into a invvpid in Xen, which does suffer a #GP on a non-canonical address.

To cause Xen to execute an invvpid instruction, the address (omitting the sign extension) must be a small page. This is covered in XTF because the single 4K page at NULL is unmapped.

The testcase attempts to execute such an invlpg instruction. If running in shadow mode, on VT-x hardware, on a vulnerable version, Xen will crash with a #GP fault. If not, the test will exit cleanly. The test is unable to distinguish between a fixed Xen and a test misconfiguration.

See also