Xen Test Framework
XSA-200

Advisory: XSA-200

Before XSA-200, the instruction emulator in Xen had a bug where it incorrectly honoured the legacy operand-size override prefix for cmpxchg8b. This caused it to read only a subset of the memory operand, but to write back all of the register state, leaking a certain quantity of the hypervisor stack into the guest.

In the Xen 4.8 development cycle, the bug was mitigated by accidentally causing such an instruction to suffer an unconditional #UD exception.

Construct such a cmpxchg8b, which should unconditionally fail and write mem into prev, and check whether mem was read correctly. As there is a slim chance that the stack rubble matches 0xc2, repeat the operation up to 10 times.
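The check described above, written out as an added example (not the test in tests/xsa-200/main.c, and not XTF code): it assumes x86 hardware and GCC inline assembly, and runs as an ordinary native process, where the hardware ignores the 0x66 prefix and the check passes; under the pre-fix emulator the upper half of prev would instead be stack rubble.

```c
#include <stdbool.h>
#include <stdint.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "This check only makes sense on x86 hardware"
#endif

/* Execute cmpxchg8b with a leading 0x66 operand-size override.  The byte is
 * emitted explicitly because the mnemonic alone never carries it.  Hardware
 * ignores the prefix for this instruction: on a failed compare, all eight
 * bytes of *mem are loaded into edx:eax and returned here as prev. */
uint64_t prefixed_cmpxchg8b(uint64_t *mem, uint64_t expected, uint64_t newval)
{
    uint32_t lo = (uint32_t)expected, hi = (uint32_t)(expected >> 32);

    __asm__ __volatile__ (".byte 0x66; lock cmpxchg8b %0"
                          : "+m" (*mem), "+a" (lo), "+d" (hi)
                          : "b" ((uint32_t)newval), "c" ((uint32_t)(newval >> 32))
                          : "cc", "memory");

    return ((uint64_t)hi << 32) | lo;
}

/* Regression check in the spirit of the XSA-200 test: mem is filled with
 * 0xc2, edx:eax is chosen so the compare always fails, and prev must then
 * equal mem exactly.  A buggy emulator reads only part of the operand and
 * returns stack rubble in the rest; because that rubble could by chance also
 * be 0xc2, the operation is repeated up to 10 times before reporting a pass. */
bool cmpxchg8b_reads_full_operand(void)
{
    const uint64_t fill = 0xc2c2c2c2c2c2c2c2ULL; /* constructed fill pattern */

    for (int i = 0; i < 10; i++) {
        uint64_t mem = fill;
        uint64_t prev = prefixed_cmpxchg8b(&mem, 0, 0x0123456789abcdefULL);

        if (prev != fill || mem != fill) /* partial read, or an unexpected write */
            return false;
    }
    return true;
}

/* Control case: the success path must still swap in the new value and
 * return the old one, i.e. the prefix must not have changed semantics. */
bool cmpxchg8b_success_path(void)
{
    uint64_t mem = 0x1122334455667788ULL; /* constructed sample value */
    uint64_t prev = prefixed_cmpxchg8b(&mem, mem, 0x99aabbccddeeff00ULL);

    return prev == 0x1122334455667788ULL && mem == 0x99aabbccddeeff00ULL;
}
```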

See also
tests/xsa-200/main.c