Xen Test Framework
XSA-265

Advisory: XSA-265

One of the fixes for XSA-260 introduced logic to try to prevent livelocks of #DB exceptions in hypervisor context. However, it failed to account for the fact that some %dr6 status bits are sticky: hardware sets them but never clears them, so a value left in %dr6 by a guest is still present when a later #DB is delivered.

This test sets the sticky %dr6.DB bit, then uses a MovSS shadow to deliver a #DB exception in hypervisor context. A vulnerable Xen sees the stale bit, trips the safety check and crashes the host.
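The following is an added illustration of the bug class, not code from XTF or Xen. It is a user-space model of a #DB handler's safety check: one version decides from %dr6 alone whether a fault-class condition (General Detect, instruction breakpoint) fired in hypervisor context, the other cross-checks %dr7 before believing a %dr6 bit. The bit layouts follow the Intel SDM; the handler logic, the function names and the `run_scenario` harness are hypothetical simplifications, and the sticky bit used is %dr6.BD since the model needs a concrete bit that is documented as never cleared by hardware.

```c
/*
 * Added example (not XTF's or Xen's code): model of a #DB safety check
 * that trusts %dr6 alone, beside one that cross-checks %dr7.
 * Bit positions follow the Intel SDM; handler logic is hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

/* %dr6 (debug status) bits. */
#define DR6_B(n)  (1u << (n))            /* breakpoint n condition detected */
#define DR6_BD    (1u << 13)             /* debug register access detected */
#define DR6_BS    (1u << 14)             /* single-step trap */
#define DR6_BT    (1u << 15)             /* task-switch trap */

/* %dr7 (debug control) bits. */
#define DR7_L(n)   (1u << (2 * (n)))     /* local enable for breakpoint n */
#define DR7_G(n)   (1u << (2 * (n) + 1)) /* global enable for breakpoint n */
#define DR7_GD     (1u << 13)            /* general detect enable */
#define DR7_RW(n)  (3u << (16 + 4 * (n))) /* type field: 0 = execute */

enum db_verdict { DB_CONTINUE = 0, DB_FATAL = 1 };

/*
 * Hardware delivering a #DB ORs the new condition into %dr6 and clears
 * nothing that was already there.  That is the stickiness at issue.
 */
static uint32_t hw_deliver_db(uint32_t prev_dr6, uint32_t condition)
{
    return prev_dr6 | condition;
}

/*
 * Vulnerable check (hypothetical): a set BD bit, or a Bn bit whose %dr7
 * type field says "execute", is taken as a genuine fault condition.
 * With %dr7 == 0 every type field reads as execute, so a stale B0..B3
 * or BD bit left by the guest is indistinguishable from a real fault.
 */
static enum db_verdict check_vulnerable(uint32_t dr6, uint32_t dr7)
{
    if (dr6 & DR6_BD)
        return DB_FATAL;

    for (unsigned int n = 0; n < 4; n++)
        if ((dr6 & DR6_B(n)) && (dr7 & DR7_RW(n)) == 0)
            return DB_FATAL;

    return DB_CONTINUE;
}

/*
 * Hardened check (hypothetical): a %dr6 bit only counts when the matching
 * %dr7 control is armed.  BD needs GD; Bn needs Ln or Gn and execute type.
 */
static enum db_verdict check_hardened(uint32_t dr6, uint32_t dr7)
{
    if ((dr6 & DR6_BD) && (dr7 & DR7_GD))
        return DB_FATAL;

    for (unsigned int n = 0; n < 4; n++)
        if ((dr6 & DR6_B(n)) &&
            (dr7 & (DR7_L(n) | DR7_G(n))) &&
            (dr7 & DR7_RW(n)) == 0)
            return DB_FATAL;

    return DB_CONTINUE;
}

/*
 * The scenario from the test description: the guest leaves guest_dr6 in
 * %dr6 with nothing armed in %dr7, then single-steps through a MovSS
 * shadow so the BS trap is delivered at a hypervisor %rip.
 */
static enum db_verdict run_scenario(uint32_t guest_dr6,
                                    enum db_verdict (*check)(uint32_t, uint32_t))
{
    const uint32_t dr7 = 0;                          /* no breakpoints armed */
    uint32_t dr6 = hw_deliver_db(guest_dr6, DR6_BS); /* single-step lands */
    return check(dr6, dr7);
}

int main(void)
{
    printf("stale BD, vulnerable check: %s\n",
           run_scenario(DR6_BD, check_vulnerable) == DB_FATAL ? "crash" : "continue");
    printf("stale BD, hardened check:   %s\n",
           run_scenario(DR6_BD, check_hardened) == DB_FATAL ? "crash" : "continue");
    return 0;
}
```

The MovSS shadow is what puts the trap in hypervisor context: a mov to %ss (or pop %ss) inhibits delivery of debug traps for one instruction, so if that next instruction is a SYSCALL or INT the pending single-step #DB arrives only after the privilege transition, with the hypervisor's %rip as the interrupted address. The model shows why consulting %dr6 alone there is unsafe: only %dr7 says whether a fault-class condition could actually have fired.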

See also
tests/xsa-265/main.c