Xen Test Framework

Advisory: XSA-279

When PCID support was added to Xen to mitigate some of the performance hit from the Meltdown protection, Xen's internal TLB flushing changed from using INVLPG to using INVPCID. These instructions differ in how they handle non-canonical addresses, with the latter raising a #GP[0] fault.

One path passed an un-audited guest value into Xen's internal TLB flushing logic, which used to be safe, but no longer is.

Deliberately try to invalidate a non-canonical address. If Xen is using the INVPCID instruction for TLB management (at the time of writing, Haswell and later hardware, PCID or INVPCID not explicitly disabled on the command line, and XPTI activated for the domain), and is vulnerable, it will die with an unhandled #GP[0] fault.

See also