Xen Test Framework
Advisory: XSA-296
Before XSA-296, the hypercall continuation setup logic in Xen used BUG() for its format string checking. That BUG() was reachable by PV guests via the VCPUOP_initialise hypercall.
To tickle a continuation, we set up the new vCPU's pagetables to require validation. With PV-L1TF protections in place, we can force a continuation by writing the first L1TF-vulnerable PTE for the domain.
For less buggy (or unprotected) hardware, we have to be a bit more cunning and (ab?)use the fact that we can send ourselves an event by writing into the evtchn 2L block, rather than by using a hypercall.
This leaves a 1-instruction race window: if Xen takes a real interrupt in that window, the pending evtchn is delivered before the VCPUOP_initialise hypercall is issued.
For 64-bit PV guests, we can actually spot this as a side effect of the SYSCALL ABI, and restart if it occurs. For 32-bit PV guests, there is no way to distinguish the two cases, so we have to live with the race.