Xen Test Framework
XSA-339

Advisory: XSA-339

Xen, in the fix for XSA-44, started raising #GP in the guest for a SYSENTER with NT set. This is buggy to begin with, and combined with a separate bug for 32bit PV guests, it caused the fault to be raised twice.

Execute SYSENTER, with NT set, and try to sift through the many possible results.

  1. On AMD/Hygon hardware, SYSENTER is unusable, and will result in #UD directly in userspace.
  2. On versions of Xen without XSA-44 fixed, Xen will crash.
  3. On versions of Xen with XSA-44, 339 and the buggy #GP behaviour fixed, the SYSENTER will execute normally and land at the registered callback. Fix up user state and return with no fault latched.
  4. On versions of Xen with XSA-44 and 339 fixed, a #GP will be delivered with SYSENTER semantics. Fix up user state, and return with a #GP fault latched (if case 5 has not already been latched).
  5. On versions of Xen with XSA-44 fixed, but 339 unfixed, a second #GP fault will be delivered on top of case 4, pointing at the #GP fault handler. Note this with EXINFO_AVAIL0, and treat it as having trap semantics, so that returning from it will then continue running case 4.

See also

tests/xsa-339/main.c