It accidentally failed to ignore operand size information from the instruction stream, which could lead to leaks of 32 or 96 bits of hypervisor memory contents to a guest.
I thought so too at first, but I'd expect non-x86 host systems running x86 guests to be vulnerable if that were the case. The advisory seems to indicate otherwise.
There are some instructions that are not privileged but may leak information about the host environment to the VM. Such instructions are referred to as sensitive instructions. To prevent sensitive instructions from being misused inside the VM, they are emulated.
Another explanation is that some older x86 processors may not have full hardware virtualization support, so Xen emulates the instructions to support a wider number of host configurations.
The x86 instruction set wasn't designed with hardware virtualisation in mind. Some of its instructions are defined to leak state from higher privileged levels into lower privileged levels. As hypervisor Xen must preserve these semantics. One way to achieve this is to trap all possible leaks and emulate the leak in the hypervisor. This is what Xen tried and failed to implement correctly.
An other possible solution to similar problems is to complicate the CPU even further and have it virtualise the corner cases in hardware or microcode.
11 comments
[ 3.3 ms ] story [ 43.3 ms ] thread"The Intel Quark series processors are also affected by this bug. [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738575]"
It accidentally failed to ignore operand size information from the instruction stream, which could lead to leaks of 32 or 96 bits of hypervisor memory contents to a guest.
The patch is pretty straight-forward:
I assume (didn't read the full code) that op_bytes came from the instruction stream.That said, those who believe the x86 instruction set is too complex do have one more argument now.
Anyway, I've done some digging and found an explanation here: https://insinuator.net/2015/02/the-dangers-of-x86-emulation-...
tl;dr: it falls back to emulation for very specific cases that cannot be handled by hardware-assisted virtualization
Another explanation is that some older x86 processors may not have full hardware virtualization support, so Xen emulates the instructions to support a wider number of host configurations.
I may be completely wrong though.
An other possible solution to similar problems is to complicate the CPU even further and have it virtualise the corner cases in hardware or microcode.