When guest user code running inside a Xen guest operating system attempts to execute a syscall or sysenter instruction, but when the guest operating system has not registered a handler for that instruction, a General Protection Fault may need to be injected into the guest.
It has been discovered that the code in Xen which does this fails to clear a flag requesting exception injection, with the result that a future exception taken by the guest and handled entirely inside Xen will also be injected into the guest despite Xen having handled it already, probably crashing the guest.
An unprivileged local user on 32-bit or 64-bit PV guest could potentially use this flaw to crash the guest.
Upstream fixes:
http://xenbits.xensource.com/hg/staging/xen-unstable.hg/rev/80f4113be500http://xenbits.xensource.com/hg/staging/xen-unstable.hg/rev/569d6f05e1ef
Acknowledgements:
Red Hat would like to thank the Xen for reporting this issue.
Statement:
Not vulnerable.
This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5 as we did not have support for sysenter and compat (32bit) version of syscall instructions for PV guests running on the Xen hypervisor (introduced in upstream changeset 16207:aeebd173c3fa).
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.