ISSUE DESCRIPTION
=================

The Page Size (PS) page table entry bit exists at all page table levels
other than L1.  Its meaning is reserved in L4, and conditionally
reserved in L3 and L2 (depending on hardware capabilities).  The
software page table walker in the hypervisor, however, so far ignored
that bit in L4 and (on respective hardware) L3 entries, resulting in
pages to be treated as page tables which the guest OS may not have
designated as such.  If the page in question is writable by an
unprivileged user, then that user will be able to map arbitrary guest
memory.

IMPACT
======

On vulnerable OSes, guest user mode code may be able to establish
mappings of arbitrary memory inside the guest, allowing it to elevate
its privileges inside the guest.

VULNERABLE SYSTEMS
==================

All Xen versions expose the vulnerability.

ARM systems are not vulnerable.  x86 PV guests are not vulnerable.

To be vulnerable, a system must have both a vulnerable hypervisor, and
a vulnerable guest operating system, i.e. ones which make non-standard
use of the PS bit.  We are not aware of any vulnerable guest operating
systems, but we cannot rule it out.  We have checked with maintainers
of the following operating systems, all of whom have said that to the
best of their knowledge their operating system is not vulnerable:
Linux, FreeBSD, NetBSD, and OpenBSD.  Nor has it been observed in
common proprietary operating systems.

MITIGATION
==========

Running only PV guests will avoid this issue.

External References:

http://xenbits.xen.org/xsa/advisory-176.html

Acknowledgements:

Name: the Xen project