ISSUE DESCRIPTION
=================

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
size overrides; it only honors the REX.W override (making it
CMPXCHG16B).  So, the operand size is always 8 or 16.

When support for CMPXCHG16B emulation was added to the instruction
emulator, this restriction on the set of possible operand sizes was
relied on in some parts of the emulation; but a wrong, fully general,
operand size value was used for other parts of the emulation.

As a result, if a guest uses a supposedly-ignored operand size prefix,
a small amount of hypervisor stack data is leaked to the guests: a 96
bit leak to guests running in 64-bit mode; or, a 32 bit leak to other
guests.

IMPACT
======

A malicious unprivileged guest may be able to obtain sensitive
information from the host.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 through 4.7 are affected. Xen master and Xen 4.8 as
well as Xen versions 3.2 and earlier are not affected.

Only x86 systems are affected. ARM systems are not affected.

On Xen 4.6 and earlier the vulnerability is exposed to all HVM guest
user processes, including unprivileged processes.

On Xen 4.7, the vulnerability is exposed only to HVM guest user
processes granted a degree of privilege (such as direct hardware
access) by the guest administrator; or, to all user processes when the
VM has been explicitly configured with a non-default cpu vendor string
(in xm/xl, this would be done with a `cpuid=' domain config option).

MITIGATION
==========

There is no known mitigation.

External References:

http://xenbits.xen.org/xsa/advisory-200.html

Acknowledgements:

Name: the Xen project