Paolo Bonzini found a bug in the Xen hypervisor that can be used to crash the guest. A malicious guest userspace process can trick the hypervisor into emulating an instruction that causes the crash if it has access to an MMIO region. The bug can be exploited because of an inconsistency between the instruction decoding tables and the actual MMIO instruction decoder implementation.
This issue does not affect upstream.
This issue affects 32bit guests only.
Lifting embargo
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2010:0398 https://rhn.redhat.com/errata/RHSA-2010-0398.html
In kernel-2.6.18-199.el5. You can download this test kernel from http://people.redhat.com/jwilson/el5. Please update the appropriate value in the Verified field (cf_verified) to indicate this fix has been successfully verified. Include a comment with verification details.