A flaw was found in the way xen_failsafe_callback() handled failed iret,
which causes the stack pointer to be wrong when entering the
iret_exc error path. An unprivileged local guest user in the 32-bit PV
Xen domain could use this flaw to crash the guest.
Red Hat would like to thank Andrew Cooper of Citrix for reporting this issue.
Created attachment 679616
Upstream proposed patch
Created kernel tracking bugs for this issue
Affects: fedora-all [bug 896051]
This issue did not affect Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.
I'm brewing a build with the proposed patch:
and taking a stab at writing a reproducer.
kernel-3.7.2-204.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.7.3-101.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0496 https://rhn.redhat.com/errata/RHSA-2013-0496.html