When guest user code running inside a Xen guest operating system attempts to execute a syscall or sysenter instruction, but when the guest operating system has not registered a handler for that instruction, a General Protection Fault may need to be injected into the guest.
It has been discovered that the code in Xen which does this fails to clear a flag requesting exception injection, with the result that a future exception taken by the guest and handled entirely inside Xen will also be injected into the guest despite Xen having handled it already, probably crashing the guest.
An unprivileged local user on 32-bit or 64-bit PV guest could potentially use this flaw to crash the guest.
Red Hat would like to thank the Xen for reporting this issue.
This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5 as we did not have support for sysenter and compat (32bit) version of syscall instructions for PV guests running on the Xen hypervisor (introduced in upstream changeset 16207:aeebd173c3fa).
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.
CERT contacted us and moved the embargo to 12th June 2012