The emulation of the fbld instruction (which is used during I/O emulation) uses the wrong variable for the source effective address. As a result, the actual address used is an uninitialised bit pattern from the stack. A malicious guest might be able to find out information about the contents of the hypervisor stack, by observing which values are actually being used by fbld and inferring what the address must have been. Depending on the actual values on the stack this attack might be very difficult to carry out. A malicious guest could use this flaw to access memory bytes related to other guests.
Statement: This issue does not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5. This issue does not affect the versions of the Linux kernel package as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as it does not have support for Xen hypervisor.
Acknowledgement: Red Hat would like to thank the Xen project for reporting this issue.
This is now public: http://www.openwall.com/lists/oss-security/2013/09/30/3
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1013748]