Multiple mappings of the same physical page with different cachability setting can cause problems. While one category (risk of using stale data) affects only guests themselves (and hence avoiding this can be left for them to control), the other category being Machine Check exceptions can be fatal to entire hosts. According to the information we were able to gather, only mappings of MMIO pages may surface this second category, but even for them there were cases where the hypervisor did not properly enforce consistent cachability.
A malicious guest administrator might be able to cause a reboot, denying service to the entire host.
Only x86 guests given control over some physical device can trigger this vulnerability. ARM systems are not vulnerable.
The vulnerability depends on the system response to mapping the same memory with different cacheability. On some systems this is harmless; on others, depending on CPU and chipset, it may be fatal.
Not handing physical devices to guests will also avoid this issue.
Red Hat would like to thank the Xen project for reporting this issue.
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1309324]
xen-4.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.