When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest-specified table limits. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of its choice, as long as the guest kernel did not itself install an LDT (in which case the LDT limit should cause every LDT selector to fault rather than be read).
Only 32-bit PV guest user mode can leverage this vulnerability.
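The following is an added illustration of the missing check, not Xen's code and not the upstream fix. It models a PV emulator's descriptor fetch for a call-gate target selector against a flat guest address space: the unchecked variant reads base + index*8 regardless of the table limit, so a guest that never installed an LDT still has the emulator consume whatever user mode wrote at the LDT area; the checked variant applies the hardware rule (null selector, absent table, and descriptor end beyond limit all raise #GP). The table addresses, the planted descriptor value and the fixed LDT area address are constructed assumptions for the scenario.

```c
/* Added example: model of descriptor-table limit checking in a PV emulator.
 * Not Xen code; addresses, layouts and the planted descriptor are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define GUEST_MEM_SIZE 0x4000u
static uint8_t guest_mem[GUEST_MEM_SIZE];   /* flat model of guest memory */

/* A descriptor table as the guest kernel installed it. limit is the last
 * valid byte offset (GDTR/LDTR convention); installed == false models a
 * guest kernel that never set up an LDT. */
struct desc_table { uint32_t base; uint32_t limit; bool installed; };
struct vcpu_tables { struct desc_table gdt, ldt; };

enum emul_result { EMUL_OK, EMUL_GP };      /* EMUL_GP: inject #GP(selector) */

/* Selector fields: index (bits 15:3), table indicator (bit 2), RPL (bits 1:0). */
static inline unsigned sel_index(uint16_t sel) { return sel >> 3; }
static inline bool     sel_ti(uint16_t sel)    { return (sel >> 2) & 1; }

/* Vulnerable form: choose the table from TI and read 8 bytes at
 * base + index*8 without consulting the table limit. */
enum emul_result read_descriptor_unchecked(const struct vcpu_tables *t,
                                           uint16_t sel, uint64_t *desc)
{
    const struct desc_table *tbl = sel_ti(sel) ? &t->ldt : &t->gdt;
    uint32_t off = tbl->base + sel_index(sel) * 8;
    if (off + 8 > GUEST_MEM_SIZE)           /* only to keep the model in bounds */
        return EMUL_GP;
    memcpy(desc, &guest_mem[off], 8);
    return EMUL_OK;
}

/* Fixed form: null selector, uninstalled table, or an 8-byte descriptor that
 * would extend past the limit all fault, as the hardware would. */
enum emul_result read_descriptor_checked(const struct vcpu_tables *t,
                                         uint16_t sel, uint64_t *desc)
{
    const struct desc_table *tbl = sel_ti(sel) ? &t->ldt : &t->gdt;
    uint32_t idx_off = sel_index(sel) * 8;
    if ((sel & ~3u) == 0)                   /* null selector */
        return EMUL_GP;
    if (!tbl->installed)                    /* no LDT: every LDT selector faults */
        return EMUL_GP;
    if (idx_off + 7 > tbl->limit)           /* descriptor must lie within limit */
        return EMUL_GP;
    if (tbl->base + idx_off + 8 > GUEST_MEM_SIZE)
        return EMUL_GP;
    memcpy(desc, &guest_mem[tbl->base + idx_off], 8);
    return EMUL_OK;
}

/* Constructed scenario: kernel installs a 4-entry GDT and no LDT; user mode
 * writes a descriptor of its choice where LDT index 2 would be read from and
 * calls through selector 0x17 (index 2, TI=1, RPL=3). */
#define KERNEL_GDT_BASE 0x1000u
#define LDT_AREA_BASE   0x3000u             /* assumption: fixed LDT area address */
#define KERNEL_CODE_DESC 0x00CF9A000000FFFFull
#define PLANTED_DESC     0x00CF9B000000FFFFull
#define ATTACKER_SEL     ((uint16_t)((2 << 3) | 4 | 3))

static struct vcpu_tables setup_scenario(void)
{
    struct vcpu_tables t = {
        .gdt = { .base = KERNEL_GDT_BASE, .limit = 4 * 8 - 1, .installed = true },
        .ldt = { .base = LDT_AREA_BASE,   .limit = 0,         .installed = false },
    };
    uint64_t kcode = KERNEL_CODE_DESC, planted = PLANTED_DESC;
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(&guest_mem[KERNEL_GDT_BASE + 8], &kcode, 8);    /* GDT[1] by the kernel */
    memcpy(&guest_mem[LDT_AREA_BASE + 2 * 8], &planted, 8); /* written by user mode */
    return t;
}

/* Descriptor the unchecked emulator consumes for the attacker selector (0 if rejected). */
uint64_t unchecked_result(void)
{
    struct vcpu_tables t = setup_scenario(); uint64_t d = 0;
    return read_descriptor_unchecked(&t, ATTACKER_SEL, &d) == EMUL_OK ? d : 0;
}

enum emul_result checked_result(void)
{
    struct vcpu_tables t = setup_scenario(); uint64_t d = 0;
    return read_descriptor_checked(&t, ATTACKER_SEL, &d);
}

/* Legitimate GDT selector 0x08 still works on the checked path (0 if rejected). */
uint64_t checked_gdt_desc(void)
{
    struct vcpu_tables t = setup_scenario(); uint64_t d = 0;
    return read_descriptor_checked(&t, (uint16_t)(1 << 3), &d) == EMUL_OK ? d : 0;
}

/* GDT selector 0x28 (index 5) lies past the 4-entry limit and must fault. */
enum emul_result checked_gdt_over_limit(void)
{
    struct vcpu_tables t = setup_scenario(); uint64_t d = 0;
    return read_descriptor_checked(&t, (uint16_t)(5 << 3), &d);
}

int main(void)
{
    printf("unchecked LDT fetch: 0x%016llx\n", (unsigned long long)unchecked_result());
    printf("checked LDT fetch:   %s\n", checked_result() == EMUL_GP ? "#GP" : "OK");
    printf("checked GDT 0x08:    0x%016llx\n", (unsigned long long)checked_gdt_desc());
    printf("checked GDT 0x28:    %s\n", checked_gdt_over_limit() == EMUL_GP ? "#GP" : "OK");
    return 0;
}
```

The check that matters is the limit comparison: for an 8-byte descriptor the last byte, index*8 + 7, must not exceed the table limit, and an LDT the kernel never loaded behaves as a zero-length table, so every TI=1 selector faults before any memory is read.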
Upstream advisory and patches:
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1771341]