One of the two changes for XSA-346 introduced an on-stack array. The check for guarding against overrunning this array was off by one, allowing for corruption of the first stack slot immediately following this array.
Upstream fix: https://xenbits.xen.org/xsa/xsa355.patch
Acknowledgments: Name: the Xen project
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1902769]
External References: https://xenbits.xen.org/xsa/advisory-355.html
Mitigation: Avoid passing through physical devices to untrusted guests.
*** Bug 1903746 has been marked as a duplicate of this bug. ***