xen-kernel -- x86 task switch to VM86 mode mis-handled
The Xen Project reports:
LDTR, just like TR, is purely a protected mode facility. Hence even
when switching to a VM86 mode task, LDTR loading needs to follow
protected mode semantics. This was violated by the code.
On SVM (AMD hardware): a malicious unprivileged guest process can
escalate its privilege to that of the guest operating system.
On both SVM and VMX (Intel hardware): a malicious unprivileged
guest process can crash the guest.
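As an added illustration, not part of the original advisory and not Xen's code, the following toy model in C contrasts the mis-handling the Xen Project describes with the correct behaviour. A hardware task switch loads each segment register from the incoming TSS; if the new task's EFLAGS has the VM bit set, the six ordinary segment registers take real-mode semantics (base = selector << 4, 64 KiB limit, no descriptor consulted). The bug was applying those same semantics to LDTR. The fixed path always resolves LDTR through the GDT with protected-mode checks (TI clear, index within the GDT limit, a present LDT system descriptor), regardless of EFLAGS.VM. All structure names, helper names and the constructed GDT are assumptions made for the example and are not Xen's internal types.

```c
/*
 * Added example, not Xen's code: a toy model of task-switch segment loading.
 * Buggy path: LDTR gets VM86 (real-mode) semantics when the new TSS has
 * EFLAGS.VM set. Fixed path: LDTR always follows protected-mode semantics.
 * All names, structures and the GDT below are constructed for illustration.
 */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define EFLAGS_VM     (1u << 17)
#define SEL_TI        0x4u   /* table indicator: 1 = LDT, 0 = GDT */
#define SEL_RPL       0x3u
#define DESC_TYPE_LDT 2      /* system descriptor type for an LDT */

enum seg { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS, SEG_LDTR };

/* Hidden (cached) segment register state kept by the CPU after a load. */
struct segreg { uint16_t sel; uint32_t base; uint32_t limit; bool present; };

/* A descriptor table entry, already decoded from its 8-byte form. */
struct desc { uint32_t base; uint32_t limit; bool present; bool system; uint8_t type; };

struct gdt { const struct desc *entries; unsigned count; };

/* Constructed GDT: null, one code segment (S=1), one LDT descriptor. */
static const struct desc example_gdt_entries[] = {
    { 0,      0,       false, false, 0 },             /* 0x00: null */
    { 0,      0xfffff, true,  false, 0xa },           /* 0x08: code, not system */
    { 0x1000, 0x7f,    true,  true,  DESC_TYPE_LDT }, /* 0x10: LDT at 0x1000 */
};
static const struct gdt example_gdt = { example_gdt_entries, 3 };

/* Protected-mode LDTR load: GDT only, in range, present LDT descriptor.
 * Returns 0 on success, -1 where real hardware would raise #GP/#NP. */
static int load_ldtr_protected(const struct gdt *gdt, uint16_t sel, struct segreg *out)
{
    if ((sel & ~SEL_RPL) == 0) {        /* null selector: LDT disabled */
        memset(out, 0, sizeof *out);
        return 0;
    }
    if (sel & SEL_TI)                   /* #GP: LDTR cannot come from an LDT */
        return -1;
    unsigned idx = sel >> 3;
    if (idx >= gdt->count)              /* #GP: selector outside the GDT */
        return -1;
    const struct desc *d = &gdt->entries[idx];
    if (!d->system || d->type != DESC_TYPE_LDT) /* #GP: not an LDT descriptor */
        return -1;
    if (!d->present)                    /* #NP */
        return -1;
    out->sel = sel; out->base = d->base; out->limit = d->limit; out->present = true;
    return 0;
}

/* Protected-mode load of an ordinary segment register (simplified: GDT only,
 * descriptor must be a present non-system segment; null selector is allowed). */
static int load_seg_protected(const struct gdt *gdt, uint16_t sel, struct segreg *out)
{
    unsigned idx = sel >> 3;
    if ((sel & ~SEL_RPL) == 0) { memset(out, 0, sizeof *out); return 0; }
    if ((sel & SEL_TI) || idx >= gdt->count) return -1;
    const struct desc *d = &gdt->entries[idx];
    if (d->system || !d->present) return -1;
    out->sel = sel; out->base = d->base; out->limit = d->limit; out->present = true;
    return 0;
}

/* Real-mode / VM86 semantics: selector is a paragraph number, 64 KiB limit,
 * no descriptor table is consulted at all. */
static void load_seg_vm86(uint16_t sel, struct segreg *out)
{
    out->sel = sel; out->base = (uint32_t)sel << 4; out->limit = 0xffff; out->present = true;
}

/* Buggy: EFLAGS.VM in the new TSS makes every register, LDTR included,
 * take real-mode semantics, so an arbitrary selector installs an unchecked
 * 64 KiB "LDT" at a task-chosen address. */
static int task_switch_load_buggy(const struct gdt *gdt, uint32_t eflags,
                                  enum seg seg, uint16_t sel, struct segreg *out)
{
    if (eflags & EFLAGS_VM) { load_seg_vm86(sel, out); return 0; }
    return seg == SEG_LDTR ? load_ldtr_protected(gdt, sel, out)
                           : load_seg_protected(gdt, sel, out);
}

/* Fixed: LDTR is a protected-mode facility and is validated against the GDT
 * regardless of EFLAGS.VM; only the ordinary segment registers go real-mode. */
static int task_switch_load_fixed(const struct gdt *gdt, uint32_t eflags,
                                  enum seg seg, uint16_t sel, struct segreg *out)
{
    if (seg == SEG_LDTR) return load_ldtr_protected(gdt, sel, out);
    if (eflags & EFLAGS_VM) { load_seg_vm86(sel, out); return 0; }
    return load_seg_protected(gdt, sel, out);
}

int main(void)
{
    struct segreg r;
    int rc = task_switch_load_buggy(&example_gdt, EFLAGS_VM, SEG_LDTR, 0x0f00, &r);
    printf("buggy: rc=%d base=0x%x limit=0x%x (selector never checked)\n", rc, r.base, r.limit);
    rc = task_switch_load_fixed(&example_gdt, EFLAGS_VM, SEG_LDTR, 0x0f00, &r);
    printf("fixed: rc=%d (#GP: selector outside GDT)\n", rc);
    return 0;
}
```

The constructed selector 0x0f00 lies far outside the three-entry GDT; the buggy path still "loads" it, yielding an LDT base of 0xf000 with a 64 KiB limit, while the fixed path faults as real hardware would. Even a valid LDT selector (0x10) is mis-loaded by the buggy path, because it uses selector << 4 instead of the descriptor's base.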
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright