xen-kernel -- x86 64-bit bit test instruction emulation broken
The Xen Project reports:
The x86 instructions BT, BTC, BTR, and BTS, when used with a
destination memory operand and a source register rather than an
immediate operand, access a memory location offset from that
specified by the memory operand as specified by the high bits of
the register source.
A malicious guest can modify arbitrary memory, allowing for
arbitrary code execution (and therefore privilege escalation
affecting the whole host), a crash of the host (leading to a DoS),
or information leaks. The vulnerability is sometimes exploitable
by unprivileged guest user processes.
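The addressing rule the report refers to, written out as an added example (not code from the Xen advisory or from Xen's emulator): on x86 the register source is a signed bit offset of the operand size, so its high bits choose which operand-sized unit is touched, possibly below the named address. The names `bt_target`, `bt_resolve` and `bts_emulate` and the flat guest-memory buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Where a bit-test instruction really lands: the address of the
 * operand-sized unit accessed and the bit index inside that unit. */
struct bt_target { uint64_t addr; unsigned bit; };

/* BT/BTC/BTR/BTS, memory destination + register source: the register is a
 * signed bit offset of operand size op_bytes (2, 4 or 8); base is the
 * address named by the memory operand. */
static struct bt_target bt_resolve(uint64_t base, uint64_t reg, unsigned op_bytes)
{
    int64_t off, unit;
    struct bt_target t;

    switch (op_bytes) {                    /* sign-extend from operand size */
    case 2:  off = (int16_t)(uint16_t)reg; break;
    case 4:  off = (int32_t)(uint32_t)reg; break;
    default: off = (int64_t)reg;           break;
    }
    t.bit = (unsigned)((uint64_t)off & (op_bytes * 8u - 1)); /* low bits: bit index */
    unit = (off - (int64_t)t.bit) / (int64_t)(op_bytes * 8u); /* high bits: floor(off / bits) */
    t.addr = base + (uint64_t)unit * op_bytes;               /* may lie below base */
    return t;
}

/* BTS against a constructed flat "guest memory" buffer (little-endian bytes).
 * The range check uses the resolved address, not base. Returns the previous
 * bit value, or -1 when the resolved unit falls outside the buffer. */
static int bts_emulate(uint8_t *mem, size_t len, uint64_t base, uint64_t reg,
                       unsigned op_bytes)
{
    struct bt_target t = bt_resolve(base, reg, op_bytes);
    if (t.addr >= len || len - t.addr < op_bytes)
        return -1;
    uint8_t *byte = &mem[t.addr + t.bit / 8];
    int old = (*byte >> (t.bit % 8)) & 1;
    *byte |= (uint8_t)(1u << (t.bit % 8));
    return old;
}

int main(void)
{
    uint8_t mem[32] = {0};                 /* constructed sample memory */
    struct bt_target t = bt_resolve(16, (uint64_t)-1, 8);
    printf("offset -1 from base 16: unit at %llu, bit %u, old=%d\n",
           (unsigned long long)t.addr, t.bit,
           bts_emulate(mem, sizeof mem, 16, (uint64_t)-1, 8));
    return 0;
}
```

An emulator that validates only the address named by the memory operand, or that derives the unit from a truncated or unsigned offset, ends up checking a different location from the one it accesses.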
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright