Information leak through fbld instruction emulation
The emulation of the fbld instruction (which is used during I/O emulation) uses the wrong variable for the source effective address. As a result, the actual address used is an uninitialised bit pattern from the stack.
A malicious guest might be able to find out information about the contents of the hypervisor stack, by observing which values are actually being used by fbld and inferring what the address must have been. Depending on the actual values on the stack this attack might be very difficult to carry out.
logic error (use wrong variable)
x86: properly set up fbld emulation operand address
--- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -3156,11 +3156,11 @@ x86_emulate( break; case 4: /* fbld m80dec */ ea.bytes = 10; - dst = ea; + src = ea; if ( (rc = ops->read(src.mem.seg, src.mem.off, &src.val, src.bytes, ctxt)) != 0 ) goto done; - emulate_fpu_insn_memdst("fbld", src.val); + emulate_fpu_insn_memsrc("fbld", src.val); break; case 5: /* fild m64i */ ea.bytes = 8;
A malicious guest might conceivably gain access to sensitive data relating to other guests.