Xen Test Framework
Advisory: XSA-204
SYSCALL (unlike most instructions) evaluates its singlestep action based on the resulting EFLAGS.TF, not the starting EFLAGS.TF. As the #DB is raised after the CPL change and before the OS can switch stack, it is a large risk for privilege escalation. This is also undocumented behaviour.
This test masks TF in MSR_FMASK, enables TF and forces a SYSCALL instruction through the emulator.
If vulnerable to XSA-204, a single #DB will be raised at the start of entry_SYSCALL_64(). If not vulnerable, no #DB will be seen at all.
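The mechanism the test relies on, as an added C model written for this page rather than XTF's own test code: SYSCALL saves RFLAGS into R11, clears the bits named in MSR_FMASK, drops to CPL0, and only then decides whether to deliver a single-step #DB. The `struct cpu` fields, `syscall_singlestep` and `run_scenario` are constructed names; the flag `buggy_emulator` selects the XSA-204 behaviour (decide on the starting TF) instead of the hardware behaviour (decide on the resulting TF).

```c
#include <stdbool.h>
#include <stdint.h>

/* EFLAGS.TF is bit 8; bit 1 is the always-set reserved bit. */
#define X86_EFLAGS_TF (1u << 8)
#define X86_EFLAGS_MBS (1u << 1)

/* Minimal model of the state SYSCALL touches (constructed for this example). */
struct cpu {
    uint64_t rflags;
    uint64_t r11;
    uint64_t msr_fmask; /* MSR_FMASK: bits cleared from RFLAGS by SYSCALL */
    unsigned cpl;
};

/*
 * Model of SYSCALL's EFLAGS handling.  Hardware evaluates single-step on the
 * *resulting* TF, so a TF masked by MSR_FMASK never yields a #DB in the
 * kernel.  The XSA-204 emulator bug evaluated the *starting* TF, so the #DB
 * landed at entry_SYSCALL_64() after the CPL change and before the stack
 * switch.  Returns true if a #DB would be delivered at the first kernel
 * instruction.
 */
static bool syscall_singlestep(struct cpu *c, bool buggy_emulator)
{
    uint64_t starting = c->rflags;

    c->r11 = starting;                  /* SYSCALL: R11 <- RFLAGS */
    c->rflags = starting & ~c->msr_fmask; /* RFLAGS &= ~MSR_FMASK */
    c->cpl = 0;                         /* CPL3 -> CPL0 */

    uint64_t decisive = buggy_emulator ? starting : c->rflags;
    return (decisive & X86_EFLAGS_TF) != 0;
}

/*
 * The XSA-204 test scenario: TF set in RFLAGS at CPL3, one SYSCALL with the
 * given MSR_FMASK.  The test masks TF in MSR_FMASK, so a #DB is only seen
 * with the buggy rule.
 */
static bool run_scenario(uint64_t fmask, bool buggy_emulator)
{
    struct cpu c = {
        .rflags = X86_EFLAGS_MBS | X86_EFLAGS_TF,
        .msr_fmask = fmask,
        .cpl = 3,
    };
    return syscall_singlestep(&c, buggy_emulator);
}
```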