Xen Test Framework
XSA-454

Advisory: XSA-454

Intel and AMD both state that the upper half of the GPRs is undefined after leaving 64bit mode. Despite this, the upper halves are typically preserved until the next explicit write of the GPR, because that is the simplest implementation strategy.

At the time of XSA-454, HYPERCALL_memory_op()'s compatibility handler makes an unconditional hypercall continuation after the native handler returns, in order to simplify later logic in some subops.

This means that hypercall_xlat_continuation() can observe the preserved upper bits of the GPRs while the vCPU is in compatibility mode, and it makes some incorrect assertions about GPR state using BUG_ON().

Pick a simple subop (XENMEM_maximum_ram_page takes no argument) and set an upper bit in %rbx (which becomes the cmd parameter in Xen). This is sufficient to trigger the bad BUG_ON().

Note: The fixes for XSA-454 both truncated all registers for compatibility mode guests, and swapped the BUG_ON() for a domain_crash(). This test can't distinguish between domain_crash() and BUG_ON(), but as both patches were taken together, this shouldn't matter.
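The following is an added, constructed C model of the hazard and of the truncation half of the fix; it is not Xen's code and not the XTF test itself. The register layout, the single-bit assertion, and the subop number are assumptions of the model; the domain_crash() half of the fix is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the XSA-454 hazard; it is not Xen's code. */
#define NR_HYPERCALL_ARGS 6
#define XENMEM_maximum_ram_page 2   /* subop number as assumed for this model */

enum vcpu_mode { VCPU_NATIVE_64, VCPU_COMPAT_32 };
enum xlat_result { XLAT_OK = 0, XLAT_WOULD_BUG = -1 };

/*
 * Pre-fix continuation check: asserts that a compat vCPU's argument
 * registers have nothing set above bit 31.  A stale upper half, preserved
 * by the CPU after the guest left 64bit mode, trips that assertion; Xen
 * hit BUG_ON() where this model returns XLAT_WOULD_BUG.
 */
int xlat_continuation_prefix(enum vcpu_mode mode, uint64_t regs[NR_HYPERCALL_ARGS])
{
    if (mode == VCPU_COMPAT_32)
        for (unsigned int i = 0; i < NR_HYPERCALL_ARGS; i++)
            if (regs[i] >> 32)
                return XLAT_WOULD_BUG;
    return XLAT_OK;
}

/*
 * Post-fix continuation check: compat registers are truncated to 32 bits
 * before anything looks at them, so the stale upper half is discarded and
 * the subop number arrives intact.
 */
int xlat_continuation_fixed(enum vcpu_mode mode, uint64_t regs[NR_HYPERCALL_ARGS])
{
    if (mode == VCPU_COMPAT_32)
        for (unsigned int i = 0; i < NR_HYPERCALL_ARGS; i++)
            regs[i] = (uint32_t)regs[i];
    return XLAT_OK;
}

/* The test's scenario: XENMEM_maximum_ram_page in %rbx with bit 63 set. */
int run_xsa454_scenario(bool fixed, uint64_t *cmd_out)
{
    uint64_t regs[NR_HYPERCALL_ARGS] = { XENMEM_maximum_ram_page | (1ULL << 63) };
    int rc = fixed ? xlat_continuation_fixed(VCPU_COMPAT_32, regs)
                   : xlat_continuation_prefix(VCPU_COMPAT_32, regs);
    *cmd_out = regs[0];   /* what the handler would see as cmd */
    return rc;
}
```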

See also
tests/xsa-454/main.c