The Xen x86 emulator erroneously failed to consider the unusability
of segments when performing memory accesses.
The intended behaviour is as follows: The user data segment (%ds,
%es, %fs and %gs) selectors may be NULL in 32-bit to prevent access.
In 64-bit, NULL has a special meaning for user segments, and there
is no way of preventing access. However, in both 32-bit and 64-bit,
a NULL LDT system segment is intended to prevent access.
On Intel hardware, loading a NULL selector zeros the base as well
as most attributes, but sets the limit field to its largest possible
value. On AMD hardware, loading a NULL selector zeros the attributes,
leaving the stale base and limit intact.
Xen may erroneously permit the access using unexpected base/limit
values.
Ability to exploit this vulnerability on Intel is easy, but on AMD
depends in a complicated way on how the guest kernel manages LDTs.
An unprivileged guest user program may be able to elevate its
privilege to that of the guest operating system.