"value":"All versions of Xen are vulnerable.\n\nOnly x86 PV guests can trigger this vulnerability.\n\nTo exploit the vulnerability, there needs to be an undue delay at just\nthe wrong moment in _get_page_type(). The degree to which an x86 PV\nguest can practically control this race condition is unknown."
}
]
}
}
},
"credit":{
"credit_data":{
"description":{
"description_data":[
{
"lang":"eng",
"value":"This issue was discovered by Jann Horn of Google Project Zero."
"value":"x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited."
