FreeBSD: VID-50ac2e96-ba4d-11e6-ae1b-002590263bf5 (CVE-2016-9386): xen-kernel -- x86 null segments not always treated as unusable

The Xen Project reports: The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses. The intended behaviour is as follows: The user data segment (%ds, %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special meaning for user segments, and there is no way of preventing access. However, in both 32-bit and 64-bit, a NULL LDT system segment is intended to prevent access. On Intel hardware, loading a NULL selector zeros the base as well as most attributes, but sets the limit field to its largest possible value. On AMD hardware, loading a NULL selector zeros the attributes, leaving the stale base and limit intact. Xen may erroneously permit the access using unexpected base/limit values. Ability to exploit this vulnerability on Intel is easy, but on AMD depends in a complicated way on how the guest kernel manages LDTs. An unprivileged guest user program may be able to elevate its privilege to that of the guest operating system.