From the Fedora bugzilla:
On AMD processors supporting XSAVE/XRSTOR (family 15h and up), when an exception is pending, these instructions save/restore only the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR. This allows one domain to determine portions of the state of floating point instructions of other domains.
A malicious domain may be able to leverage this to obtain sensitive information such as cryptographic keys from another domain. (CVE-2013-2076)
Processors do certain validity checks on the data passed to XRSTOR. While the hypervisor controls the placement of that memory block, it doesn't restrict the contents in any way. Thus the hypervisor exposes itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which behaves similarly, there was no exception recovery code attached to XRSTOR.
Malicious or buggy unprivileged user space can cause the entire host to crash. (CVE-2013-2077)
Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn't check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf of the guest.
Malicious or buggy unprivileged user space can cause the entire host to crash. (CVE-2013-2078)
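The common thread in CVE-2013-2077 and CVE-2013-2078 is that the hypervisor handed guest-controlled input (an XSAVE area, an XCR0 value) straight to an instruction that faults on invalid input, with no recovery path. The defensive pattern is to validate before executing. The following C block is an added example written for this page; it is not Xen's code and not part of the bugzilla report. The checks it applies are the architectural rules for XCR0 (bit 0 must be set, AVX state requires SSE state, no bits outside what the host supports) and for the standard-form XSAVE header (XSTATE_BV must be a subset of the enabled XCR0 bits, reserved header bytes must be zero); the page itself does not enumerate which "invalid bit combinations" were involved, so treat this as an illustration of the validation step rather than a description of the actual fix. All function and macro names, and the sample XSAVE area, are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XCR0 feature bits (architectural XSAVE definition). */
#define XSTATE_FP   (1ULL << 0)   /* x87 state: must always be enabled   */
#define XSTATE_SSE  (1ULL << 1)   /* SSE (XMM) state                      */
#define XSTATE_YMM  (1ULL << 2)   /* AVX (YMM) state: requires SSE        */

/* Layout of the standard-form XSAVE area (constructed constants). */
#define XSAVE_AREA_SIZE   4096
#define XSAVE_HDR_OFFSET  512     /* 64-byte header follows the legacy region */
#define XSAVE_HDR_SIZE    64

/*
 * Reject an XCR0 value the processor would fault on if passed to XSETBV.
 * host_mask is the set of state components the host itself supports.
 */
bool xcr0_is_valid(uint64_t xcr0, uint64_t host_mask)
{
    if (xcr0 & ~host_mask)                          /* unsupported or reserved bit */
        return false;
    if (!(xcr0 & XSTATE_FP))                        /* x87 bit may not be cleared  */
        return false;
    if ((xcr0 & XSTATE_YMM) && !(xcr0 & XSTATE_SSE)) /* AVX without SSE is invalid */
        return false;
    return true;
}

/*
 * Validate the header of a guest-supplied XSAVE area before XRSTOR.
 * xcr0 is the value currently enabled for this guest.
 */
bool xsave_area_is_valid(const uint8_t *area, uint64_t xcr0)
{
    uint64_t xstate_bv;
    memcpy(&xstate_bv, area + XSAVE_HDR_OFFSET, sizeof xstate_bv);

    if (xstate_bv & ~xcr0)                          /* component not enabled in XCR0 */
        return false;

    /* Bytes 8..63 of the header are reserved and must be zero. */
    for (size_t i = sizeof xstate_bv; i < XSAVE_HDR_SIZE; i++)
        if (area[XSAVE_HDR_OFFSET + i] != 0)
            return false;
    return true;
}

/*
 * Build a constructed XSAVE area with the given XSTATE_BV and, optionally,
 * one non-zero byte in the reserved part of the header, then validate it.
 */
bool check_constructed_area(uint64_t xstate_bv, bool poison_reserved, uint64_t xcr0)
{
    static uint8_t area[XSAVE_AREA_SIZE];
    memset(area, 0, sizeof area);
    memcpy(area + XSAVE_HDR_OFFSET, &xstate_bv, sizeof xstate_bv);
    if (poison_reserved)
        area[XSAVE_HDR_OFFSET + 16] = 0x5a;        /* constructed bad byte */
    return xsave_area_is_valid(area, xcr0);
}

int main(void)
{
    const uint64_t host = XSTATE_FP | XSTATE_SSE | XSTATE_YMM;

    printf("FP|SSE       -> %s\n", xcr0_is_valid(XSTATE_FP | XSTATE_SSE, host) ? "ok" : "reject");
    printf("SSE only     -> %s\n", xcr0_is_valid(XSTATE_SSE, host) ? "ok" : "reject");
    printf("FP|YMM       -> %s\n", xcr0_is_valid(XSTATE_FP | XSTATE_YMM, host) ? "ok" : "reject");
    printf("reserved bit -> %s\n", xcr0_is_valid(host | (1ULL << 63), host) ? "ok" : "reject");

    printf("area: BV subset of XCR0   -> %s\n",
           check_constructed_area(XSTATE_FP | XSTATE_SSE, false, host) ? "ok" : "reject");
    printf("area: BV exceeds XCR0     -> %s\n",
           check_constructed_area(host, false, XSTATE_FP | XSTATE_SSE) ? "ok" : "reject");
    printf("area: reserved byte set   -> %s\n",
           check_constructed_area(XSTATE_FP, true, host) ? "ok" : "reject");
    return 0;
}
```

The point of separating the check from the instruction is that a rejected value can be turned into a guest-visible error (the fault the guest would have taken on bare metal) instead of a host-side fault with no handler.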