https://xenbits.xen.org/xsa/advisory-454.html

x86 HVM hypercalls may trigger Xen bug check

ISSUE DESCRIPTION
=================

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes.  This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers.  For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.

Unfortunately internal sanity checking of these translated values
assumes high halves of registers to always be clear when invoking a
hypercall.  When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.

IMPACT
======

A HVM or PVH guest can cause a hypervisor crash, causing a Denial of
Service (DoS) of the entire host.


https://xenbits.xen.org/xsa/advisory-455.html

x86: Incorrect logic for BTC/SRSO mitigations


ISSUE DESCRIPTION
=================

Because of a logical error in XSA-407 (Branch Type Confusion), the
mitigation is not applied properly when it is intended to be used.
XSA-434 (Speculative Return Stack Overflow) uses the same
infrastructure, so is equally impacted.

For more details, see:
  https://xenbits.xen.org/xsa/advisory-407.html
  https://xenbits.xen.org/xsa/advisory-434.html

IMPACT
======

XSAs 407 and 434 are unmitigated, even when the patches are in place.