We have discovered two bugs in the code unmapping grant references.
* When a grant had been mapped twice by a backend domain, and then
unmapped by two concurrent unmap calls, the frontend may be informed
that the page had no further mappings when the first call completed rather
than when the second call completed.
* A race triggerable by an unprivileged guest could cause a grant
maptrack entry for grants to be "freed" twice. The ultimate effect of
this would be for maptrack entries for a single domain to be re-used.
For the first issue, for a short window of time, a malicious backend
could still read and write memory that the frontend thought was its
own again. Depending on the usage, this could be either an
information leak, or a backend-to-frontend privilege escalation.
The second issue is more difficult to analyze. It can probably cause
reference counts to leak, preventing memory from being freed on domain
destruction (denial-of-service), but information leakage or host
privilege escalation cannot be ruled out.
All versions of Xen are vulnerable.
Both ARM and x86 are vulnerable.
On x86, systems with either PV or HVM guests are vulnerable.
Name: the Xen project
Upstream: Jann Horn (Google)
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1463247]