The grant unmapping hypercall (GNTTABOP_unmap_grant_ref) is not a
simple revert of the changes done by the grant mapping hypercall
(GNTTABOP_map_grant_ref).
Instead, it is possible to partially (or even not) clear some flags.
This will leave the grant is mapped until a future call where all
the flags would be cleared.
XSA-380 introduced a refcounting that is meant to only be dropped
when the grant is fully unmapped. Unfortunately, unmap_common() will
decrement the refcount for every successful call.
A consequence is a domain would be able to underflow the refcount
and trigger a BUG().
Looking at the code, it is not clear to me why a domain would
want to partially clear some flags in the grant-table. But as
this is part of the ABI, it is better to not change the behavior
for now.
Fix it by checking if the maptrack handle has been released before
decrementing the refcounting.
This is CVE-2022-23034 / XSA-394.
Fixes: 9781b51efde2 ("gnttab: replace mapkind()")
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
if ( put_handle )
put_maptrack_handle(lgt, op->handle);
- /* See the respective comment in map_grant_ref(). */
- if ( rc == GNTST_okay && ld != rd && gnttab_need_iommu_mapping(ld) )
+ /*
+ * map_grant_ref() will only increment the refcount (and update the
+ * IOMMU) once per mapping. So we only want to decrement it once the
+ * maptrack handle has been put, alongside the further IOMMU update.
+ *
+ * For the second and third check, see the respective comment in
+ * map_grant_ref().
+ */
+ if ( put_handle && ld != rd && gnttab_need_iommu_mapping(ld) )
{
void **slot;
union maptrack_node node;
projects / xen.git / commitdiff