Linux Kernel Grant Reference Leak Vulnerability in Xen Grant Device

Vulnerability

A vulnerability in the Linux kernel's handling of grant mappings in the Xen grant device (gntdev) can leak grant references. The issue arises when a grant mapping operation fails partially: some entries in the map_ops array are then invalid while all entries in the kmap_ops array remain valid. The accounting in the gntdev_map_grant_pages function does not anticipate this mixed state and mismanages the live_grants counter, which tracks active grant references. In Qubes OS v4.1, the bug manifests as kernel warning messages about pending grant references, particularly after rapid resizing of GUI VM windows, because the grant mappings created during such actions are handled improperly.

Impact

The vulnerability causes grant references to be leaked, which can lead to undefined behavior in the system. In Qubes OS v4.1, this leakage disrupts the X11 GUI isolation by leaving pending grant references that should have been cleared, especially after rapid window resizing actions.

Reproduction

To reproduce this vulnerability, grant pages can be mapped from a virtual machine (VM) to the dom0 (administrative domain) while using Qubes OS v4.1. After granting the pages, the VM windows can be rapidly resized, which causes some of the grant-mapping operations to fail. This partial failure can be observed through warning messages in the Linux kernel, indicating that grant references are still pending, despite the expectation that they should have been cleared.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version of the kernel where this issue has been fixed.

Added: Sep 15, 2025, 3:49 PM
Updated: Sep 15, 2025, 3:49 PM

Vulnerability Rating

Custom Algorithm
spread:         9.0
impact:         0.0
exploitability: 4.3
remediation:    7.7
relevance:      0.5
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.