Linux Kernel Xen gntdev Driver VMA Splitting Vulnerability

Vulnerability

A vulnerability in the Linux kernel's gntdev driver (the /dev/xen/gntdev interface through which a user process maps grant references exported by another Xen domain) has been addressed. It affects paravirtualized (PV) Xen domains. The issue arose when a user process created a single gntdev mapping of two pages shared by another domain and then unmapped them one after the other before exiting. Unmapping only the first page splits the virtual memory area (VMA) backing the mapping, so one gntdev mapping becomes associated with more than one VMA; the driver assumed a one-to-one relationship between mappings and VMAs and mishandled the page-table cleanup, causing the kernel to log a 'bad page map' error. The fix changes the gntdev driver to accommodate VMA splitting, so that the granted pages are tracked and unmapped correctly regardless of how the user process carves up the mapping.

Impact

Improper unmapping of the grant pages leaves granted page-table entries behind in the affected PV domain. When the Xen hypervisor is built with debug support it reports the attempt to implicitly unmap a granted PTE, and the domain takes a general protection fault. Any process that can open /dev/xen/gntdev and obtain two grant references from another domain can trigger the sequence, so the practical effect is a crash of the guest kernel.

Reproduction

To reproduce the vulnerability, create one gntdev mapping containing two grant mappings (two pages) shared by another Xen domain and mmap() it into the process. Then munmap() the first page, munmap() the second page, and exit the process. On an unpatched kernel in a PV domain the kernel logs a 'bad page map' error for the munmap() calls, and a debug build of the Xen hypervisor reports an attempt to implicitly unmap a granted PTE, ending in a general protection fault in the domain.

Remediation

Upgrade to a Linux kernel release that includes the gntdev fix accommodating VMA splitting. Until the kernel is updated, limit access to /dev/xen/gntdev to trusted processes, since triggering the fault requires opening the device and mapping grants from another domain.

Added: Oct 4, 2025, 8:03 PM
Updated: Oct 4, 2025, 8:03 PM

Vulnerability Rating (custom algorithm)

spread          9.0
impact          2.5
exploitability  4.3
remediation     7.7
relevance       0.6
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.