CVE-2013-1964
http://xenbits.xen.org/xsa/advisory-50.html
grant table hypercall acquire/release imbalance
When releasing a non-v1 non-transitive grant after doing a grant copy operation, Xen incorrectly recurses (as if for a transitive grant) and releases an unrelated grant reference.
logic error (incorrect recursion?)
http://xenbits.xen.org/xsa/xsa50-4.1.patch
Fix rcu domain locking for transitive grants
When acquiring a transitive grant for copy then the owning domain needs to be locked down as well as the granting domain. This was being done, but the unlocking was not. The acquire code now stores the struct domain * of the owning domain (rather than the domid) in the active entry in the granting domain. The release code then does the unlock on the owning domain. Note that I believe I also fixed a bug where, for non-transitive grants the active entry contained a reference to the acquiring domain rather than the granting domain. From my reading of the code this would stop the release code for transitive grants from terminating its recursion correctly.
A malicious guest administrator can cause undefined behaviour; depending on the dom0 kernel a host crash is possible
DoS