CVE-2013-1432
http://xenbits.xen.org/xsa/advisory-58.html
Page reference counting error due to XSA-45/CVE-2013-1918 fixes
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the page still in use.
improper error handling (page ref count error)
http://xenbits.xen.org/xsa/xsa58-4.2.patch
x86: fix page refcount handling in page table pin error path
In the original patch 7 of the series addressing XSA-45 I mistakenly took the addition of the call to get_page_light() in alloc_page_type() to cover two decrements that would happen: One for the PGT_partial bit that is getting set along with the call, and the other for the page reference the caller hold (and would be dropping on its error path). But of course the additional page reference is tied to the PGT_partial bit, and hence any caller of a function that may leave ->arch.old_guest_table non-NULL for error cleanup purposes has to make sure a respective page reference gets retained.
Similar issues were then also spotted elsewhere: In effect all callers of get_page_type_preemptible() need to deal with errors in similar ways. To make sure error handling can work this way without leaking page references, a respective assertion gets added to that function.
Malicious or buggy PV guest kernels can mount a denial of service attack affecting the whole system.
DoS