grant table entry swaps have inadequate bounds checking

The grant table hypercall’s GNTTABOP_swap_grant_ref sub-operation does not perform adequate checks on the input grant references.

lack of check (bound check)



xen/gnttab: Validate input to GNTTABOP_swap_grant_ref

this introduces a new GNTTABOP to swap grant refs. However, it fails to validate the two refs passed from the guest.

The result is that passing out-of-range refs can cause Xen to read past the end of the grant_table->active[] array, and deference whatever it finds. Typically, this results in Xen trying to deference a low pointer and fail with a page-fault.

--- a/xen/common/grant_table.c  Wed Sep 05 12:29:52 2012 +0100
+++ b/xen/common/grant_table.c  Wed Sep 05 12:30:26 2012 +0100
@@ -2339,6 +2339,12 @@ __gnttab_swap_grant_ref(grant_ref_t ref_
+    /* Bounds check on the grant refs */
+    if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+        PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
+    if ( unlikely(ref_b >= nr_grant_entries(d->grant_table)))
+        PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-b (%d).\n", ref_b);
     act = &active_entry(gt, ref_a);
     if ( act->pin )
         PIN_FAIL(out, GNTST_eagain, "ref a %ld busy\n", (long)ref_a);


A malicious guest kernel or administrator can crash the host.

It may be possible for an attacker to swap a valid grant reference, which they control, with an invalid one allowing them to write abitrary values to hypervisor memory. This could potentially lead to a privilege escalation.

DoS, privilege escalation