Grant table version switch list corruption vulnerability
Downgrading the grant table version of a guest involves freeing its status pages. This freeing was incomplete - the page(s) are freed back to the allocator, but not removed from the domain’s tracking list. This would cause list corruption, eventually leading to a hypervisor crash.
gnttab: fix releasing of memory upon switches between versions
gnttab_unpopulate_status_frames() incompletely freed the pages previously used as status frame in that they did not get removed from the domain’s xenpage_list, thus causing subsequent list corruption when those pages did get allocated again for the same or another purpose.
Similarly, grant_table_create() and gnttab_grow_table() both improperly clean up in the event of an error - pages already shared with the guest can’t be freed by just passing them to free_xenheap_page(). Fix this by sharing the pages only after all allocations succeeded.
A malicious guest administrator can cause Xen to crash, leading to a denial of service attack.