CVE-2022-50257
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50257
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50257.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-50257
- Downstream
- Related
- Published
- 2025-09-15T14:02:42Z
- Modified
- 2025-10-16T09:55:06.738535Z
- Summary
- xen/gntdev: Prevent leaking grants
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
xen/gntdev: Prevent leaking grants
Prior to this commit, if a grant mapping operation failed partially, some of the entries in the mapops array would be invalid, whereas all of the entries in the kmapops array would be valid. This in turn would cause the following logic in gntdevmapgrant_pages to become invalid:
for (i = 0; i < map->count; i++) { if (map->mapops[i].status == GNTSTokay) { map->unmapops[i].handle = map->mapops[i].handle; if (!useptemod) alloced++; } if (useptemod) { if (map->kmapops[i].status == GNTSTokay) { if (map->mapops[i].status == GNTSTokay) alloced++; map->kunmapops[i].handle = map->kmapops[i].handle; } } } ... atomicadd(alloced, &map->livegrants);
Assume that useptemod is true (i.e., the domain mapping the granted pages is a paravirtualized domain). In the code excerpt above, note that the "alloced" variable is only incremented when both kmapops[i].status and mapops[i].status are set to GNTSTokay (i.e., both mapping operations are successful). However, as also noted above, there are cases where a grant mapping operation fails partially, breaking the assumption of the code excerpt above.
The aforementioned causes map->livegrants to be incorrectly set. In some cases, all of the mapops mappings fail, but all of the kmapops mappings succeed, meaning that livegrants may remain zero. This in turn makes it impossible to unmap the successfully grant-mapped pages pointed to by kmapops, because unmapgrant_pages has the following snippet of code at its beginning:
if (atomicread(&map->livegrants) == 0) return; /* Nothing to do */
In other cases where only some of the mapops mappings fail but all kmapops mappings succeed, livegrants is made positive, but when the user requests unmapping the grant-mapped pages, _unmapgrantpagesdone will then make map->livegrants negative, because the latter function does not check if all of the pages that were requested to be unmapped were actually unmapped, and the same function unconditionally subtracts "data->count" (i.e., a value that can be greater than map->livegrants) from map->livegrants. The side effects of a negative live_grants value have not been studied.
The net effect of all of this is that grant references are leaked in one of the above conditions. In Qubes OS v4.1 (which uses Xen's grant mechanism extensively for X11 GUI isolation), this issue manifests itself with warning messages like the following to be printed out by the Linux kernel in the VM that had granted pages (that contain X11 GUI window data) to dom0: "g.e. 0x1234 still pending", especially after the user rapidly resizes GUI VM windows (causing some grant-mapping operations to partially or completely fail, due to the fact that the VM unshares some of the pages as part of the window resizing, making the pages impossible to grant-map from dom0).
The fix for this issue involves counting all successful mapops and kmapops mappings separately, and then adding the sum to livegrants. During unmapping, only the number of successfully unmapped grants is subtracted from livegrants. The code is also modified to check for negative live_grants values after the subtraction and warn the user.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0991028cd49567d7016d1b224fe0117c35059f86
- https://git.kernel.org/stable/c/0bccddd9b8f03ad57bb738f0d3da8845d4e1e579
- https://git.kernel.org/stable/c/1cb73704cb4778299609634a790a80daba582f7d
- https://git.kernel.org/stable/c/273f6a4f71be12e2ec80a4919837d6e4fa933a04
- https://git.kernel.org/stable/c/3d056d81b93a787613eda44aeb21fc14c3392b34
- https://git.kernel.org/stable/c/49bb053b1ec367b6883030eb2cca696e91435679
- https://git.kernel.org/stable/c/49db6cb81400ba863e1a85e55fcdf1031807c23f
- https://git.kernel.org/stable/c/b043f2cab100bed3e0a999dcf38cc05b1e4a7e41
- https://git.kernel.org/stable/c/cb1ccfe7655380f77a58b340072f5f40bc285902
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced36cd49b071fceca70326d9db786aa15e9fffd677Fixedb043f2cab100bed3e0a999dcf38cc05b1e4a7e41
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2fe26a9a70482bea7827803fdec98050fec68b20Fixed49bb053b1ec367b6883030eb2cca696e91435679
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced73e9e72247b98da65bc32d41a961e820cca5f503Fixedcb1ccfe7655380f77a58b340072f5f40bc285902
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedee25841221c17228cbd30262a90f3b03ad80cdf6Fixed3d056d81b93a787613eda44aeb21fc14c3392b34
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced79963021fd718b74bed4cbc98f5f49d3ba6fb48cFixed49db6cb81400ba863e1a85e55fcdf1031807c23f
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced87a54feba68f5e47925c8e49100db9b2a8add761Fixed1cb73704cb4778299609634a790a80daba582f7d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddbe97cff7dd9f0f75c524afdd55ad46be3d15295Fixed0bccddd9b8f03ad57bb738f0d3da8845d4e1e579
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddbe97cff7dd9f0f75c524afdd55ad46be3d15295Fixed273f6a4f71be12e2ec80a4919837d6e4fa933a04
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddbe97cff7dd9f0f75c524afdd55ad46be3d15295Fixed0991028cd49567d7016d1b224fe0117c35059f86
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedd4a49d20cd7cdb6bd075cd04c2cd00a7eba907ed
Affected versions
v2.*
v3.*
v4.*
v5.*
v6.*
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.9.332
- Type
- ECOSYSTEM
- Events
-
Introduced4.10.0Fixed4.14.298
- Type
- ECOSYSTEM
- Events
-
Introduced4.15.0Fixed4.19.264
- Type
- ECOSYSTEM
- Events
-
Introduced4.20.0Fixed5.4.223
- Type
- ECOSYSTEM
- Events
-
Introduced5.5.0Fixed5.10.153
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.75
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed5.19.17
- Type
- ECOSYSTEM
- Events
-
Introduced5.19.0Fixed6.0.3