On 09.12.25 11:41, Demi Marie Obenour wrote:
On 12/8/25 14:51, Ariadne Conill wrote:We need to do this so that we can signal to the other end that the device is being removed, so that it will release its claim on the underlying memory allocation. Otherwise releasing the grant-table entries is deferred resulting in a kernel oops since the pages have already been freed.I don't think this is sufficient. The backend can simply refuse to release the grants. The frontend needs to ensure that the pages are not freed until the grant table entries are freed. Right now, the backend can cause a use-after-free in the frontend, and my understanding of the Xen Project's security policy is that this is a security vulnerability in the frontend code. My instinct is that the core Xen code should take a reference on each page before granting it to another domain, and not release that reference until the pages are no longer granted. This should prevent any use-after-free problems if I understand Linux core MM correctly.
I looked at this in detail now. I don't think we have a security bug right now, but the interfaces regarding granting pages to other domains should probably be reworked like you suggest. Currently it is the caller who needs to handle page references correctly, while this should be done by the grant handling (having to either issue get_page() or to pass NULL for the page pointer, in case you don't want the underlying page to be freed by gnttab_end_foreign_access(), is far from intuitive). Juergen
OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
