CVE-2022-50257 (GCVE-0-2022-50257)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:02 – Updated: 2025-09-15 14:02
VLAI?
Title
xen/gntdev: Prevent leaking grants
Summary
In the Linux kernel, the following vulnerability has been resolved: xen/gntdev: Prevent leaking grants Prior to this commit, if a grant mapping operation failed partially, some of the entries in the map_ops array would be invalid, whereas all of the entries in the kmap_ops array would be valid. This in turn would cause the following logic in gntdev_map_grant_pages to become invalid: for (i = 0; i < map->count; i++) { if (map->map_ops[i].status == GNTST_okay) { map->unmap_ops[i].handle = map->map_ops[i].handle; if (!use_ptemod) alloced++; } if (use_ptemod) { if (map->kmap_ops[i].status == GNTST_okay) { if (map->map_ops[i].status == GNTST_okay) alloced++; map->kunmap_ops[i].handle = map->kmap_ops[i].handle; } } } ... atomic_add(alloced, &map->live_grants); Assume that use_ptemod is true (i.e., the domain mapping the granted pages is a paravirtualized domain). In the code excerpt above, note that the "alloced" variable is only incremented when both kmap_ops[i].status and map_ops[i].status are set to GNTST_okay (i.e., both mapping operations are successful). However, as also noted above, there are cases where a grant mapping operation fails partially, breaking the assumption of the code excerpt above. The aforementioned causes map->live_grants to be incorrectly set. In some cases, all of the map_ops mappings fail, but all of the kmap_ops mappings succeed, meaning that live_grants may remain zero. This in turn makes it impossible to unmap the successfully grant-mapped pages pointed to by kmap_ops, because unmap_grant_pages has the following snippet of code at its beginning: if (atomic_read(&map->live_grants) == 0) return; /* Nothing to do */ In other cases where only some of the map_ops mappings fail but all kmap_ops mappings succeed, live_grants is made positive, but when the user requests unmapping the grant-mapped pages, __unmap_grant_pages_done will then make map->live_grants negative, because the latter function does not check if all of the pages that were requested to be unmapped were actually unmapped, and the same function unconditionally subtracts "data->count" (i.e., a value that can be greater than map->live_grants) from map->live_grants. The side effects of a negative live_grants value have not been studied. The net effect of all of this is that grant references are leaked in one of the above conditions. In Qubes OS v4.1 (which uses Xen's grant mechanism extensively for X11 GUI isolation), this issue manifests itself with warning messages like the following to be printed out by the Linux kernel in the VM that had granted pages (that contain X11 GUI window data) to dom0: "g.e. 0x1234 still pending", especially after the user rapidly resizes GUI VM windows (causing some grant-mapping operations to partially or completely fail, due to the fact that the VM unshares some of the pages as part of the window resizing, making the pages impossible to grant-map from dom0). The fix for this issue involves counting all successful map_ops and kmap_ops mappings separately, and then adding the sum to live_grants. During unmapping, only the number of successfully unmapped grants is subtracted from live_grants. The code is also modified to check for negative live_grants values after the subtraction and warn the user.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 36cd49b071fceca70326d9db786aa15e9fffd677 , < b043f2cab100bed3e0a999dcf38cc05b1e4a7e41 (git)
Affected: 2fe26a9a70482bea7827803fdec98050fec68b20 , < 49bb053b1ec367b6883030eb2cca696e91435679 (git)
Affected: 73e9e72247b98da65bc32d41a961e820cca5f503 , < cb1ccfe7655380f77a58b340072f5f40bc285902 (git)
Affected: ee25841221c17228cbd30262a90f3b03ad80cdf6 , < 3d056d81b93a787613eda44aeb21fc14c3392b34 (git)
Affected: 79963021fd718b74bed4cbc98f5f49d3ba6fb48c , < 49db6cb81400ba863e1a85e55fcdf1031807c23f (git)
Affected: 87a54feba68f5e47925c8e49100db9b2a8add761 , < 1cb73704cb4778299609634a790a80daba582f7d (git)
Affected: dbe97cff7dd9f0f75c524afdd55ad46be3d15295 , < 0bccddd9b8f03ad57bb738f0d3da8845d4e1e579 (git)
Affected: dbe97cff7dd9f0f75c524afdd55ad46be3d15295 , < 273f6a4f71be12e2ec80a4919837d6e4fa933a04 (git)
Affected: dbe97cff7dd9f0f75c524afdd55ad46be3d15295 , < 0991028cd49567d7016d1b224fe0117c35059f86 (git)
Affected: d4a49d20cd7cdb6bd075cd04c2cd00a7eba907ed (git)
Create a notification for this product.
    Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 4.9.332 , ≤ 4.9.* (semver)
Unaffected: 4.14.298 , ≤ 4.14.* (semver)
Unaffected: 4.19.264 , ≤ 4.19.* (semver)
Unaffected: 5.4.223 , ≤ 5.4.* (semver)
Unaffected: 5.10.153 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/gntdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b043f2cab100bed3e0a999dcf38cc05b1e4a7e41",
              "status": "affected",
              "version": "36cd49b071fceca70326d9db786aa15e9fffd677",
              "versionType": "git"
            },
            {
              "lessThan": "49bb053b1ec367b6883030eb2cca696e91435679",
              "status": "affected",
              "version": "2fe26a9a70482bea7827803fdec98050fec68b20",
              "versionType": "git"
            },
            {
              "lessThan": "cb1ccfe7655380f77a58b340072f5f40bc285902",
              "status": "affected",
              "version": "73e9e72247b98da65bc32d41a961e820cca5f503",
              "versionType": "git"
            },
            {
              "lessThan": "3d056d81b93a787613eda44aeb21fc14c3392b34",
              "status": "affected",
              "version": "ee25841221c17228cbd30262a90f3b03ad80cdf6",
              "versionType": "git"
            },
            {
              "lessThan": "49db6cb81400ba863e1a85e55fcdf1031807c23f",
              "status": "affected",
              "version": "79963021fd718b74bed4cbc98f5f49d3ba6fb48c",
              "versionType": "git"
            },
            {
              "lessThan": "1cb73704cb4778299609634a790a80daba582f7d",
              "status": "affected",
              "version": "87a54feba68f5e47925c8e49100db9b2a8add761",
              "versionType": "git"
            },
            {
              "lessThan": "0bccddd9b8f03ad57bb738f0d3da8845d4e1e579",
              "status": "affected",
              "version": "dbe97cff7dd9f0f75c524afdd55ad46be3d15295",
              "versionType": "git"
            },
            {
              "lessThan": "273f6a4f71be12e2ec80a4919837d6e4fa933a04",
              "status": "affected",
              "version": "dbe97cff7dd9f0f75c524afdd55ad46be3d15295",
              "versionType": "git"
            },
            {
              "lessThan": "0991028cd49567d7016d1b224fe0117c35059f86",
              "status": "affected",
              "version": "dbe97cff7dd9f0f75c524afdd55ad46be3d15295",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d4a49d20cd7cdb6bd075cd04c2cd00a7eba907ed",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/gntdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.332",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.298",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.264",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.332",
                  "versionStartIncluding": "4.9.322",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.298",
                  "versionStartIncluding": "4.14.287",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.264",
                  "versionStartIncluding": "4.19.251",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.223",
                  "versionStartIncluding": "5.4.204",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.153",
                  "versionStartIncluding": "5.10.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.15.51",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/gntdev: Prevent leaking grants\n\nPrior to this commit, if a grant mapping operation failed partially,\nsome of the entries in the map_ops array would be invalid, whereas all\nof the entries in the kmap_ops array would be valid. This in turn would\ncause the following logic in gntdev_map_grant_pages to become invalid:\n\n  for (i = 0; i \u003c map-\u003ecount; i++) {\n    if (map-\u003emap_ops[i].status == GNTST_okay) {\n      map-\u003eunmap_ops[i].handle = map-\u003emap_ops[i].handle;\n      if (!use_ptemod)\n        alloced++;\n    }\n    if (use_ptemod) {\n      if (map-\u003ekmap_ops[i].status == GNTST_okay) {\n        if (map-\u003emap_ops[i].status == GNTST_okay)\n          alloced++;\n        map-\u003ekunmap_ops[i].handle = map-\u003ekmap_ops[i].handle;\n      }\n    }\n  }\n  ...\n  atomic_add(alloced, \u0026map-\u003elive_grants);\n\nAssume that use_ptemod is true (i.e., the domain mapping the granted\npages is a paravirtualized domain). In the code excerpt above, note that\nthe \"alloced\" variable is only incremented when both kmap_ops[i].status\nand map_ops[i].status are set to GNTST_okay (i.e., both mapping\noperations are successful).  However, as also noted above, there are\ncases where a grant mapping operation fails partially, breaking the\nassumption of the code excerpt above.\n\nThe aforementioned causes map-\u003elive_grants to be incorrectly set. In\nsome cases, all of the map_ops mappings fail, but all of the kmap_ops\nmappings succeed, meaning that live_grants may remain zero. This in turn\nmakes it impossible to unmap the successfully grant-mapped pages pointed\nto by kmap_ops, because unmap_grant_pages has the following snippet of\ncode at its beginning:\n\n  if (atomic_read(\u0026map-\u003elive_grants) == 0)\n    return; /* Nothing to do */\n\nIn other cases where only some of the map_ops mappings fail but all\nkmap_ops mappings succeed, live_grants is made positive, but when the\nuser requests unmapping the grant-mapped pages, __unmap_grant_pages_done\nwill then make map-\u003elive_grants negative, because the latter function\ndoes not check if all of the pages that were requested to be unmapped\nwere actually unmapped, and the same function unconditionally subtracts\n\"data-\u003ecount\" (i.e., a value that can be greater than map-\u003elive_grants)\nfrom map-\u003elive_grants. The side effects of a negative live_grants value\nhave not been studied.\n\nThe net effect of all of this is that grant references are leaked in one\nof the above conditions. In Qubes OS v4.1 (which uses Xen\u0027s grant\nmechanism extensively for X11 GUI isolation), this issue manifests\nitself with warning messages like the following to be printed out by the\nLinux kernel in the VM that had granted pages (that contain X11 GUI\nwindow data) to dom0: \"g.e. 0x1234 still pending\", especially after the\nuser rapidly resizes GUI VM windows (causing some grant-mapping\noperations to partially or completely fail, due to the fact that the VM\nunshares some of the pages as part of the window resizing, making the\npages impossible to grant-map from dom0).\n\nThe fix for this issue involves counting all successful map_ops and\nkmap_ops mappings separately, and then adding the sum to live_grants.\nDuring unmapping, only the number of successfully unmapped grants is\nsubtracted from live_grants. The code is also modified to check for\nnegative live_grants values after the subtraction and warn the user."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T14:02:42.986Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b043f2cab100bed3e0a999dcf38cc05b1e4a7e41"
        },
        {
          "url": "https://git.kernel.org/stable/c/49bb053b1ec367b6883030eb2cca696e91435679"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb1ccfe7655380f77a58b340072f5f40bc285902"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d056d81b93a787613eda44aeb21fc14c3392b34"
        },
        {
          "url": "https://git.kernel.org/stable/c/49db6cb81400ba863e1a85e55fcdf1031807c23f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cb73704cb4778299609634a790a80daba582f7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bccddd9b8f03ad57bb738f0d3da8845d4e1e579"
        },
        {
          "url": "https://git.kernel.org/stable/c/273f6a4f71be12e2ec80a4919837d6e4fa933a04"
        },
        {
          "url": "https://git.kernel.org/stable/c/0991028cd49567d7016d1b224fe0117c35059f86"
        }
      ],
      "title": "xen/gntdev: Prevent leaking grants",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50257",
    "datePublished": "2025-09-15T14:02:42.986Z",
    "dateReserved": "2025-09-15T13:58:00.973Z",
    "dateUpdated": "2025-09-15T14:02:42.986Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.