Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

CVE-2022-50257

PUBLISHED 15.09.2025

CNA: Linux

xen/gntdev: Prevent leaking grants

Обновлено: 15.09.2025
In the Linux kernel, the following vulnerability has been resolved: xen/gntdev: Prevent leaking grants Prior to this commit, if a grant mapping operation failed partially, some of the entries in the map_ops array would be invalid, whereas all of the entries in the kmap_ops array would be valid. This in turn would cause the following logic in gntdev_map_grant_pages to become invalid: for (i = 0; i < map->count; i++) { if (map->map_ops[i].status == GNTST_okay) { map->unmap_ops[i].handle = map->map_ops[i].handle; if (!use_ptemod) alloced++; } if (use_ptemod) { if (map->kmap_ops[i].status == GNTST_okay) { if (map->map_ops[i].status == GNTST_okay) alloced++; map->kunmap_ops[i].handle = map->kmap_ops[i].handle; } } } ... atomic_add(alloced, &map->live_grants); Assume that use_ptemod is true (i.e., the domain mapping the granted pages is a paravirtualized domain). In the code excerpt above, note that the "alloced" variable is only incremented when both kmap_ops[i].status and map_ops[i].status are set to GNTST_okay (i.e., both mapping operations are successful). However, as also noted above, there are cases where a grant mapping operation fails partially, breaking the assumption of the code excerpt above. The aforementioned causes map->live_grants to be incorrectly set. In some cases, all of the map_ops mappings fail, but all of the kmap_ops mappings succeed, meaning that live_grants may remain zero. This in turn makes it impossible to unmap the successfully grant-mapped pages pointed to by kmap_ops, because unmap_grant_pages has the following snippet of code at its beginning: if (atomic_read(&map->live_grants) == 0) return; /* Nothing to do */ In other cases where only some of the map_ops mappings fail but all kmap_ops mappings succeed, live_grants is made positive, but when the user requests unmapping the grant-mapped pages, __unmap_grant_pages_done will then make map->live_grants negative, because the latter function does not check if all of the pages that were requested to be unmapped were actually unmapped, and the same function unconditionally subtracts "data->count" (i.e., a value that can be greater than map->live_grants) from map->live_grants. The side effects of a negative live_grants value have not been studied. The net effect of all of this is that grant references are leaked in one of the above conditions. In Qubes OS v4.1 (which uses Xen's grant mechanism extensively for X11 GUI isolation), this issue manifests itself with warning messages like the following to be printed out by the Linux kernel in the VM that had granted pages (that contain X11 GUI window data) to dom0: "g.e. 0x1234 still pending", especially after the user rapidly resizes GUI VM windows (causing some grant-mapping operations to partially or completely fail, due to the fact that the VM unshares some of the pages as part of the window resizing, making the pages impossible to grant-map from dom0). The fix for this issue involves counting all successful map_ops and kmap_ops mappings separately, and then adding the sum to live_grants. During unmapping, only the number of successfully unmapped grants is subtracted from live_grants. The code is also modified to check for negative live_grants values after the subtraction and warn the user.

БДУ ФСТЭК

Идентификатор Описание
BDU:2026-08845 Уязвимость функций gntdev_map_grant_pages() и __unmap_grant_pages_done() модуля drivers/xen/gntdev.c драйвера устройств кадрового буфера ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Вероятность Severity Процентиль ? Дата расчёта
0.02% LOW 5.67 23.05.2026

Доп. Информация

Product Status

Linux
Product: Linux
Vendor: Linux
Default status: unaffected
Версии:
Затронутые версии Статус
Наблюдалось в версиях от 36cd49b071fceca70326d9db786aa15e9fffd677 до b043f2cab100bed3e0a999dcf38cc05b1e4a7e41 affected
Наблюдалось в версиях от 2fe26a9a70482bea7827803fdec98050fec68b20 до 49bb053b1ec367b6883030eb2cca696e91435679 affected
Наблюдалось в версиях от 73e9e72247b98da65bc32d41a961e820cca5f503 до cb1ccfe7655380f77a58b340072f5f40bc285902 affected
Наблюдалось в версиях от ee25841221c17228cbd30262a90f3b03ad80cdf6 до 3d056d81b93a787613eda44aeb21fc14c3392b34 affected
Наблюдалось в версиях от 79963021fd718b74bed4cbc98f5f49d3ba6fb48c до 49db6cb81400ba863e1a85e55fcdf1031807c23f affected
Наблюдалось в версиях от 87a54feba68f5e47925c8e49100db9b2a8add761 до 1cb73704cb4778299609634a790a80daba582f7d affected
Наблюдалось в версиях от dbe97cff7dd9f0f75c524afdd55ad46be3d15295 до 0bccddd9b8f03ad57bb738f0d3da8845d4e1e579 affected
Наблюдалось в версиях от dbe97cff7dd9f0f75c524afdd55ad46be3d15295 до 273f6a4f71be12e2ec80a4919837d6e4fa933a04 affected
Наблюдалось в версиях от dbe97cff7dd9f0f75c524afdd55ad46be3d15295 до 0991028cd49567d7016d1b224fe0117c35059f86 affected
Наблюдалось в версии d4a49d20cd7cdb6bd075cd04c2cd00a7eba907ed affected
Linux
Product: Linux
Vendor: Linux
Default status: affected
Версии:
Затронутые версии Статус
Наблюдалось в версии 5.19 affected
Наблюдалось в версиях от 0 до 5.19 unaffected
Наблюдалось до версии 4.9.* unaffected
Наблюдалось до версии 4.14.* unaffected
Наблюдалось до версии 4.19.* unaffected
Наблюдалось до версии 5.4.* unaffected
Наблюдалось до версии 5.10.* unaffected
Наблюдалось до версии 5.15.* unaffected
Наблюдалось до версии 5.19.* unaffected
Наблюдалось до версии 6.0.* unaffected
Наблюдалось до версии * unaffected
 

Ссылки

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.