Xen Test Framework
Advisory: XSA-255
The Grant Table v2 API includes a set of status frames, which the guest is expected to map in addition to the regular grant frames. These frames need freeing by Xen if a guest chooses to switch back to Grant Table v1. Such a transition might occur when invoking a crash kernel.
Before XSA-255, Xen failed to check for outstanding mappings of the status frames before freeing the underlying pages.
Depending on the version of Xen, this might reliably hit a BUG() in the reference counting logic (and is at most a straight DoS), or may allow the guest to cause worse problems via its writeable mapping to a reused page.
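The following is an added model of the missing check, not code from XTF or Xen: status frames carry a count of outstanding guest mappings, the unchecked v2-to-v1 transition frees them regardless (the pre-XSA-255 shape), and the checked version refuses while any frame is still mapped. All names (`gt_set_version_checked`, `MODEL_EBUSY`, and so on) are this model's own, not Xen's.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_STATUS_FRAMES 4
#define MODEL_EBUSY 16   /* stands in for Xen's -EBUSY; model value, not Xen's */
/* One v2 status frame: outstanding guest mappings, and whether its
 * backing page has already been handed back to the allocator. */
struct status_frame { unsigned int map_refs; bool freed; };
struct grant_table {
    unsigned int version;                        /* 1 or 2 */
    struct status_frame status[MAX_STATUS_FRAMES];
};
/* Start in v2 with all status frames allocated and unmapped. */
void gt_init_v2(struct grant_table *gt) {
    memset(gt, 0, sizeof(*gt));
    gt->version = 2;
}
/* Guest maps a status frame; in the model that is a refcount increment. */
int gt_map_status(struct grant_table *gt, unsigned int idx) {
    if (idx >= MAX_STATUS_FRAMES || gt->status[idx].freed) return -1;
    gt->status[idx].map_refs++;
    return 0;
}
/* Hand the status frames' pages back; consults no mapping state at all. */
static void free_status_frames(struct grant_table *gt) {
    for (unsigned int i = 0; i < MAX_STATUS_FRAMES; i++) gt->status[i].freed = true;
}
/* Pre-XSA-255 shape of v2 -> v1: frames are freed while still mapped. */
int gt_set_version_unchecked(struct grant_table *gt, unsigned int v) {
    if (gt->version == 2 && v == 1) free_status_frames(gt);
    gt->version = v;
    return 0;
}
/* Fixed shape: refuse the transition while any status frame is mapped. */
int gt_set_version_checked(struct grant_table *gt, unsigned int v) {
    if (gt->version == 2 && v == 1) {
        for (unsigned int i = 0; i < MAX_STATUS_FRAMES; i++)
            if (gt->status[i].map_refs) return -MODEL_EBUSY;
        free_status_frames(gt);
    }
    gt->version = v;
    return 0;
}
/* True when a freed page remains reachable through a guest mapping:
 * the condition the advisory describes. */
bool gt_has_dangling_mapping(const struct grant_table *gt) {
    for (unsigned int i = 0; i < MAX_STATUS_FRAMES; i++)
        if (gt->status[i].freed && gt->status[i].map_refs) return true;
    return false;
}
```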