Races in the grant table unmap code

ISSUE DESCRIPTION

We have discovered two bugs in the code unmapping grant references.

• When a grant had been mapped twice by a backend domain, and then unmapped by two concurrent unmap calls, the frontend may be informed that the page had no further mappings when the first call completed rather than when the second call completed. (CVE-2017-10913.)
• A race triggerable by an unprivileged guest could cause a grant maptrack entry for grants to be “freed” twice. The ultimate effect of this would be for maptrack entries for a single domain to be re-used. (CVE-2017-10914.)

IMPACT

For the first issue, for a short window of time, a malicious backend could still read and write memory that the frontend thought was its own again. Depending on the usage, this could be either an information leak, or a backend-to-frontend privilege escalation.
The second issue is more difficult to analyze. It can probably cause reference counts to leak, preventing memory from being freed on domain destruction (denial-of-service), but information leakage or host privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
Both ARM and x86 are vulnerable.
On x86, systems with either PV or HVM guests are vulnerable.