x86: steal_page violates page_struct access discipline

ISSUE DESCRIPTION

Xen’s reference counting rules were designed to allow pages to change owner and state without requiring a global lock. Each page has a page structure, and a very specific set of access disciplines must be observed to ensure that pages are freed properly, and that no writable mappings exist for PV pagetable pages.
Unfortunately, when the XENMEM_exchange hypercall was introduced, these access disciplines were violated, opening up several potential race conditions.

IMPACT

A single PV guest can leak arbitrary amounts of memory, leading to a denial of service.
A cooperating pair of PV and HVM/PVH guests can get a writable pagetable entry, leading to information disclosure or privilege escalation.
Privilege escalation attacks using only a single PV guest or a pair of PV guests have not been ruled out.
Note that both of these attacks require very precise timing, which may be difficult to exploit in practice.

VULNERABLE SYSTEMS

Only x86 systems are vulnerable.
Only systems which run PV guests are vulnerable. Systems which run only HVM/PVH guests are not vulnerable.