With the introduction of version 2 grant table operations, a
version check became necessary for most grant table related
hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a
check. As a result, the subsequent code behaved as if version 2 was
in use, when a guest issued this hypercall without a prior
GNTTABOP_setup_table or GNTTABOP_set_version.
The effect is a possible NULL pointer dereferences. However, this
cannot be exploited to elevate privileges of the attacking domain,
as the maximum memory address that can be wrongly accessed this way
is bounded to far below the start of hypervisor memory.
Malicious or buggy guest domain kernels can mount a denial of
service attack which, if successful, can affect the whole system.