Xen.org security team
2014-Feb-12 17:04 UTC
Xen Security Advisory 88 (CVE-2014-1950) - use-after-free in xc_cpupool_getinfo() under memory pressure
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-1950 / XSA-88 version 3 use-after-free in xc_cpupool_getinfo() under memory pressure UPDATES IN VERSION 3 =================== CVE assigned. ISSUE DESCRIPTION ================ If xc_cpumap_alloc() fails then xc_cpupool_getinfo() will free and incorrectly return the then-free pointer to the result structure. IMPACT ===== An attacker may be able to cause a multi-threaded toolstack using this function to race against itself leading to heap corruption and a potential DoS. Depending on the malloc implementation, privilege escalation cannot be ruled out. VULNERABLE SYSTEMS ================= The flaw is present in Xen 4.1 onwards. Only multithreaded toolstacks are vulnerable. Only systems where management functions (such as domain creation) are exposed to untrusted users are vulnerable. xl is not multithreaded, so is not vulnerable. However, multithreaded toolstacks using libxl as a library are vulnerable. xend is vulnerable. MITIGATION ========= Not allowing untrusted users access to toolstack functionality will avoid this issue. CREDITS ====== This issue was discovered by Coverity Scan and diagnosed by Andrew Cooper. RESOLUTION ========= Applying the attached patch resolves this issue. xsa88.patch xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x $ sha256sum xsa88*.patch 7a73ca9db19a9ffe6e8cd259fa71dc1299738f26fa024303f4ab38931db75f14 xsa88.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJS+6mbAAoJEIP+FMlX6CvZjhAH/j9PI7N93lhkTiVZiD3noh9e czgskoQ1ge1zHSzYVXvLZvVEaEVCSMQpql37gSAeWl7rfjdFxv6xQQ3OIla2Xyqm xfoaQhP8ZMbBX6RAWRWC99wCB8ki67VA3ZqHEqNPz72FxnaT9Y0bQ0Wg4cVcq69q hNtidmtRfX8yD5o/ACpiuCHL0miD9GxZGjGVy1EAjMxKgfDR8fBkI2hoHe4v6V4v XzeiXW7/xyLtXausFsTdUI/gTO+2UCWlaBPS5eobCnXFP+agmJfhTAzHU9gNQajv AATAlka1y9WMWnLBvp+UMDqJ2w5XhwwVQAW17mAyipLi0vco6gcp1F80UTKmtVc=1It2 -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users