Date: Thu, 10 Oct 2013 12:22:55 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 70 (CVE-2013-4371) - use-after-free in libxl_list_cpupool under memory pressure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2013-4371 / XSA-70
                              version 2

      use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails then libxl_list_cpupool will incorrectly return the
now-free original pointer.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa70.patch           Xen 4.3.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56  xsa70.patch
$

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSVpwCAAoJEIP+FMlX6CvZRskH/1fMuZLw8xSFT0L6piYvTudo
BYqm+xxOR9dFMVKWMb0Pqk9nhLlYXXAn6pZV0KsoUIaA81Qx+fTkRpafVG9FGoD6
AG2TWijVmG3kyQdEcjxBPKLont2COupTwKUU4wusvLq3adYu7s4CaxUrVLZrhbCf
q8EfmBA9rf1sLw2SiNXPT1o0XZjXJgiRbf5T4ggjJKUsb5+QMb0qXVFPHIqaAcZ5
Jf0HGRi+irH5thRx7hY3mprcGNx5WAWTiKOrzvQH6eDJjAlcAeS5YrDpBn1Z8lA2
ep2c758y6+ZcMfOffU9kHA9wybnZLq+yGIIgS2vcnbpiYHp29JFVEJ6ZIXp/4+4=
=5x/x
-----END PGP SIGNATURE-----

[ CONTENT OF TYPE application/octet-stream SKIPPED ]
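The defect class described in the advisory (a list-growing loop that mishandles a failed realloc(3) and hands back memory it has already released), shown in its hardened form. This is an added example written for this page; it is not Xen's libxl code and not the attached xsa70.patch, which is not reproduced here. The pool_info type, the fetch_pool data source, the inj_realloc fault-injection hook, list_pools and run_scenario are all hypothetical names constructed for the illustration; the hook makes a chosen realloc call return NULL so the failure path can actually be exercised offline.

```c
/* Added example, not Xen code: hardened realloc handling for a growing list,
 * plus a constructed fault-injection hook to exercise the failure path. */
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical per-pool record; stands in for the real libxl info structure. */
typedef struct {
    int poolid;
    unsigned ncpus;
} pool_info;

/* Constructed fault-injection hook: when g_fail_at_call >= 0, that realloc
 * call (0-based) returns NULL, exactly as realloc(3) does under memory
 * pressure. Per the C standard the old block then stays allocated and valid. */
static int g_fail_at_call = -1;
static int g_realloc_calls = 0;

static void *inj_realloc(void *p, size_t n)
{
    int call = g_realloc_calls++;
    if (call == g_fail_at_call)
        return NULL;
    return realloc(p, n);
}

/* Constructed data source: pretend the hypervisor reports `total` pools. */
static int fetch_pool(int idx, int total, pool_info *out)
{
    if (idx >= total)
        return 0;                       /* no more pools */
    out->poolid = idx;
    out->ncpus = 2u * (unsigned)(idx + 1);
    return 1;
}

/*
 * The bug class behind the advisory, kept in a comment so nothing here ever
 * executes a use-after-free:
 *
 *     tmp = realloc(ptr, newsize);
 *     if (!tmp) {
 *         free(ptr);        // old array released ...
 *         return ptr;       // ... and the freed pointer handed to the caller
 *     }
 *
 * A caller iterating that result, or another thread allocating at the same
 * time, then operates on freed heap memory.
 */

/*
 * Hardened list builder. Contract: returns 0 and stores a heap array of
 * *nb_pool entries in *out (caller frees it); returns -1 on allocation
 * failure with *out == NULL, *nb_pool == 0 and nothing leaked. The realloc
 * result always lands in a temporary, so the still-valid old pointer is
 * freed exactly once and is never returned.
 */
int list_pools(int total, pool_info **out, int *nb_pool)
{
    pool_info *ptr = NULL, *tmp;
    pool_info info;
    int i = 0;

    *out = NULL;
    *nb_pool = 0;
    while (fetch_pool(i, total, &info)) {
        tmp = inj_realloc(ptr, (size_t)(i + 1) * sizeof(*ptr));
        if (!tmp) {
            free(ptr);                  /* old block is still valid: release it once */
            return -1;                  /* *out stays NULL; no dangling pointer escapes */
        }
        ptr = tmp;
        ptr[i] = info;
        i++;
    }
    *out = ptr;
    *nb_pool = i;
    return 0;
}

/* Drive list_pools with a realloc failure injected at call `fail_at`
 * (-1 for no failure). Returns the number of pools listed, or -1 on failure. */
int run_scenario(int total, int fail_at)
{
    pool_info *pools;
    int n, result;

    g_fail_at_call = fail_at;
    g_realloc_calls = 0;
    result = list_pools(total, &pools, &n) == 0 ? n : -1;
    free(pools);                        /* NULL on the failure path; free(NULL) is a no-op */
    return result;
}

int main(void)
{
    printf("no fault: %d pools\n", run_scenario(3, -1));
    printf("fault on 2nd realloc: %d\n", run_scenario(3, 1));
    return 0;
}
```

Building this with AddressSanitizer or running it under Valgrind is the quick way to confirm the failure path neither touches freed memory nor leaks: the injected-fault scenario must report no invalid access and no reachable-but-lost blocks.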