Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 10 Oct 2013 12:22:55 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 70 (CVE-2013-4371) - use-after-free in
 libxl_list_cpupool under memory pressure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4371 / XSA-70
                               version 2

      use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails then libxl_list_cpupool will incorrectly return
the now-free original pointer.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa70.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56  xsa70.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSVpwCAAoJEIP+FMlX6CvZRskH/1fMuZLw8xSFT0L6piYvTudo
BYqm+xxOR9dFMVKWMb0Pqk9nhLlYXXAn6pZV0KsoUIaA81Qx+fTkRpafVG9FGoD6
AG2TWijVmG3kyQdEcjxBPKLont2COupTwKUU4wusvLq3adYu7s4CaxUrVLZrhbCf
q8EfmBA9rf1sLw2SiNXPT1o0XZjXJgiRbf5T4ggjJKUsb5+QMb0qXVFPHIqaAcZ5
Jf0HGRi+irH5thRx7hY3mprcGNx5WAWTiKOrzvQH6eDJjAlcAeS5YrDpBn1Z8lA2
ep2c758y6+ZcMfOffU9kHA9wybnZLq+yGIIgS2vcnbpiYHp29JFVEJ6ZIXp/4+4=
=5x/x
-----END PGP SIGNATURE-----

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ