Date: Thu, 10 Oct 2013 12:22:55 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 70 (CVE-2013-4371) - use-after-free in libxl_list_cpupool under memory pressure -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4371 / XSA-70 version 2 use-after-free in libxl_list_cpupool under memory pressure UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= If realloc(3) fails then libxl_list_cpupool will incorrectly return the now-free original pointer. IMPACT ====== An attacker may be able to cause a multithreaded toolstack using this function to race against itself leading to heap corruption and a potential DoS. Depending on the malloc implementation code execution cannot be ruled out. VULNERABLE SYSTEMS ================== The flaw is present in Xen 4.2 onwards. Systems using the libxl toolstack library are vulnerable. MITIGATION ========== Not calling the libxl_list_cpupool function will avoid this issue. Not allowing untrusted users access to toolstack functionality will avoid this issue. CREDITS ======= This issue was discovered by Coverity Scan and Matthew Daley. RESOLUTION ========== Applying the attached patch resolves this issue. xsa70.patch Xen 4.3.x, Xen 4.2.x, xen-unstable $ sha256sum xsa70*.patch 2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56 xsa70.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSVpwCAAoJEIP+FMlX6CvZRskH/1fMuZLw8xSFT0L6piYvTudo BYqm+xxOR9dFMVKWMb0Pqk9nhLlYXXAn6pZV0KsoUIaA81Qx+fTkRpafVG9FGoD6 AG2TWijVmG3kyQdEcjxBPKLont2COupTwKUU4wusvLq3adYu7s4CaxUrVLZrhbCf q8EfmBA9rf1sLw2SiNXPT1o0XZjXJgiRbf5T4ggjJKUsb5+QMb0qXVFPHIqaAcZ5 Jf0HGRi+irH5thRx7hY3mprcGNx5WAWTiKOrzvQH6eDJjAlcAeS5YrDpBn1Z8lA2 ep2c758y6+ZcMfOffU9kHA9wybnZLq+yGIIgS2vcnbpiYHp29JFVEJ6ZIXp/4+4= =5x/x -----END PGP SIGNATURE----- Download attachment "xsa70.patch" of type "application/octet-stream" (1050 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.