Date: Thu, 10 Oct 2013 12:22:49 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 69 (CVE-2013-4370) - misplaced free in ocaml xc_vcpu_getaffinity stub

Xen Security Advisory CVE-2013-4370 / XSA-69
version 2

misplaced free in ocaml xc_vcpu_getaffinity stub

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it and subsequently frees it again
afterwards. The code therefore contains use-after-free and
double-free flaws.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself, leading to heap
corruption and a potential DoS.

Depending on the malloc implementation, code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.

MITIGATION
==========

Not calling the vcpu_getaffinity function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa69.patch        Xen 4.3.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc  xsa69.patch
$

Download attachment "xsa69.patch" of type "application/octet-stream" (995 bytes)
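
The free ordering described under ISSUE DESCRIPTION, next to a corrected ordering, as an added example that is not part of the advisory and is not Xen source code. All names (struct tracked, query_affinity, getaffinity_buggy, getaffinity_fixed) are hypothetical, and the buffer is wrapped in a small tracker that counts the stale reads and extra frees instead of performing them.

```c
/* Added illustration, not Xen source; every name here is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Tracked buffer: counts lifetime violations instead of committing them. */
struct tracked { uint8_t *mem; int frees; int stale_reads; };

static int t_alloc(struct tracked *t, size_t len) {
    t->mem = calloc(1, len); t->frees = 0; t->stale_reads = 0;
    return t->mem ? 0 : -1;
}
static void t_free(struct tracked *t) {
    if (t->frees++ == 0) { free(t->mem); t->mem = NULL; } /* later calls: double free */
}
static int t_bit(struct tracked *t, size_t i) {
    if (!t->mem) { t->stale_reads++; return 0; }           /* use after free */
    return (t->mem[i / 8] >> (i % 8)) & 1;
}
/* Stand-in for the hypervisor query: reports affinity to CPUs 1 and 3. */
static int query_affinity(struct tracked *map) { map->mem[0] = 0x0A; return 0; }

/* Ordering described in the advisory: free, use, then free again. */
int getaffinity_buggy(int out[], size_t ncpus, struct tracked *map) {
    if (t_alloc(map, (ncpus + 7) / 8)) return -1;
    int rc = query_affinity(map);
    t_free(map);                                  /* misplaced free */
    for (size_t i = 0; i < ncpus; i++) out[i] = t_bit(map, i);
    t_free(map);
    return rc;
}

/* Corrected ordering: one free, placed after the last read of the buffer. */
int getaffinity_fixed(int out[], size_t ncpus, struct tracked *map) {
    if (t_alloc(map, (ncpus + 7) / 8)) return -1;
    int rc = query_affinity(map);
    for (size_t i = 0; rc == 0 && i < ncpus; i++) out[i] = t_bit(map, i);
    t_free(map);
    return rc;
}

int main(void) {
    int out[8]; struct tracked m;
    getaffinity_buggy(out, 8, &m);
    printf("buggy: frees=%d stale_reads=%d\n", m.frees, m.stale_reads);
    getaffinity_fixed(out, 8, &m);
    printf("fixed: frees=%d stale_reads=%d\n", m.frees, m.stale_reads);
    return 0;
}
```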