Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 10 Oct 2013 12:22:49 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 69 (CVE-2013-4370) - misplaced free in
 ocaml xc_vcpu_getaffinity stub

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4370 / XSA-69
                               version 2

           misplaced free in ocaml xc_vcpu_getaffinity stub

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it and subsequently freeing it again
afterwards. The code therefore contains a use-after-free and
double-free flaws.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself leading to heap
corruption and a potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.

MITIGATION
==========

Not calling the vcpu_getaffinity function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa69.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc  xsa69.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSVpv9AAoJEIP+FMlX6CvZDDsIALyFWH1+Ox87+kncvYUHu6UJ
m4r85Jqp7pD97hAWP0mbVu/RxZgIE2mUaLDruuRvyaA940HtmsYxYRd010uqxUGQ
ouFdaChJpfyGAgKn15INEQnj7giX5Kd6tPFyza5N4TBm8HbK1N83rpGHDT8+unzA
MTAPk5KXCiIJ0LBU23Ce5ryXwXIkDjwPP+hJ+G0Axv1UpBTn6BhxE135m7cTOemU
oWHSrYbrM4zBpVPQHl1NX8YGtjbBILwDZOmtfJD/EDI2i7iqiIbVAAEoY6xFIHmL
nk0ZSN/rLSBXV+FH+sdJJunQzj4MOXg+nTx6ptO2T1pzTssEVsz6JOgUcCEMIy8=
=4eSf
-----END PGP SIGNATURE-----

Download attachment "xsa69.patch" of type "application/octet-stream" (995 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.