[kernel-xen] Xen Security Advisory 70 (CVE-2013-4371) - use-after-free in libxl_list_cpupool under memory pressure

Steven Haigh netwiz at crc.id.au
Fri Oct 11 02:45:26 EST 2013


             Xen Security Advisory CVE-2013-4371 / XSA-70
                               version 2

      use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails then libxl_list_cpupool will incorrectly return
the now-free original pointer.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Fixed in xen-4.2.3-4

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20131011/9ff9bb5f/attachment.sig>


More information about the kernel-xen mailing list