[kernel-xen] Xen Security Advisory 88 (CVE-2014-1950) - use-after-free in xc_cpupool_getinfo() under memory pressure

Thu Feb 13 04:20:08 EST 2014

CVE assigned.

ISSUE DESCRIPTION
=================

If xc_cpumap_alloc() fails then xc_cpupool_getinfo() will free and
incorrectly
return the then-free pointer to the result structure.

IMPACT
======

An attacker may be able to cause a multi-threaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation, privilege escalation cannot be
ruled out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.1 onwards.  Only multithreaded toolstacks
are vulnerable.  Only systems where management functions (such as
domain creation) are exposed to untrusted users are vulnerable.

xl is not multithreaded, so is not vulnerable.  However, multithreaded
toolstacks using libxl as a library are vulnerable.  xend is
vulnerable.

MITIGATION
==========

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Fixed in xen-4.2.3-14.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJS+61HAAoJEEGvNdV6fTHcUmsP/3SqydNEXLaxKhgXP50Yk7bp
pmE5hP8YcWjH6rx4ZkeweGnc6YeWT46H2mZO7WG0xNaKv70K96LPT42Ru4SYOYd+
nFqfQf0yKbdxeeDVxTU9GfzLs0yh9JeoucsiTYWYyxL3/Wji6e8bPgSX4nyYwulu
q7DzN5mlvch9T7EBx1u06kKjiMo15LjLozwRi16KJic0Sy6yWDT2rPvGXneytbCd
iw96zd8jQG5Ykl7YwhDCwt2SURe0TYZjfQvU2STTMNbvGBk0s/HSCnHDgiBowEu+
Ak2cocIol+5QZCpwL4fuEI5Jb1mR5lE+zwWlIEY7SRYsD74tktmfK1jTzNAMHJT7
V0peOisN8+yeIhuwrLUscXtOrNUWg/VXWktk/JztZNdpAGERzLTK3H+yg/IbwXD/
St04VDbVleFetvvgjFC4C2sKFH8nSKCZDyWKJP6SLaPvpqgNFMUQbcO44NsLyLIo
jmRWdzKMfualBIAV4RkA+FRbmEcEMKlDl6SBqWsJ0AaEyEjE/BZDH9QIN3lFaF2J
3Z6AkC7zpovRmvtmd/BKk14lTwTpTgQ9jBW1nVsygFD1zG5zUCRvJYasv1hsQe+v
fbtF6oqPz9T9bb5cuVmgo3PTZ0vCWJZkIiJH5Jm5fjeSJQE+aWJAHzEsfHYDvut2
3tlwqpdPtArjYNp+FkhQ
=eNO/
-----END PGP SIGNATURE-----