[kernel-xen] Xen Security Advisory 83 (CVE-2014-1642) - Out-of-memory condition yielding memory corruption during IRQ setup

Steven Haigh netwiz at crc.id.au
Fri Jan 24 23:14:13 EST 2014


               Xen Security Advisory CVE-2014-1642 / XSA-83
                              version 3

       Out-of-memory condition yielding memory corruption during IRQ setup

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When setting up the IRQ for a passed through physical device, a flaw
in the error handling could result in a memory allocation being used
after it is freed, and then freed a second time.  This would typically
result in memory corruption.

IMPACT
======

Malicious guest administrators can trigger a use-after-free error, resulting
in hypervisor memory corruption.  The effects of memory corruption could be
anything, including a host-wide denial of service, or privilege escalation.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems making use of device passthrough are vulnerable.

Only systems with a 64-bit hypervisor configured to support more than 128
CPUs or with a 32-bit hypervisor configured to support more than 64 CPUs are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests on
systems supporting Intel VT-d or AMD Vi.

CREDITS
=======

This issue was discovered by Coverity Scan, prompted by modelling
improvements contributed by Andrew Coooper.  The issue was diagnosed
by Matthew Daley and Andrew Coooper.  The patch was prepared by Andrew
Cooper.

RESOLUTION
==========

Fixed in xen-4.2.3-12

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20140124/655d9b36/attachment.sig>


More information about the kernel-xen mailing list