[kernel-xen] Xen Security Advisory 69 (CVE-2013-4370) - misplaced free in ocaml xc_vcpu_getaffinity stub
Steven Haigh
netwiz at crc.id.au
Fri Oct 11 02:44:57 EST 2013
Xen Security Advisory CVE-2013-4370 / XSA-69
version 2
misplaced free in ocaml xc_vcpu_getaffinity stub
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it and subsequently frees it again
afterwards. The code therefore contains use-after-free and
double-free flaws.
IMPACT
======
An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself, leading to heap
corruption and a potential DoS.
Depending on the malloc implementation, code execution cannot be ruled
out.
VULNERABLE SYSTEMS
==================
The flaw is present in Xen 4.2 onwards.
Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.
MITIGATION
==========
Not calling the vcpu_getaffinity function will avoid this issue.
Not allowing untrusted users access to toolstack functionality will
avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Fixed in xen-4.2.3-4
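
The ordering flaw described under ISSUE DESCRIPTION, as an added example that is not part of the advisory and is not Xen source code. All names (struct tracked, t_alloc, t_free, t_bit, fake_getaffinity, stub_misplaced_free, stub_fixed) are hypothetical, and the buffer carries a liveness flag so that the misuse is counted rather than executed:

```c
#include <stdlib.h>

/* Constructed model, not Xen source: the buffer carries a liveness flag so
   that misuse is counted instead of triggering undefined behaviour. */
struct tracked { unsigned char *map; int live; int uaf; int dfree; };

static void t_alloc(struct tracked *t, size_t n) {
    t->map = calloc(1, n); t->live = 1; t->uaf = 0; t->dfree = 0;
}
static void t_free(struct tracked *t) {
    if (!t->live) { t->dfree++; return; }    /* would be a double free */
    free(t->map); t->map = NULL; t->live = 0;
}
static int t_bit(struct tracked *t, int i) {
    if (!t->live) { t->uaf++; return 0; }    /* would be a use-after-free */
    return (t->map[i / 8] >> (i & 7)) & 1;
}
/* Hypothetical stand-in for the call that fills the CPU map. */
static int fake_getaffinity(struct tracked *t) {
    if (!t->map) return -1;                  /* allocation failed */
    t->map[0] = 0x05; return 0;              /* constructed sample: CPUs 0 and 2 */
}

/* Pattern described in the advisory: the free sits before the last use. */
int stub_misplaced_free(int ncpus, int *out, struct tracked *t) {
    t_alloc(t, (ncpus + 7) / 8);
    int rc = fake_getaffinity(t);
    t_free(t);                               /* misplaced free */
    if (rc < 0) return -1;
    for (int i = 0; i < ncpus; i++) out[i] = t_bit(t, i);
    t_free(t);                               /* second free of the same buffer */
    return 0;
}

/* Corrected ordering: exactly one free on each exit path, after the last read. */
int stub_fixed(int ncpus, int *out, struct tracked *t) {
    t_alloc(t, (ncpus + 7) / 8);
    int rc = fake_getaffinity(t);
    if (rc < 0) { t_free(t); return -1; }
    for (int i = 0; i < ncpus; i++) out[i] = t_bit(t, i);
    t_free(t);
    return 0;
}
```

Counting the reads and frees that hit a dead buffer mirrors what a static analyser or a sanitizer build would flag in the misplaced-free variant.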