[kernel-xen] Xen Security Advisory 70 (CVE-2013-4371) - use-after-free in libxl_list_cpupool under memory pressure
Steven Haigh
netwiz at crc.id.au
Fri Oct 11 02:45:26 EST 2013
Xen Security Advisory CVE-2013-4371 / XSA-70
version 2

use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails then libxl_list_cpupool will incorrectly return
the now-free original pointer.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Fixed in xen-4.2.3-4
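
The bug class named under ISSUE DESCRIPTION, as an added example: a list-building loop that frees its buffer when realloc(3) fails but still returns the stale pointer, beside a version that clears the pointer and count on that path. This is not libxl source or the XSA-70 patch and is not part of the original message; item_t, fail_at, test_realloc and both list_items_* functions are hypothetical names used for illustration.

```c
#include <stdlib.h>

/* Hypothetical record type and fault-injection knob; neither is from libxl. */
typedef struct { int id; } item_t;
static int fail_at = -1;   /* element index at which allocation fails; -1 = never */

/* realloc wrapper that simulates memory pressure at a chosen element index */
static void *test_realloc(void *p, size_t n, int idx)
{
    return (idx == fail_at) ? NULL : realloc(p, n);
}

/* BEFORE: on failure the buffer is freed, yet the stale pointer and count are returned. */
item_t *list_items_vulnerable(int want, int *count)
{
    item_t *ptr = NULL, *tmp;
    int i;
    for (i = 0; i < want; i++) {
        tmp = test_realloc(ptr, (size_t)(i + 1) * sizeof(*ptr), i);
        if (!tmp) {
            free(ptr);      /* ptr is now dangling ... */
            break;
        }
        ptr = tmp;
        ptr[i].id = i;
    }
    *count = i;
    return ptr;             /* ... and is handed to the caller anyway */
}

/* AFTER: clear pointer and count on the failure path so the caller sees an unambiguous error. */
item_t *list_items_fixed(int want, int *count)
{
    item_t *ptr = NULL, *tmp;
    int i;
    for (i = 0; i < want; i++) {
        tmp = test_realloc(ptr, (size_t)(i + 1) * sizeof(*ptr), i);
        if (!tmp) {
            free(ptr);
            ptr = NULL;     /* never return freed memory */
            i = 0;          /* report zero valid entries */
            break;
        }
        ptr = tmp;
        ptr[i].id = i;
    }
    *count = i;
    return ptr;
}
```

With the first version, a caller that trusts the returned pointer and count will read or free memory the allocator may already have handed to another thread, which is the heap corruption the IMPACT section refers to.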