Information

AdvisoryXSA-47
Public release 2013-04-04 17:54
Updated 2013-04-04 17:54
Version 1
CVE(s) CVE-2013-1920
Title Potential use of freed memory in event channel operations

Files

advisory-47.txt (signed advisory file)
xsa47-4.1.patch
xsa47-4.2-unstable.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1920 / XSA-47

        Potential use of freed memory in event channel operations

ISSUE DESCRIPTION
=================

Wrong ordering of operations upon extending the per-domain event
channel tracking table can cause a pointer to freed memory to be left
in place, when the hypervisor is under memory pressure and XSM (Xen
Security Module) is enabled.

IMPACT
======

Malicious guest kernels could inject arbitrary events or corrupt other
hypervisor state, possibly leading to code execution.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.2 onwards are vulnerable when making use of
XSM.  Configurations without XSM or with a dummy module are not
affected.

MITIGATION
==========

Running without XSM (which is the default) will avoid this
vulnerability, albeit doing so will likely lower overall security of
systems that would otherwise have XSM enabled.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa47-4.1.patch             Xen 4.1.x
xsa47-4.2-unstable.patch    Xen 4.2.x and xen-unstable

$ sha256sum xsa47*.patch
e49a03e0693de07ec1418eb16191854458e72088febd6948ea5bc1f900a1853a  xsa47-4.1.patch
c29b59492f9d7e3f74bfc41877a2c5cff70436d3738fd91066f396f969aab0a7  xsa47-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRXb5fAAoJEIP+FMlX6CvZ0RwH/AtcVQFvERB+16wSjN3GTguk
LnakHD3NCVeaDNbkF0G4b4ibR5oOCAGO/9CQwcB1QKj67mvYJm2kglDnGWUmZUQC
TKWZR5vA9D9YAQvll8mSwd3OdLBoN0IGYPp9AIVUi9zl34zF+ZzbtsC57dvmjQD6
/E0tMDgOoCsA8ARnuknjbgk+CbfsGi/dbxYGDla4/wMC9wbUhG1wcA9lqNa37azT
1lRIj8qI3TfWC4aMh1kZKPsljrHZLkfA2VxgkrTCjr7u2Usr7vgUsNT4F0rYouRI
h5mo1JszJOnM2EHuzVbQrvBmaXlPIFF/S5cRvD6RIavEsOUet5au49Hnhb/ENG4=
=/g6f
-----END PGP SIGNATURE-----


Xenproject.org Security Team