Information
Advisory | XSA-188 |
Public release | 2016-09-08 12:00 |
Updated | 2016-09-08 12:00 |
Version | 3 |
CVE(s) | CVE-2016-7154 |
Title | use after free in FIFO event channel code |
Files
advisory-188.txt (signed advisory file)
xsa188.patch
Advisory
Xen Security Advisory CVE-2016-7154 / XSA-188
version 3
use after free in FIFO event channel code
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.
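As an added illustration, not code from the advisory or from Xen, here is a simplified C model of the pattern described above: the structure names, the `gfn_valid` and `clear_on_error` parameters and the `last_freed` bookkeeping are hypothetical. It shows why freeing the control structure without clearing its pointer lets a later operation act on freed memory, and how clearing the pointer on the error path removes the condition.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-vCPU FIFO control block (illustrative, not Xen's layout). */
struct control_block { unsigned int ready; };
struct vcpu_model { struct control_block *fifo; };

/* Constructed bookkeeping: remember the last freed block so a later use can be
 * flagged deterministically rather than by touching freed memory (UB). */
static struct control_block *last_freed;

/* EVTCHNOP_init_control as the advisory describes it: allocate, then take
 * an error path when the guest frame number is bad (gfn_valid stands in
 * for the real check). clear_on_error=false leaves the freed block's
 * pointer in place (the XSA-188 defect); true also clears the pointer. */
static int init_control(struct vcpu_model *v, bool gfn_valid, bool clear_on_error)
{
    v->fifo = calloc(1, sizeof *v->fifo);
    if (!v->fifo)
        return -1;                 /* allocation failure, nothing dangling */
    if (!gfn_valid) {
        last_freed = v->fifo;
        free(v->fifo);
        if (clear_on_error)
            v->fifo = NULL;        /* the fix: never leave a dangling pointer */
        return -2;                 /* bad guest frame number */
    }
    return 0;
}

/* A later EVTCHNOP_expand_array or init_control treats any non-NULL pointer as
 * live: 0 = nothing allocated, 1 = live memory, -1 = freed memory (the UAF). */
static int later_op_outcome(const struct vcpu_model *v)
{
    if (!v->fifo)
        return 0;
    return v->fifo == last_freed ? -1 : 1;
}

/* One init_control call on a fresh vCPU model, then what a follow-up would do. */
int run_scenario(bool gfn_valid, bool clear_on_error)
{
    struct vcpu_model v = { NULL };
    last_freed = NULL;
    init_control(&v, gfn_valid, clear_on_error);
    int outcome = later_op_outcome(&v);
    if (outcome == 1)
        free(v.fifo);              /* tidy up the live block */
    return outcome;
}
```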
IMPACT
======
A malicious guest administrator can crash the host, leading to a DoS.
Arbitrary code execution (and therefore privilege escalation), and
information leaks, cannot be excluded.
VULNERABLE SYSTEMS
==================
Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as Xen
versions 4.3 and earlier are not vulnerable.
MITIGATION
==========
There is no mitigation available.
CREDITS
=======
This issue was discovered by Mikhail Gorobets of Advanced Threat
Research, Intel Security.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa188.patch Xen 4.4.x
$ sha256sum xsa188*
9f374c2e1437ad71369f41275e7b333e7b7691a783ba693ee567c899bd78c722 xsa188.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
Xenproject.org Security Team