Information
Advisory | XSA-70 |
Public release | 2013-10-10 12:00 |
Updated | 2013-10-10 12:22 |
Version | 2 |
CVE(s) | CVE-2013-4371 |
Title | use-after-free in libxl_list_cpupool under memory pressure |
Files
advisory-70.txt (signed advisory file)
xsa70.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-4371 / XSA-70
version 2
use-after-free in libxl_list_cpupool under memory pressure
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
If realloc(3) fails then libxl_list_cpupool will incorrectly return
the now-free original pointer.
IMPACT
======
An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.
Depending on the malloc implementation, code execution cannot be ruled
out.
VULNERABLE SYSTEMS
==================
The flaw is present in Xen 4.2 onwards.
Systems using the libxl toolstack library are vulnerable.
MITIGATION
==========
Not calling the libxl_list_cpupool function will avoid this issue.
Not allowing untrusted users access to toolstack functionality will
avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa70.patch Xen 4.3.x, Xen 4.2.x, xen-unstable
$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56 xsa70.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team
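
The error path described under ISSUE DESCRIPTION, as an added illustration: this is not libxl code and not the contents of xsa70.patch. All names (pool_info, list_pools, xrealloc, set_realloc_failure) are hypothetical, and the realloc failure is injected by a test hook so the error path can be exercised deterministically.

```c
#include <stdlib.h>

/* Constructed stand-in for one list entry; not libxl's type. */
struct pool_info { unsigned id; };

/* Fault injection (hypothetical test hook): fail the Nth realloc, 0 = never. */
static int fail_on_call, realloc_calls;

void set_realloc_failure(int nth)
{
    fail_on_call = nth;
    realloc_calls = 0;
}

static void *xrealloc(void *p, size_t n)
{
    if (fail_on_call && ++realloc_calls == fail_on_call)
        return NULL;            /* simulated memory pressure; p is untouched */
    return realloc(p, n);
}

/* Build a list of `want` entries, growing one element at a time.
 * Returns the list and stores its length in *n_out; on allocation
 * failure returns NULL with *n_out == 0. */
struct pool_info *list_pools(unsigned want, int *n_out)
{
    struct pool_info *ptr = NULL, *tmp;
    unsigned i;

    for (i = 0; i < want; i++) {
        tmp = xrealloc(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) {
            free(ptr);          /* realloc failed, so ptr is still ours to free */
            /* Without the next two lines the function would hand back the
             * freed pointer and a non-zero count: the flaw described above. */
            ptr = NULL;
            i = 0;
            break;
        }
        ptr = tmp;
        ptr[i].id = i;
    }
    *n_out = (int)i;
    return ptr;
}
```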