* Xen Security Advisory 69 (CVE-2013-4370) - misplaced free in ocaml xc_vcpu_getaffinity stub
@ 2013-10-10 12:22 Xen.org security team
0 siblings, 0 replies; only message in thread
From: Xen.org security team @ 2013-10-10 12:22 UTC (permalink / raw)
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team
[-- Attachment #1: Type: text/plain, Size: 1915 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-4370 / XSA-69
version 2
misplaced free in ocaml xc_vcpu_getaffinity stub
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it and subsequently freeing it again
afterwards. The code therefore contains a use-after-free and
double-free flaws.
IMPACT
======
An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself leading to heap
corruption and a potential DoS.
Depending on the malloc implementation code execution cannot be ruled
out.
VULNERABLE SYSTEMS
==================
The flaw is present in Xen 4.2 onwards.
Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.
MITIGATION
==========
Not calling the vcpu_getaffinity function will avoid this issue.
Not allowing untrusted users access to toolstack functionality will
avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa69.patch Xen 4.3.x, Xen 4.2.x, xen-unstable
$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc xsa69.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJSVpv9AAoJEIP+FMlX6CvZDDsIALyFWH1+Ox87+kncvYUHu6UJ
m4r85Jqp7pD97hAWP0mbVu/RxZgIE2mUaLDruuRvyaA940HtmsYxYRd010uqxUGQ
ouFdaChJpfyGAgKn15INEQnj7giX5Kd6tPFyza5N4TBm8HbK1N83rpGHDT8+unzA
MTAPk5KXCiIJ0LBU23Ce5ryXwXIkDjwPP+hJ+G0Axv1UpBTn6BhxE135m7cTOemU
oWHSrYbrM4zBpVPQHl1NX8YGtjbBILwDZOmtfJD/EDI2i7iqiIbVAAEoY6xFIHmL
nk0ZSN/rLSBXV+FH+sdJJunQzj4MOXg+nTx6ptO2T1pzTssEVsz6JOgUcCEMIy8=
=4eSf
-----END PGP SIGNATURE-----
[-- Attachment #2: xsa69.patch --]
[-- Type: application/octet-stream, Size: 995 bytes --]
From 067c122873c67bd1d9620f8340f9c9c209135388 Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattjd@gmail.com>
Date: Tue, 10 Sep 2013 23:12:45 +1200
Subject: [PATCH] tools/ocaml: fix erroneous free of cpumap in
stub_xc_vcpu_getaffinity
Not sure how it got there...
Coverity-ID: 1056196
This is CVE-2013-4370 / XSA-69
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
tools/ocaml/libs/xc/xenctrl_stubs.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
index df756ad..f5cf0ed 100644
--- a/tools/ocaml/libs/xc/xenctrl_stubs.c
+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
@@ -461,8 +461,6 @@ CAMLprim value stub_xc_vcpu_getaffinity(value xch, value domid,
retval = xc_vcpu_getaffinity(_H(xch), _D(domid),
Int_val(vcpu), c_cpumap);
- free(c_cpumap);
-
if (retval < 0) {
free(c_cpumap);
failwith_xc(_H(xch));
--
1.7.10.4
[-- Attachment #3: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2013-10-10 12:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-10-10 12:22 Xen Security Advisory 69 (CVE-2013-4370) - misplaced free in ocaml xc_vcpu_getaffinity stub Xen.org security team
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).