From mboxrd@z Thu Jan 1 00:00:00 1970
From: Xen.org security team
Subject: Xen Security Advisory 69 (CVE-2013-4370) - misplaced free in ocaml xc_vcpu_getaffinity stub
Date: Thu, 10 Oct 2013 12:22:49 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"
List-Id: xen-devel@lists.xenproject.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2013-4370 / XSA-69
                              version 2

       misplaced free in ocaml xc_vcpu_getaffinity stub

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The ocaml binding for the xc_vcpu_getaffinity function incorrectly frees
a pointer before using it, and then frees it again afterwards. The code
therefore contains both a use-after-free and a double-free flaw.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself, leading to heap
corruption and a potential DoS. Depending on the malloc implementation,
code execution cannot be ruled out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.

MITIGATION
==========

Not calling the vcpu_getaffinity function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.
xsa69.patch           Xen 4.3.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc  xsa69.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSVpv9AAoJEIP+FMlX6CvZDDsIALyFWH1+Ox87+kncvYUHu6UJ
m4r85Jqp7pD97hAWP0mbVu/RxZgIE2mUaLDruuRvyaA940HtmsYxYRd010uqxUGQ
ouFdaChJpfyGAgKn15INEQnj7giX5Kd6tPFyza5N4TBm8HbK1N83rpGHDT8+unzA
MTAPk5KXCiIJ0LBU23Ce5ryXwXIkDjwPP+hJ+G0Axv1UpBTn6BhxE135m7cTOemU
oWHSrYbrM4zBpVPQHl1NX8YGtjbBILwDZOmtfJD/EDI2i7iqiIbVAAEoY6xFIHmL
nk0ZSN/rLSBXV+FH+sdJJunQzj4MOXg+nTx6ptO2T1pzTssEVsz6JOgUcCEMIy8=
=4eSf
-----END PGP SIGNATURE-----

Content-Type: application/octet-stream; name="xsa69.patch"
Content-Disposition: attachment; filename="xsa69.patch"

From 067c122873c67bd1d9620f8340f9c9c209135388 Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattjd@gmail.com>
Date: Tue, 10 Sep 2013 23:12:45 +1200
Subject: [PATCH] tools/ocaml: fix erroneous free of cpumap in
 stub_xc_vcpu_getaffinity

Not sure how it got there...

Coverity-ID: 1056196

This is CVE-2013-4370 / XSA-69

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
 tools/ocaml/libs/xc/xenctrl_stubs.c |    2 --
 1 file changed, 2 deletions(-)

diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
index df756ad..f5cf0ed 100644
--- a/tools/ocaml/libs/xc/xenctrl_stubs.c
+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
@@ -461,8 +461,6 @@ CAMLprim value stub_xc_vcpu_getaffinity(value xch, value domid,
 
 	retval = xc_vcpu_getaffinity(_H(xch), _D(domid),
 	                             Int_val(vcpu), c_cpumap);
-	free(c_cpumap);
-
 	if (retval < 0) {
 		free(c_cpumap);
 		failwith_xc(_H(xch));
-- 
1.7.10.4

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
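Review bot: the hunk in xenctrl_stubs.c removes the early `free(c_cpumap);` and keeps the one inside `if (retval < 0) {`, but the context ends at `failwith_xc(_H(xch));` before the success path is visible; confirm that the code after the error branch still releases c_cpumap once its contents have been consumed, otherwise the change trades the double free for a leak on every successful call. A one-line comment above the `if (retval < 0)` block stating that c_cpumap is owned by this function until it is copied out and freed would also help, since the commit message ("Not sure how it got there...") shows the ownership was not obvious to whoever added the stray free.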
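The ownership pattern the advisory describes, as an added example that is not Xen's code: a C stub allocates a scratch CPU bitmap, hands it to a library call that fills it, reads the result out, and releases the buffer exactly once on both the success and the error path. The library call `fake_getaffinity`, the free counter, and the CPU numbers are constructed for the example; the vulnerable ordering from XSA-69 is described in a comment only, since executing a read after free is undefined behaviour.

```c
/* Added example (not Xen code): the ownership pattern a C stub such as the
 * OCaml binding of xc_vcpu_getaffinity has to follow. A scratch buffer is
 * allocated, handed to a library call that fills it, read out, and released
 * exactly once on every path. The library call, the free counter and the
 * CPU numbers below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the library call: fills the bitmap (one bit per
 * CPU, vcpu N pinned to CPU N) and returns -1 for an invalid vcpu. */
static int fake_getaffinity(int vcpu, uint8_t *cpumap, size_t len)
{
    if (vcpu < 0 || (size_t)vcpu / 8 >= len)
        return -1;
    memset(cpumap, 0, len);
    cpumap[vcpu / 8] |= (uint8_t)(1u << (vcpu % 8));
    return 0;
}

/* Every release of the scratch buffer goes through here so a check can
 * confirm that it happens exactly once per call. */
static int g_free_calls;
static void release_cpumap(uint8_t *p) { g_free_calls++; free(p); }
int free_calls(void) { return g_free_calls; }
void reset_free_calls(void) { g_free_calls = 0; }

/* The ordering the advisory describes was:
 *     retval = xc_vcpu_getaffinity(..., c_cpumap);
 *     free(c_cpumap);                           <- released here
 *     if (retval < 0) { free(c_cpumap); ... }   <- and again on error
 *     ... c_cpumap is then still used           <- read after free
 * The correct shape below has one owner and one free per path. */
int get_affinity_bits(int vcpu, size_t nr_cpus, uint64_t *out)
{
    size_t len = (nr_cpus + 7) / 8;
    uint8_t *c_cpumap;
    uint64_t bits = 0;
    int retval;

    if (nr_cpus == 0 || nr_cpus > 64)   /* result fits in one uint64_t */
        return -1;
    c_cpumap = malloc(len);
    if (!c_cpumap)
        return -1;

    retval = fake_getaffinity(vcpu, c_cpumap, len);
    if (retval < 0) {
        release_cpumap(c_cpumap);        /* error path: free once, then leave */
        return -1;
    }

    /* Success path: use the buffer first ... */
    for (size_t i = 0; i < nr_cpus; i++)
        if (c_cpumap[i / 8] & (1u << (i % 8)))
            bits |= (uint64_t)1 << i;

    /* ... and release it exactly once, after the last read. */
    release_cpumap(c_cpumap);
    *out = bits;
    return 0;
}

/* Convenience wrapper: the CPU mask on success, UINT64_MAX on failure. */
uint64_t affinity_mask(int vcpu, size_t nr_cpus)
{
    uint64_t bits;
    return get_affinity_bits(vcpu, nr_cpus, &bits) == 0 ? bits : UINT64_MAX;
}

int main(void)
{
    reset_free_calls();
    printf("vcpu 3 of 16:  mask=0x%llx frees=%d\n",
           (unsigned long long)affinity_mask(3, 16), free_calls());
    reset_free_calls();
    printf("vcpu -1 of 16: mask=0x%llx frees=%d\n",
           (unsigned long long)affinity_mask(-1, 16), free_calls());
    return 0;
}
```

Routing every release through one helper and counting it is a cheap regression check for this class of bug: a double free shows up as a count of 2 and a leak as a count of 0, without needing a sanitizer build. In a real stub the same discipline holds for the success path that the patch context does not show: the buffer must be copied into the OCaml value before the single free.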