|Public release ||2016-09-08 12:00|
|Updated ||2016-09-08 12:00|
|Title ||use after free in FIFO event channel code|
Filesadvisory-188.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2016-7154 / XSA-188
use after free in FIFO event channel code
UPDATES IN VERSION 3
When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.
A malicious guest administrator can crash the host, leading to a DoS.
Arbitrary code execution (and therefore privilege escalation), and
information leaks, cannot be excluded.
Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as Xen
versions 4.3 and earlier are not vulnerable.
There is no mitigation available.
This issue was discovered by Mikhail Gorobets of Advanced Threat
Research, Intel Security.
Applying the attached patch resolves this issue.
xsa188.patch Xen 4.4.x
$ sha256sum xsa188*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Xenproject.org Security Team