use after free in FIFO event channel code

2016-09-08T12:00:00
ID XSA-188
Type xen
Reporter Xen Project
Modified 2016-09-08T12:00:00

Description

ISSUE DESCRIPTION

When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding the non-NULL pointer, continue operation assuming it points to allocated memory.

IMPACT

A malicious guest administrator can crash the host, leading to a DoS. Arbitrary code execution (and therefore privilege escalation), and information leaks, cannot be excluded.

VULNERABLE SYSTEMS

Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as Xen versions 4.3 and earlier are not vulnerable.