Xen Project XSA-47
History: Apr 04, 2013 - 5:54 p.m.

Potential use of freed memory in event channel operations

2013-04-04 17:54:00
Xen Project
xenbits.xen.org

CVSS2: 4.4 Medium
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.001 Low
Percentile: 27.9%

ISSUE DESCRIPTION

Wrong ordering of operations upon extending the per-domain event channel tracking table can cause a pointer to freed memory to be left in place, when the hypervisor is under memory pressure and XSM (Xen Security Module) is enabled.
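
The ordering problem described above, shown as a simplified C model. This is an added example, not Xen's code: the table layout, the function names and the assumption that the failing step is a per-channel security label allocation are all hypothetical, chosen to match the advisory's mention of XSM and memory pressure.

```c
#include <stdio.h>
#include <stdlib.h>

#define BUCKETS 4
#define PER_BUCKET 8
struct chan  { void *label; };               /* hypothetical per-channel security label */
struct table { struct chan *bucket[BUCKETS]; };
static int label_alloc_fails;                /* set to 1 to simulate memory pressure */

/* Stand-in for the security module's allocation step; this is the part that can fail. */
static int alloc_labels(struct chan *c) {
    void *blk = label_alloc_fails ? NULL : calloc(PER_BUCKET, 16);
    if (!blk) return -1;
    for (int i = 0; i < PER_BUCKET; i++) c[i].label = (char *)blk + 16 * i;
    return 0;
}

/* Flawed ordering: the new bucket is stored in the table before the fallible step. */
static int extend_flawed(struct table *t, int slot) {
    struct chan *c = calloc(PER_BUCKET, sizeof(*c));
    if (!c) return -1;
    t->bucket[slot] = c;                     /* visible to later lookups from here on */
    if (alloc_labels(c) < 0) { free(c); return -1; }  /* table entry still points at c */
    return 0;
}

/* Corrected ordering: complete every fallible step, then store the pointer. */
static int extend_fixed(struct table *t, int slot) {
    struct chan *c = calloc(PER_BUCKET, sizeof(*c));
    if (!c) return -1;
    if (alloc_labels(c) < 0) { free(c); return -1; }
    t->bucket[slot] = c;
    return 0;
}

/* Returns 1 if a failed extension left a non-NULL entry behind in the table. */
static int stale_after_failure(int (*extend)(struct table *, int)) {
    struct table t = {{0}};
    label_alloc_fails = 1;
    int rc = extend(&t, 0);
    label_alloc_fails = 0;
    return rc < 0 && t.bucket[0] != NULL;    /* compares the entry, never dereferences it */
}

int main(void) {
    printf("flawed ordering leaves stale entry: %d\n", stale_after_failure(extend_flawed));
    printf("fixed ordering leaves stale entry:  %d\n", stale_after_failure(extend_fixed));
    return 0;
}
```

Without a failing label allocation both orderings behave the same, which matches the advisory's statement that configurations without XSM or with a dummy module are not affected.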

IMPACT

Malicious guest kernels could inject arbitrary events or corrupt other hypervisor state, possibly leading to code execution.

VULNERABLE SYSTEMS

All Xen versions from 3.2 onwards are vulnerable when making use of XSM. Configurations without XSM or with a dummy module are not affected.

CPE Name    Operator    Version
xen         ge          3.2
