use-after-free in libxl_list_cpupool under memory pressure

2013-10-10T12:00:00
ID XSA-70
Type xen
Reporter Xen Project
Modified 2013-10-10T12:22:00

Description

ISSUE DESCRIPTION

If realloc(3) fails, libxl_list_cpupool will incorrectly return the now-freed original pointer.
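A reduced C illustration of this error path beside a hardened form, added here as an example; it is not libxl's code. All names (`pool_info`, `list_pools_buggy`, `list_pools_fixed`, `q_realloc`, `q_free`, `returns_freed_block`) are hypothetical, and `q_free` only quarantines the block so the check never touches freed memory.

```c
#include <stdlib.h>
/* Constructed test doubles: a realloc that fails on demand and a free that
 * only quarantines the block, so "was it freed?" can be checked safely. */
static int calls, fail_at;      /* fail the fail_at-th realloc (0-based) */
static void *quarantined;       /* block handed to q_free, if any */

static void *q_realloc(void *p, size_t n) {
    return (calls++ == fail_at) ? NULL : realloc(p, n);
}
static void q_free(void *p) { quarantined = p; }
typedef struct { int poolid; } pool_info;   /* hypothetical element type */

/* Bug pattern from the advisory: the error path frees the array, but the
 * function still returns the stale pointer. */
pool_info *list_pools_buggy(int want, int *n_out) {
    pool_info *ptr = NULL, *tmp; int i;
    for (i = 0; i < want; i++) {
        tmp = q_realloc(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) { q_free(ptr); goto out; }    /* ptr is now dangling */
        ptr = tmp;
        ptr[i].poolid = i;
    }
    *n_out = i;
out:
    return ptr;
}

/* Hardened form: the error path returns NULL and a zero count. */
pool_info *list_pools_fixed(int want, int *n_out) {
    pool_info *ptr = NULL, *tmp; int i;
    for (i = 0; i < want; i++) {
        tmp = q_realloc(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) { q_free(ptr); ptr = NULL; i = 0; break; }
        ptr = tmp;
        ptr[i].poolid = i;
    }
    *n_out = i;
    return ptr;
}

/* Returns 1 if fn hands the caller a block it has already freed. */
int returns_freed_block(pool_info *(*fn)(int, int *), int want, int fail) {
    int n = 0, stale;
    calls = 0; fail_at = fail; quarantined = NULL;
    pool_info *p = fn(want, &n);
    stale = (p != NULL && p == quarantined);
    free(stale ? NULL : p);     /* release whichever blocks are still live */
    free(quarantined);
    return stale;
}
```

Passing a `fail` value of -1 to `returns_freed_block` disables the injected failure, which exercises the normal path of either function.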

IMPACT

An attacker may be able to cause a multithreaded toolstack using this function to race against itself, leading to heap corruption and a potential DoS. Depending on the malloc implementation, code execution cannot be ruled out.

VULNERABLE SYSTEMS

The flaw is present in Xen 4.2 onwards. Systems using the libxl toolstack library are vulnerable.