[xen] security patch for CVE-2013-1920 / XSA-47
myoung
myoung at fedoraproject.org
Thu Apr 4 21:39:25 UTC 2013
commit db9701a979f8202b0bfd1104f147026284d79dd7
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Thu Apr 4 22:37:11 2013 +0100
security patch for CVE-2013-1920 / XSA-47
xen.spec | 7 ++++++-
xsa47-4.2-unstable.patch | 31 +++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 345403a..c993725 100644
--- a/xen.spec
+++ b/xen.spec
@@ -84,6 +84,7 @@ Patch62: man.formatting.patch
Patch63: xsa41.patch
Patch64: xsa38.patch
Patch65: gcc48.build.patch
+Patch66: xsa47-4.2-unstable.patch
Patch100: xen-configure-xend.patch
@@ -258,6 +259,7 @@ manage Xen virtual machines.
%patch63 -p1
%patch64 -p1
%patch65 -p1
+%patch66 -p1
%patch100 -p1
@@ -748,7 +750,10 @@ rm -rf %{buildroot}
%changelog
* Thu Apr 04 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.1-10
-- make xendomains systemd script executable and update it from init.d version
+- make xendomains systemd script executable and update it from
+ init.d version (#919705)
+- Potential use of freed memory in event channel operations [XSA-47,
+ CVE-2013-1920]
* Thu Feb 21 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.1-9
- patch for [XSA-36, CVE-2013-0153] can cause boot time crash
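Review bot: The XSA-47 line in %changelog is appended to the existing 4.2.1-10 stanza, and the xen.spec diffstat (6 insertions, 1 deletion) is fully accounted for by the Patch66, %patch66 and changelog lines, so Release is not bumped in this commit. If 4.2.1-10 has already been built, the security fix would ship under a version-release that also exists without it; a new 4.2.1-11 stanza would let admins and scanners tell patched from unpatched packages. The reworded xendomains line, which adds (#919705), is unrelated to the CVE and would be easier to audit as a separate commit.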
diff --git a/xsa47-4.2-unstable.patch b/xsa47-4.2-unstable.patch
new file mode 100644
index 0000000..7ebb8c8
--- /dev/null
+++ b/xsa47-4.2-unstable.patch
@@ -0,0 +1,31 @@
+defer event channel bucket pointer store until after XSM checks
+
+Otherwise a dangling pointer can be left, which would cause subsequent
+memory corruption as soon as the space got re-allocated for some other
+purpose.
+
+This is CVE-2013-1920 / XSA-47.
+
+Reported-by: Wei Liu <wei.liu2 at citrix.com>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -140,7 +140,6 @@ static int get_free_port(struct domain *
+ chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET);
+ if ( unlikely(chn == NULL) )
+ return -ENOMEM;
+- bucket_from_port(d, port) = chn;
+
+ for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
+ {
+@@ -153,6 +152,8 @@ static int get_free_port(struct domain *
+ }
+ }
+
++ bucket_from_port(d, port) = chn;
++
+ return port;
+ }
+
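Review bot: The relocated store "bucket_from_port(d, port) = chn;" just before "return port;" carries no code comment saying why it must follow the loop, so a later cleanup could move it back ahead of the checks and reintroduce the dangling pointer the description warns about. Suggest a one-line comment at the store stating that the bucket pointer is published only after every per-channel step in the loop has succeeded. The loop's failure path lies outside the visible context; it is worth confirming that it releases chn and returns without touching the bucket slot, since after this change chn is only a local until the final store.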