[xen] security patch for CVE-2013-1920 / XSA-47

myoung myoung at fedoraproject.org
Thu Apr 4 21:39:25 UTC 2013


commit db9701a979f8202b0bfd1104f147026284d79dd7
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Thu Apr 4 22:37:11 2013 +0100

    security patch for CVE-2013-1920 / XSA-47

 xen.spec                 |    7 ++++++-
 xsa47-4.2-unstable.patch |   31 +++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 345403a..c993725 100644
--- a/xen.spec
+++ b/xen.spec
@@ -84,6 +84,7 @@ Patch62: man.formatting.patch
 Patch63: xsa41.patch
 Patch64: xsa38.patch
 Patch65: gcc48.build.patch
+Patch66: xsa47-4.2-unstable.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -258,6 +259,7 @@ manage Xen virtual machines.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
 
 %patch100 -p1
 
@@ -748,7 +750,10 @@ rm -rf %{buildroot}
 
 %changelog
 * Thu Apr 04 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.1-10
-- make xendomains systemd script executable and update it from init.d version
+- make xendomains systemd script executable and update it from
+  init.d version (#919705)
+- Potential use of freed memory in event channel operations [XSA-47,
+  CVE-2013-1920]
 
 * Thu Feb 21 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.1-9
 - patch for [XSA-36, CVE-2013-0153] can cause boot time crash
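Review bot: The XSA-47 changelog lines are added under the existing `* Thu Apr 04 2013 ... - 4.2.1-10` stanza, and the six added and one removed lines in the xen.spec diffstat are all accounted for by the three hunks shown, so Release is not bumped for this security fix. If 4.2.1-10 has already been built, a package with the fix cannot be told apart by version from one without it; consider bumping the release and giving the CVE its own changelog stanza. The rewording of the xendomains entry to add (#919705) is unrelated to the CVE and would be easier to audit as a separate commit.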
diff --git a/xsa47-4.2-unstable.patch b/xsa47-4.2-unstable.patch
new file mode 100644
index 0000000..7ebb8c8
--- /dev/null
+++ b/xsa47-4.2-unstable.patch
@@ -0,0 +1,31 @@
+defer event channel bucket pointer store until after XSM checks
+
+Otherwise a dangling pointer can be left, which would cause subsequent
+memory corruption as soon as the space got re-allocated for some other
+purpose.
+
+This is CVE-2013-1920 / XSA-47.
+
+Reported-by: Wei Liu <wei.liu2 at citrix.com>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -140,7 +140,6 @@ static int get_free_port(struct domain *
+     chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET);
+     if ( unlikely(chn == NULL) )
+         return -ENOMEM;
+-    bucket_from_port(d, port) = chn;
+ 
+     for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
+     {
+@@ -153,6 +152,8 @@ static int get_free_port(struct domain *
+         }
+     }
+ 
++    bucket_from_port(d, port) = chn;
++
+     return port;
+ }
+ 
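Review bot: In the second hunk of the embedded patch, the relocated `bucket_from_port(d, port) = chn;` has no comment explaining that it must stay after the loop. The ordering is the entire fix (the description says the store is deferred until after the XSM checks so that no dangling pointer is left), so a one-line comment at the new location would keep a later cleanup from hoisting it back next to the `xzalloc_array()` call. The failure path inside the loop is not visible in the context lines; it is worth confirming when applying that it releases `chn` before returning, since after this change nothing else references the allocation at that point.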

