[xen] Out-of-memory condition yielding memory corruption during IRQ setup

myoung myoung at fedoraproject.org
Thu Jan 23 22:01:58 UTC 2014


commit 904f9bc5ddc92ed7af79d293974d75cfbbd2053d
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Thu Jan 23 22:01:52 2014 +0000

    Out-of-memory condition yielding memory corruption during IRQ setup

 xen.spec    |    8 +++++++-
 xsa83.patch |   20 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 7be70d2..9ea1c8d 100644
--- a/xen.spec
+++ b/xen.spec
@@ -46,7 +46,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.3.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -106,6 +106,7 @@ Patch26: xsa76.patch
 Patch27: xsa82.patch
 Patch28: xsa77-unstable.patch
 Patch29: xsa80.patch
+Patch30: xsa83.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -294,6 +295,7 @@ manage Xen virtual machines.
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
 
 %patch100 -p1
 
@@ -826,6 +828,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Jan 23 2014 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-7
+- Out-of-memory condition yielding memory corruption during IRQ setup
+    [XSA-83, CVE-2014-1642] (#1057142)
+
 * Wed Dec 11 2013 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-6
 - Disaggregated domain management security status update [XSA-77]
 - IOMMU TLB flushing may be inadvertently suppressed [XSA-80, CVE-2013-6400]
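Review bot: the advisory identifiers appear only in the new `%changelog` entry (`[XSA-83, CVE-2014-1642] (#1057142)`), while the commit subject carries just the advisory title. Adding XSA-83 or the CVE id to the commit message would let the fix be located from the git history without opening the spec file. The entries visible below it keep the bracketed advisory tag on the same line as the description, so consider whether the wrapped continuation line matches the style used elsewhere in the changelog.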
diff --git a/xsa83.patch b/xsa83.patch
new file mode 100644
index 0000000..209c38b
--- /dev/null
+++ b/xsa83.patch
@@ -0,0 +1,20 @@
+x86/irq: avoid use-after-free on error path in pirq_guest_bind()
+
+This is XSA-83.
+
+Coverity-ID: 1146952
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Reviewed-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/arch/x86/irq.c
++++ b/xen/arch/x86/irq.c
+@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru
+             printk(XENLOG_G_INFO
+                    "Cannot bind IRQ%d to dom%d. Out of memory.\n",
+                    pirq->pirq, v->domain->domain_id);
+-            rc = -ENOMEM;
+-            goto out;
++            return -ENOMEM;
+         }
+ 
+         action = newaction;
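Review bot: the description of the `pirq_guest_bind()` change says only "This is XSA-83" and does not explain why `goto out` was unsafe on the out-of-memory branch, and the `out` label is outside the visible context, so the use-after-free named in the subject cannot be checked from the patch alone. Suggest one sentence in the description naming what the code at `out` touches after it has been freed, and confirming that no lock is held and nothing is left to release where `return -ENOMEM;` now exits, since the direct return skips all of the function's common exit handling. A pointer to the upstream changeset or advisory text in the patch header would also help anyone auditing this downstream copy.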

