[xen] use-after-free in xc_cpupool_getinfo() under memory pressure

myoung myoung at fedoraproject.org
Wed Feb 12 19:58:03 UTC 2014


commit cf73ea59fcd3700a53e77af7191d111ae5a8c6ff
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Wed Feb 12 19:57:49 2014 +0000

    use-after-free in xc_cpupool_getinfo() under memory pressure

 xen.spec    |    8 +++++++-
 xsa88.patch |   27 +++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index ad81188..7fbee28 100644
--- a/xen.spec
+++ b/xen.spec
@@ -46,7 +46,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.3.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
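Review bot: the Release bump from 9 to 10 is consistent with the new changelog entry's `4.3.1-10`; nothing further needed in this hunk.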
@@ -111,6 +111,7 @@ Patch31: xsa87-unstable-4.3.patch
 Patch32: xsa84-unstable-4.3.patch
 Patch33: xsa85.patch
 Patch34: xsa86.patch
+Patch35: xsa88.patch
 
 Patch100: xen-configure-xend.patch
 
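Review bot: Patch35 continues the sequential XSA numbering after Patch34 and stays ahead of the Patch100 block, matching the existing layout; the same number must be applied in %prep, which the following hunk does.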
@@ -304,6 +305,7 @@ manage Xen virtual machines.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
 
 %patch100 -p1
 
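Review bot: `%patch35 -p1` is the correct strip level, since xsa88.patch uses git-style `a/` and `b/` path prefixes (`--- a/tools/libxc/xc_cpupool.c`), and placing it directly after `%patch34 -p1` keeps the XSA patches applied in declaration order.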
@@ -836,6 +838,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Feb 12 2014 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-10
+- use-after-free in xc_cpupool_getinfo() under memory pressure [XSA-88,
+    CVE-2014-1950] (#1064491)
+
 * Thu Feb 06 2014 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-9
 - integer overflow in several XSM/Flask hypercalls [XSA-84, CVE-2014-1891,
     CVE-2014-1892, CVE-2014-1893, CVE-2014-1894]
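Review bot: the changelog entry records XSA-88, CVE-2014-1950 and bug #1064491, while the header of the embedded xsa88.patch only says "This is XSA-88"; consider adding the CVE id to the patch description as well so the two records stay in sync. The four-space continuation indent matches the existing 4.3.1-9 entry.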
diff --git a/xsa88.patch b/xsa88.patch
new file mode 100644
index 0000000..a9fc806
--- /dev/null
+++ b/xsa88.patch
@@ -0,0 +1,27 @@
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Date: Wed, 22 Jan 2014 17:47:21 +0000
+Subject: libxc: Fix out-of-memory error handling in xc_cpupool_getinfo()
+
+Avoid freeing info then returning it to the caller.
+
+This is XSA-88.
+
+Coverity-ID: 1056192
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Reviewed-by: Jan Beulich <jbeulich at suse.com>
+---
+ tools/libxc/xc_cpupool.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/libxc/xc_cpupool.c b/tools/libxc/xc_cpupool.c
+index c8c2a33..6393cfb 100644
+--- a/tools/libxc/xc_cpupool.c
++++ b/tools/libxc/xc_cpupool.c
+@@ -104,6 +104,7 @@ xc_cpupoolinfo_t *xc_cpupool_getinfo(xc_interface *xch,
+     info->cpumap = xc_cpumap_alloc(xch);
+     if (!info->cpumap) {
+         free(info);
++        info = NULL;
+         goto out;
+     }
+     info->cpupool_id = sysctl.u.cpupool_op.cpupool_id;
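Review bot: the one-line fix is right for the visible path: after `free(info);` the function still jumped to `out` with `info` pointing at released memory, which is exactly the "freeing info then returning it to the caller" the description names, and `info = NULL;` makes the `out:` path hand back NULL on allocation failure instead. Since only this hunk of xc_cpupool_getinfo() is shown, it is worth confirming that the `out:` label does nothing with `info` other than return it, and that any other error exit in the function frees and NULLs the pointer the same way. The Coverity-ID and Reviewed-by trailers are present, which is good.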