[xen/f19] use-after-free in xc_cpupool_getinfo() under memory pressure

myoung myoung at fedoraproject.org
Wed Feb 12 21:31:35 UTC 2014


commit ee90594eb75932045843229fd68c43f8ba915851
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Wed Feb 12 21:31:25 2014 +0000

    use-after-free in xc_cpupool_getinfo() under memory pressure

 xen.spec    |    8 +++++++-
 xsa88.patch |   27 +++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 96279d3..72a48e0 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.3
-Release: 15%{?dist}
+Release: 16%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -102,6 +102,7 @@ Patch124: xsa87-4.2.patch
 Patch125: xsa84-4.2.patch
 Patch126: xsa85.patch
 Patch127: xsa86.patch
+Patch128: xsa88.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -294,6 +295,7 @@ manage Xen virtual machines.
 %patch125 -p1
 %patch126 -p1
 %patch127 -p1
+%patch128 -p1
 
 %patch100 -p1
 
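Review bot: -p1 is the right strip level for this new patch. The header of xsa88.patch below uses the a/tools/libxc/xc_cpupool.c and b/tools/libxc/xc_cpupool.c prefixes, so stripping one component lands the hunk on tools/libxc/xc_cpupool.c, the same way the neighbouring %patch125 to %patch127 lines are applied.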
@@ -787,6 +789,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Feb 12 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-16
+- use-after-free in xc_cpupool_getinfo() under memory pressure [XSA-88,
+    CVE-2014-1950] (#1064491)
+
 * Thu Feb 06 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-15
 - integer overflow in several XSM/Flask hypercalls [XSA-84, CVE-2014-1891,
     CVE-2014-1892, CVE-2014-1893, CVE-2014-1894]
diff --git a/xsa88.patch b/xsa88.patch
new file mode 100644
index 0000000..a9fc806
--- /dev/null
+++ b/xsa88.patch
@@ -0,0 +1,27 @@
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Date: Wed, 22 Jan 2014 17:47:21 +0000
+Subject: libxc: Fix out-of-memory error handling in xc_cpupool_getinfo()
+
+Avoid freeing info then returning it to the caller.
+
+This is XSA-88.
+
+Coverity-ID: 1056192
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Reviewed-by: Jan Beulich <jbeulich at suse.com>
+---
+ tools/libxc/xc_cpupool.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/libxc/xc_cpupool.c b/tools/libxc/xc_cpupool.c
+index c8c2a33..6393cfb 100644
+--- a/tools/libxc/xc_cpupool.c
++++ b/tools/libxc/xc_cpupool.c
+@@ -104,6 +104,7 @@ xc_cpupoolinfo_t *xc_cpupool_getinfo(xc_interface *xch,
+     info->cpumap = xc_cpumap_alloc(xch);
+     if (!info->cpumap) {
+         free(info);
++        info = NULL;
+         goto out;
+     }
+     info->cpupool_id = sysctl.u.cpupool_op.cpupool_id;
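Review bot: the one-line fix is correct for what is visible, but the hunk ends before the `out:` label, so confirm that the code at `out:` does nothing with `info` other than return it. Before this change the function executed `free(info);` and then `goto out;` with `info` still pointing at the freed block, so the caller received a non-NULL pointer to freed memory and, seeing a non-NULL result, would read `info->cpumap` or free it a second time; after the change the caller gets NULL, which is the documented "allocation failed" result it already has to handle. Two things to verify against the full file: that the earlier allocation of `info` (the `!info` check above this hunk) also leaves `info` NULL on its own failure path, so both paths return the same value, and that no other `free(info); goto out;` sequence exists elsewhere in the function with the same defect, since the Coverity finding (1056192) names only this site.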