Bug 842513 (CVE-2013-4370) - VUL-0: CVE-2013-4370: XSA-69: xen: misplaced free in ocaml xc_vcpu_getaffinity stub
Status: RESOLVED FIXED
Alias: CVE-2013-4370
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:running:54856:moderate maint:r...
Reported: 2013-09-26 11:28 UTC by Alexander Bergmann
Modified: 2015-02-19 01:32 UTC
Comment 2 Swamp Workflow Management 2013-09-26 22:00:28 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-10-10 13:30:10 UTC
is public now

             Xen Security Advisory CVE-2013-4370 / XSA-69
                               version 2

           misplaced free in ocaml xc_vcpu_getaffinity stub

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it and subsequently freeing it again
afterwards. The code therefore contains use-after-free and
double-free flaws.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself leading to heap
corruption and a potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================
The flaw is present in Xen 4.2 onwards.

Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.

MITIGATION
==========

Not calling the vcpu_getaffinity function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa69.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc  xsa69.patch
$
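
The ordering named in the issue description (free, use, free again) next to the corrected ordering, as an added illustration that is not Xen's stub code and not part of the advisory. The quarantine allocator and all names (`q_alloc`, `q_free`, `q_read`, `fill_map`, `NCPU`, the `stub_*` functions) are constructed for this example; the allocator poisons instead of releasing so both orderings can be run and counted safely.

```c
#include <stdio.h>
#include <string.h>
#define NCPU 8 /* constructed size, not a Xen constant */
/* Constructed one-slot quarantine allocator: free poisons the buffer instead
 * of releasing it, so the bad ordering is observable without real UB. */
static unsigned char slot[NCPU];
static int live, uaf_reads, double_frees;
static unsigned char *q_alloc(void) { memset(slot, 0, NCPU); live = 1; return slot; }
static void q_free(unsigned char *p) {
    if (!live) { double_frees++; return; }  /* buffer was already freed */
    memset(p, 0xDD, NCPU); live = 0;        /* poison so stale reads show */
}
static unsigned char q_read(const unsigned char *p, int i) {
    if (!live) uaf_reads++;                 /* read of freed memory */
    return p[i];
}

/* Hypothetical stand-in for the library call that fills the CPU map. */
static void fill_map(unsigned char *m) { for (int i = 0; i < NCPU; i++) m[i] = (i % 2 == 0); }

/* Ordering from the issue description: free, use, then free again. */
static void stub_misplaced_free(unsigned char out[NCPU]) {
    unsigned char *map = q_alloc();
    fill_map(map);
    q_free(map);                            /* misplaced: too early */
    for (int i = 0; i < NCPU; i++) out[i] = q_read(map, i);
    q_free(map);                            /* second free of same buffer */
}

/* Corrected ordering: copy the result out first, then free exactly once. */
static void stub_fixed(unsigned char out[NCPU]) {
    unsigned char *map = q_alloc();
    fill_map(map);
    for (int i = 0; i < NCPU; i++) out[i] = q_read(map, i);
    q_free(map);
}

/* Runs one variant with fresh counters; returns uaf_reads * 100 + double_frees. */
static int run(int fixed, unsigned char out[NCPU]) {
    uaf_reads = double_frees = 0;
    if (fixed) stub_fixed(out); else stub_misplaced_free(out);
    return uaf_reads * 100 + double_frees;
}

int main(void) {
    unsigned char out[NCPU];
    printf("misplaced=%d fixed=%d\n", run(0, out), run(1, out));
    return 0;
}
```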
Comment 5 Marcus Meissner 2013-11-27 10:29:14 UTC
released
Comment 6 Swamp Workflow Management 2013-11-27 13:03:56 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 7 Swamp Workflow Management 2013-12-25 17:07:49 UTC
openSUSE-SU-2013:1953-1: An update that solves 9 vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 828623,833251,833483,833796,834751,835896,836239,839596,839600,840196,840592,841766,842511,842512,842513,842514,842515,845520
CVE References: CVE-2013-1442,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4369,CVE-2013-4370,CVE-2013-4371,CVE-2013-4375,CVE-2013-4416
Sources used:
openSUSE 12.3 (src):    xen-4.2.3_01-1.22.4