Bug 842514 (CVE-2013-4371) - VUL-0: CVE-2013-4371: XSA-70: xen: use-after-free in libxl_list_cpupool under memory pressure
Status: RESOLVED FIXED
Alias: CVE-2013-4371
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:running:54856:moderate maint:r...
Reported: 2013-09-26 11:28 UTC by Alexander Bergmann
Modified: 2015-02-19 01:32 UTC
Comment 2 Swamp Workflow Management 2013-09-26 22:00:34 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-10-10 13:37:01 UTC
is public now

             Xen Security Advisory CVE-2013-4371 / XSA-70
                               version 2

      use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails then libxl_list_cpupool will incorrectly return
the now-free original pointer.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.
Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa70.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56  xsa70.patch
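
Added example, not part of the advisory and not libxl code: a simplified C model of the error path in the issue description above (a list grown with realloc, where a failed allocation frees the old block but the function still returns it), beside a corrected form. All names (`list_buggy`, `list_fixed`, `xrealloc`, `xfree`, `returns_freed`) are hypothetical, and the constructed test allocator quarantines freed blocks instead of releasing them so the check can compare addresses safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical test allocator: fails request fail_at, quarantines freed blocks. */
static int fail_at = -1, calls;
static void *quarantined;
static void *xrealloc(void *p, size_t n) {
    return (calls++ == fail_at) ? NULL : realloc(p, n);
}
static void xfree(void *p) { quarantined = p; }   /* logically freed */
static void reset(int fail) {
    free(quarantined); quarantined = NULL; fail_at = fail; calls = 0;
}

/* Flawed error path: the old block is freed, yet ptr is still returned. */
static int *list_buggy(int want, int *n_out) {
    int *ptr = NULL, *tmp, i;
    for (i = 0; i < want; i++) {
        tmp = xrealloc(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) { xfree(ptr); break; }          /* ptr now dangles */
        ptr = tmp; ptr[i] = i;
    }
    *n_out = i;
    return ptr;
}

/* Corrected error path: drop the stale pointer and report an empty list. */
static int *list_fixed(int want, int *n_out) {
    int *ptr = NULL, *tmp, i;
    for (i = 0; i < want; i++) {
        tmp = xrealloc(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) { xfree(ptr); ptr = NULL; i = 0; break; }
        ptr = tmp; ptr[i] = i;
    }
    *n_out = i;
    return ptr;
}

/* Returns 1 if fn hands back a block it has already freed. */
static int returns_freed(int *(*fn)(int, int *), int want, int fail) {
    int n, *p;
    reset(fail); p = fn(want, &n);
    if (p != NULL && (void *)p == quarantined) return 1;  /* released at next reset */
    free(p);                                      /* live block or NULL */
    return 0;
}
int main(void) {
    printf("%d %d\n", returns_freed(list_buggy, 4, 2), returns_freed(list_fixed, 4, 2));
}
```

With the third allocation forced to fail, the flawed variant returns a non-NULL pointer and a count of 2 for a block that is already freed; the corrected variant returns NULL and a count of 0.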
Comment 5 Marcus Meissner 2013-11-27 10:29:28 UTC
released
Comment 6 Swamp Workflow Management 2013-11-27 13:04:00 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 7 Swamp Workflow Management 2013-12-25 17:07:59 UTC
openSUSE-SU-2013:1953-1: An update that solves 9 vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 828623,833251,833483,833796,834751,835896,836239,839596,839600,840196,840592,841766,842511,842512,842513,842514,842515,845520
CVE References: CVE-2013-1442,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4369,CVE-2013-4370,CVE-2013-4371,CVE-2013-4375,CVE-2013-4416
Sources used:
openSUSE 12.3 (src):    xen-4.2.3_01-1.22.4