Bugzilla – Bug 860092
VUL-0: CVE-2014-1642: xen: XSA-83: Out-of-memory condition yielding memory corruption during IRQ setup
Last modified: 2014-04-01 12:04:05 UTC
Xen Security Advisory XSA-83
version 2

Out-of-memory condition yielding memory corruption during IRQ setup

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption.

IMPACT
======

Malicious guest administrators can trigger a use-after-free error, resulting in hypervisor memory corruption. The effects of memory corruption could be anything, including a host-wide denial of service, or privilege escalation.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems making use of device passthrough are vulnerable.

Only systems with a 64-bit hypervisor configured to support more than 128 CPUs or with a 32-bit hypervisor configured to support more than 64 CPUs are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on systems supporting Intel VT-d or AMD Vi.

CREDITS
=======

This issue was discovered by Coverity Scan, prompted by modelling improvements contributed by Andrew Cooper. The issue was diagnosed by Matthew Daley and Andrew Cooper. The patch was prepared by Andrew Cooper.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa83.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa83*.patch
71ba62c024ed867f99f335ed63d7e04a7981d348cc29a3718e5c48f15a1e0fb1  xsa83.patch
$
Created attachment 575537 [details] xsa83.patch for Xen 4.2.x, Xen 4.3.x, xen-unstable
*** Bug 858496 has been marked as a duplicate of this bug. ***
CVE-2014-1642 was assigned to this issue.
bugbot adjusting priority
"Xen 4.2.x and later are vulnerable." This affects SLE11-SP3, openSUSE:12.3 and openSUSE:13.1. "Xen 4.1.x and earlier are not vulnerable."
Xen package submitted for this bug with the following requests:
SUSE:SLE-11-SP3:Update:Test: SR#33408
openSUSE:13.1:Update: MR#223835
openSUSE:12.3:Update: MR#223847
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_02-0.7.1
Fixed and released. Closing Bug.