Bugzilla – Bug 861256
VUL-0: CVE-2014-1950: xen: XSA-88: use-after-free in xc_cpupool_getinfo() under memory pressure
Last modified: 2015-02-19 01:47:47 UTC
Created attachment 576492
xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x
bugbot adjusting priority
public now:

Xen Security Advisory XSA-88
version 2

use-after-free in xc_cpupool_getinfo() under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If xc_cpumap_alloc() fails then xc_cpupool_getinfo() will free and
incorrectly return the then-free pointer to the result structure.

IMPACT
======

An attacker may be able to cause a multi-threaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation, privilege escalation cannot be
ruled out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.1 onwards.

Only multithreaded toolstacks are vulnerable.

Only systems where management functions (such as domain creation) are
exposed to untrusted users are vulnerable.

xl is not multithreaded, so is not vulnerable. However, multithreaded
toolstacks using libxl as a library are vulnerable.

xend is vulnerable.

MITIGATION
==========

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa88.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa88*.patch
7a73ca9db19a9ffe6e8cd259fa71dc1299738f26fa024303f4ab38931db75f14  xsa88.patch
$
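The error path the advisory describes, as an added example that is not part of the bug report or of Xen's own libxc code: a simplified C model of xc_cpupool_getinfo() in its vulnerable shape beside the fixed shape. The pool_info_t struct, the cpumap_alloc() stand-in and its oom fault-injection flag are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct {            /* simplified result structure, not libxc's */
    uint32_t cpupool_id;
    uint8_t *cpumap;
} pool_info_t;

/* Stand-in for xc_cpumap_alloc(); 'oom' is constructed fault injection
 * that simulates the allocation failing under memory pressure. */
static uint8_t *cpumap_alloc(bool oom)
{
    return oom ? NULL : calloc(16, 1);
}

/* Vulnerable shape: the error path frees the result but lets the dangling
 * pointer fall through to a caller who cannot tell it from success and
 * may then read, or free again, memory that is already free. */
pool_info_t *getinfo_vulnerable(uint32_t id, bool oom)
{
    pool_info_t *info = calloc(1, sizeof(*info));
    if (!info)
        return NULL;
    info->cpupool_id = id;
    info->cpumap = cpumap_alloc(oom);
    if (!info->cpumap)
        free(info); /* BUG: the freed pointer is still returned below */
    return info;
}

/* Fixed shape: clear the pointer after freeing, so failure reaches the
 * caller as the NULL it already tests for. */
pool_info_t *getinfo_fixed(uint32_t id, bool oom)
{
    pool_info_t *info = calloc(1, sizeof(*info));
    if (!info)
        return NULL;
    info->cpupool_id = id;
    info->cpumap = cpumap_alloc(oom);
    if (!info->cpumap) {
        free(info);
        info = NULL; /* never hand a freed pointer back to the caller */
    }
    return info;
}
```

A caller of the fixed variant frees the cpumap and then the structure on success; the vulnerable variant's non-NULL return on failure is exactly the dangling pointer the advisory describes, so it must never be dereferenced or freed.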
CVE-2014-1950 was assigned to this issue.
Xen package submitted for this bug with the following requests:

SUSE:SLE-11-SP3:Update:Test: SR#33408
SUSE:SLE-11-SP2:Update:Test: SR#33409
openSUSE:13.1:Update: MR#223835
openSUSE:12.3:Update: MR#223847
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, x86_64)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
SUSE-SU-2014:0372-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 831120,833483,842417,846849,848014,849667,849668,853049,860163,860302,861256
CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_06-0.5.1
SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_02-0.7.1
released
openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
openSUSE 12.3 (src): xen-4.2.4_02-1.26.2