Xen Security Advisory 47 (CVE-2013-1920) - Potential use of freed memory in event channel operations

             Xen Security Advisory CVE-2013-1920 / XSA-47

        Potential use of freed memory in event channel operations

ISSUE DESCRIPTION
=================

Wrong ordering of operations upon extending the per-domain event
channel tracking table can cause a pointer to freed memory to be left
in place, when the hypervisor is under memory pressure and XSM (Xen
Security Module) is enabled.
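The ordering problem described above, modelled as an added example (this is not Xen code): a bucket of channel entries is allocated, each entry passes through a per-channel security check that can fail, and the failure path frees the bucket. `struct domain`, `xsm_check` and `extend_bucket` are constructed stand-ins for Xen's domain structure, its XSM hook and get_free_port(); the `publish_early` flag selects the pre-patch ordering so the two behaviours can be compared.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define EVTCHNS_PER_BUCKET 4
#define NR_BUCKETS 2

struct evtchn { int port; };

/* Toy per-domain state: bucket[] stands in for the table that
 * bucket_from_port() indexes in Xen; xsm_fails is a constructed knob. */
struct domain {
    struct evtchn *bucket[NR_BUCKETS];
    bool xsm_fails;
};

/* Stand-in for the per-channel XSM hook run inside get_free_port()'s loop. */
static int xsm_check(const struct domain *d, const struct evtchn *chn)
{
    return (d->xsm_fails && chn != NULL) ? -ENOMEM : 0;
}

/* Model of get_free_port() growing the table by one bucket b.
 * publish_early == true is the pre-XSA-47 ordering, false the patched one. */
static int extend_bucket(struct domain *d, int b, bool publish_early)
{
    struct evtchn *chn = calloc(EVTCHNS_PER_BUCKET, sizeof(*chn));
    if (chn == NULL)
        return -ENOMEM;
    if (publish_early)
        d->bucket[b] = chn;  /* vulnerable: published before the checks */
    for (int i = 0; i < EVTCHNS_PER_BUCKET; i++) {
        chn[i].port = b * EVTCHNS_PER_BUCKET + i;
        int rc = xsm_check(d, &chn[i]);
        if (rc != 0) {
            free(chn);       /* failure path frees the bucket ... */
            return rc;       /* ... yet bucket[b] still holds its address */
        }
    }
    d->bucket[b] = chn;      /* fixed: publish only after every check passed */
    return b * EVTCHNS_PER_BUCKET;
}

/* True when a failed extension leaves the table pointing at freed memory. */
static bool leaves_dangling(bool publish_early)
{
    struct domain d = { .xsm_fails = true };
    return extend_bucket(&d, 1, publish_early) < 0 && d.bucket[1] != NULL;
}
```

With the pre-patch ordering the table keeps the freed address, which is exactly what a later allocation of that memory turns into the corruption the advisory describes.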

IMPACT
======

Malicious guest kernels could inject arbitrary events or corrupt other
hypervisor state, possibly leading to code execution.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.2 onwards are vulnerable when making use of
XSM.  Configurations without XSM or with a dummy module are not
affected.

MITIGATION
==========

Running without XSM (which is the default) will avoid this
vulnerability, albeit doing so will likely lower overall security of
systems that would otherwise have XSM enabled.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa47-4.1.patch             Xen 4.1.x
xsa47-4.2-unstable.patch    Xen 4.2.x and xen-unstable

$ sha256sum xsa47*.patch
e49a03e0693de07ec1418eb16191854458e72088febd6948ea5bc1f900a1853a  xsa47-4.1.patch
c29b59492f9d7e3f74bfc41877a2c5cff70436d3738fd91066f396f969aab0a7  xsa47-4.2-unstable.patch
$



xsa47-4.1.patch
Description:

defer event channel bucket pointer store until after XSM checks

Otherwise a dangling pointer can be left, which would cause subsequent
memory corruption as soon as the space got re-allocated for some other
purpose.

This is CVE-2013-1920 / XSA-47.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>

--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -104,7 +104,6 @@ static int get_free_port(struct domain *
     if ( unlikely(chn == NULL) )
         return -ENOMEM;
     memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
-    bucket_from_port(d, port) = chn;

     for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
     {
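Review bot: with the store removed here, `chn` is owned solely by this function until the loop below completes, so the loop's failure branch must free it itself and must not reach it through bucket_from_port(d, port); that branch lies outside the shown context, so please confirm it calls xfree(chn) directly.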
@@ -117,6 +116,8 @@ static int get_free_port(struct domain *
         }
     }

+    bucket_from_port(d, port) = chn;
+
     return port;
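Review bot: the hunk header announces eight new-side lines but only six follow it, so the trailing context (the function's closing brace) appears to have been cut off; verify the patch file itself is complete and applies cleanly. A short comment above `bucket_from_port(d, port) = chn;` stating that the pointer is published only once every entry has passed its XSM check would stop a later refactor from moving it back up.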


xsa47-4.2-unstable.patch
Description:

defer event channel bucket pointer store until after XSM checks

Otherwise a dangling pointer can be left, which would cause subsequent
memory corruption as soon as the space got re-allocated for some other
purpose.

This is CVE-2013-1920 / XSA-47.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>

--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -140,7 +140,6 @@ static int get_free_port(struct domain *
     chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET);
     if ( unlikely(chn == NULL) )
         return -ENOMEM;
-    bucket_from_port(d, port) = chn;

     for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
     {
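Review bot: same ownership point as in the 4.1 version: between xzalloc_array() and the deferred store nothing in `d` references `chn`, so any code in the loop that previously reached the new bucket through the table rather than via `chn` directly would now see the old NULL entry; confirm the loop body only touches `chn[i]`.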
@@ -153,6 +152,8 @@ static int get_free_port(struct domain *
         }
     }

+    bucket_from_port(d, port) = chn;
+
     return port;
 }
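Review bot: the change is correct and matches the 4.1 patch line for line; as there, `bucket_from_port(d, port) = chn;` would benefit from a one-line comment recording that it must stay after the XSM loop, since the ordering is the whole fix and nothing else in the function enforces it.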



