[Xen-changelog] [xen stable-4.4] evtchn-fifo: prevent use after free
commit dfddbf35d9df666fa731dcaf35afd8cf24ac8ecf Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Thu Sep 8 14:32:51 2016 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Sep 8 14:32:51 2016 +0200 evtchn-fifo: prevent use after free evtchn_fifo_init_control() calls evtchn_fifo_destroy() on an error path, leading to cleanup_event_array() which frees d->evtchn_fifo without also clearing the pointer. Otoh the bulk of evtchn_fifo_init_control() is dependent on d->evtchn_fifo being NULL. This is XSA-188 / CVE-2016-7154. Reported-by: Mikhail V Gorobets <mikhail.v.gorobets@xxxxxxxxx> Suggested-by: Mikhail V Gorobets <mikhail.v.gorobets@xxxxxxxxx> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- xen/common/event_fifo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c index a443c98..93752d4 100644 --- a/xen/common/event_fifo.c +++ b/xen/common/event_fifo.c @@ -482,6 +482,7 @@ static void cleanup_event_array(struct domain *d) for ( i = 0; i < EVTCHN_FIFO_MAX_EVENT_ARRAY_PAGES; i++ ) unmap_guest_page(d->evtchn_fifo->event_array[i]); xfree(d->evtchn_fifo); + d->evtchn_fifo = NULL; } static void setup_ports(struct domain *d) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.4 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
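Review bot: cleanup_event_array() still dereferences d->evtchn_fifo unconditionally in the loop (`unmap_guest_page(d->evtchn_fifo->event_array[i])`), so with the pointer now cleared after `xfree()`, a second call on the same domain becomes a NULL dereference instead of a use after free. If nothing outside the visible context already guarantees the function runs at most once per allocation, consider an early `if ( !d->evtchn_fifo ) return;` at the top, or have the caller check before invoking it. A short comment next to `d->evtchn_fifo = NULL;` noting that evtchn_fifo_init_control() relies on the pointer being NULL, as the commit message explains, would help keep the invariant from being dropped later.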