CVE-2015-0361
http://xenbits.xen.org/xsa/advisory-116.html
Xen crash due to use after free on hvm guest teardown
Certain data accessible (via hypercalls) by the domain controlling the execution of an HVM domain is freed prematurely, so the respective memory regions may be read from and written to in ways unexpected by their new owner(s).
use after free
http://xenbits.xen.org/xsa/xsa116.patch
x86/HVM: prevent use-after-free when destroying a domain

hvm_domain_relinquish_resources() can free certain domain resources which can still be accessed, e.g. by HVMOP_set_param, while the domain is being cleaned up.
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -1487,9 +1487,6 @@ int hvm_domain_initialise(struct domain
void hvm_domain_relinquish_resources(struct domain *d)
{
- xfree(d->arch.hvm_domain.io_handler);
- xfree(d->arch.hvm_domain.params);
-
if ( is_pvh_domain(d) )
return;
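Review bot: because the `is_pvh_domain(d)` early return sits right below the removed `xfree()` calls, the PVH path also used to release `io_handler` and `params` here; confirm that `hvm_domain_destroy()` is reached for PVH domains as well, otherwise this move turns the use-after-free into a leak on that path.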
@@ -1511,6 +1508,9 @@ void hvm_domain_relinquish_resources(str
void hvm_domain_destroy(struct domain *d)
{
+ xfree(d->arch.hvm_domain.io_handler);
+ xfree(d->arch.hvm_domain.params);
+
hvm_destroy_cacheattr_region_list(d);
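Review bot: the two `xfree()` calls moved here carry no comment explaining why they must stay in `hvm_domain_destroy()` rather than the earlier relinquish phase; add a one-line comment such as `/* params/io_handler may still be used by HVMOP_set_param until here */` above `xfree(d->arch.hvm_domain.io_handler);` so a later cleanup does not move them back.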
The free is done when a domain is destroyed.
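The teardown ordering behind this bug, as an added example that is not Xen code: a hypothetical two-phase model in which `dom_relinquish_resources()` runs while the controlling domain can still issue `dom_set_param()` (standing in for HVMOP_set_param), and `dom_destroy()` runs last. The model's free helper clears the pointer and records the free, so the pre-XSA-116 ordering surfaces as a reported error instead of a silent use-after-free; all names, the `HVM_NR_PARAMS` size and the result codes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical model of HVM domain teardown (not Xen code). A domain goes
 * through two phases: relinquish_resources() runs while the controlling
 * domain can still issue set_param() against it; destroy() runs last, when
 * no further hypercalls can reach the domain.
 */
#define HVM_NR_PARAMS 8   /* assumed size of the per-domain parameter block */

enum teardown_order { FREE_IN_RELINQUISH, FREE_IN_DESTROY };

/* Result codes of the model's hypercall handler (assumed values). */
enum { SP_OK = 0, SP_EINVAL = -1, SP_USE_AFTER_FREE = -2 };

struct hvm_dom {
    uint64_t *params;   /* heap-allocated per-domain parameter block */
    int params_freed;   /* set once the block has been released */
    int relinquished;
    int destroyed;
};

static struct hvm_dom *dom_create(void)
{
    struct hvm_dom *d = calloc(1, sizeof *d);
    if (!d)
        return NULL;
    d->params = calloc(HVM_NR_PARAMS, sizeof *d->params);
    if (!d->params) {
        free(d);
        return NULL;
    }
    return d;
}

/* Release the block and clear the pointer so any later use is detectable. */
static void dom_free_params(struct hvm_dom *d)
{
    free(d->params);
    d->params = NULL;
    d->params_freed = 1;
}

/*
 * Model of HVMOP_set_param issued by the control domain. The real handler had
 * no liveness check, so touching a freed block was a silent use-after-free;
 * here the recorded free turns it into an error return.
 */
static int dom_set_param(struct hvm_dom *d, unsigned idx, uint64_t value)
{
    if (!d || idx >= HVM_NR_PARAMS)
        return SP_EINVAL;
    if (d->params_freed)
        return SP_USE_AFTER_FREE;
    d->params[idx] = value;
    return SP_OK;
}

/* Phase 1: the domain is still reachable through hypercalls while this runs. */
static void dom_relinquish_resources(struct hvm_dom *d, enum teardown_order o)
{
    if (o == FREE_IN_RELINQUISH)      /* pre-XSA-116 ordering */
        dom_free_params(d);
    d->relinquished = 1;
    /* other resources (page tables, I/O handlers) would be torn down here */
}

/* Phase 2: final destruction; nothing can reach the domain any more. */
static void dom_destroy(struct hvm_dom *d)
{
    if (!d->params_freed)             /* patched ordering: free here */
        dom_free_params(d);
    d->destroyed = 1;
}

/*
 * Run a teardown in the given order with one set_param arriving between the
 * two phases, as the control domain is able to do, and return its result.
 */
static int simulate_teardown(enum teardown_order o)
{
    struct hvm_dom *d = dom_create();
    if (!d)
        return SP_EINVAL;
    dom_relinquish_resources(d, o);
    int rc = dom_set_param(d, 0, 0x1234);   /* hypercall mid-teardown */
    dom_destroy(d);
    free(d);
    return rc;
}

int main(void)
{
    printf("free in relinquish: rc=%d\n", simulate_teardown(FREE_IN_RELINQUISH));
    printf("free in destroy:    rc=%d\n", simulate_teardown(FREE_IN_DESTROY));
    return 0;
}
```

Running the two orderings back to back shows the mechanism of the advisory: with the block freed in the relinquish phase, a parameter write that arrives during cleanup lands on released memory, while moving the free to the final destroy phase keeps the block valid for as long as the domain can still be addressed.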
Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system.
DoS