XSA-69

CVE-2013-4370


Problem description

http://xenbits.xen.org/xsa/advisory-69.html

misplaced free in ocaml xc_vcpu_getaffinity stub

The ocaml binding for the xc_vcpu_getaffinity function incorrectly frees a pointer before using it and subsequently frees it again afterwards. The code therefore contains use-after-free and double-free flaws.

logic error (use-after-free, double-free)


Patch description

http://xenbits.xen.org/xsa/xsa69.patch

tools/ocaml: fix erroneous free of cpumap in stub_xc_vcpu_getaffinity

--- a/tools/ocaml/libs/xc/xenctrl_stubs.c
+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
@@ -461,8 +461,6 @@ CAMLprim value stub_xc_vcpu_getaffinity(value xch, value domid,
 
    retval = xc_vcpu_getaffinity(_H(xch), _D(domid),
                                 Int_val(vcpu), c_cpumap);
-   free(c_cpumap);
-
    if (retval < 0) {
        free(c_cpumap);
        failwith_xc(_H(xch));
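Review bot: the removed `free(c_cpumap);` sat directly before the `if (retval < 0)` block that frees the same buffer again, so on the error path the buffer was released twice, and on the success path the later code that reads the cpumap into the OCaml result (below this hunk) was operating on freed memory. After the removal, the `free(c_cpumap);` inside the error branch is the only release on that path, which is correct; it is worth confirming in the unchanged remainder of the function, which this hunk does not show, that the success path still frees `c_cpumap` after it has been consumed, so the fix does not trade a double free for a leak.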

An inexplicable extra free…


Consequence

An attacker may be able to cause a multithreaded toolstack written in ocaml and using this function to race against itself leading to heap corruption and a potential DoS.

heap corruption, DoS