CVE-2013-4371
http://xenbits.xen.org/xsa/advisory-70.html
use-after-free in libxl_list_cpupool under memory pressure
If realloc(3) fails, libxl_list_cpupool incorrectly returns the original pointer, which has by then been freed.
improper error handling (use-after-free)
http://xenbits.xen.org/xsa/xsa70.patch
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -651,6 +651,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool_out)
if (!tmp) {
LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
libxl_cpupoolinfo_list_free(ptr, i);
+ ptr = NULL;
goto out;
}
ptr = tmp;
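Review bot: in the `if (!tmp)` branch, nothing in the visible lines sets `*nb_pool_out` before `goto out`, so a caller that reads the count without first checking for a NULL return could still act on a stale or uninitialised value. Consider setting `*nb_pool_out = 0` next to `ptr = NULL;`, and documenting at the function that NULL is returned on allocation failure. A short comment on the new line saying that `ptr` was just released by `libxl_cpupoolinfo_list_free(ptr, i)` would also help keep the assignment from being dropped in a later cleanup.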
An attacker may be able to cause a multithreaded toolstack that uses this function to race against itself, leading to heap corruption and a potential DoS.
heap corruption, DoS
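The error path described above, reduced to a self-contained sketch with an injected realloc failure. This is an added example, not libxl code: `pool_info`, `list_pools`, `try_realloc`, the `patched` switch and the quarantine helpers are hypothetical names, and the real `free()` is deferred so the stale pointer can be inspected without touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct { int poolid; } pool_info;  /* hypothetical stand-in for libxl_cpupoolinfo */

static int fail_at = -1;   /* fault injection: loop step at which realloc "fails" */
static void *quarantine;   /* block released by list_free(); really freed by flush() */

static void *try_realloc(void *p, size_t sz, int step) {
    return step == fail_at ? NULL : realloc(p, sz);
}
/* Deferring the real free() lets the demo inspect a stale pointer safely. */
static void list_free(pool_info *list) { quarantine = list; }
int is_released(const void *p) { return p != NULL && p == quarantine; }
void flush(void) { free(quarantine); quarantine = NULL; }

/* Grow a list one entry per step; patched != 0 adds the "ptr = NULL" line. */
pool_info *list_pools(int n, int patched, int *nb_out) {
    pool_info *ptr = NULL, *tmp;
    int i;
    *nb_out = 0;
    for (i = 0; i < n; i++) {
        tmp = try_realloc(ptr, (i + 1) * sizeof(*ptr), i);
        if (!tmp) {
            list_free(ptr);    /* a failed realloc leaves the old block allocated */
            if (patched)
                ptr = NULL;    /* without this, the released block is returned */
            goto out;
        }
        ptr = tmp;
        ptr[i].poolid = i;
    }
    *nb_out = i;
out:
    return ptr;
}

int main(void) {
    int n;
    fail_at = 2;               /* constructed scenario: third growth step fails */
    pool_info *p = list_pools(4, 0, &n);
    printf("unpatched: returned released block? %s\n", is_released(p) ? "yes" : "no");
    flush();
    p = list_pools(4, 1, &n);
    printf("patched:   returned %s\n", p ? "non-NULL" : "NULL");
    flush();
    return 0;
}
```

Running a real allocation-failure test of this kind against an error path (fault injection under a sanitizer build) is what catches the stale return before a caller frees or reuses it.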