CVE-2014-1642
http://xenbits.xen.org/xsa/advisory-83.html
Out-of-memory condition yielding memory corruption during IRQ setup
When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption.
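As an added illustration (not Xen code and not part of the advisory), the following constructed C model shows the error-path shape the advisory describes: a first allocation succeeds, a second one fails under memory pressure, the first is released on the spot, and a shared cleanup label then reads through and releases it again. The names `bind_buggy`, `bind_fixed`, `alloc_action`, `alloc_mask`, `commit_action`, the fault-injection knob and the counters are assumptions made for this example; a real allocator would corrupt its heap where the model only increments a counter.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed model of the error-path shape described above; it is not Xen
 * code. A first allocation (the action) succeeds, a second one (its CPU mask)
 * fails under memory pressure, the action is released on the spot, and a
 * shared cleanup label then touches the released action again. */

typedef struct {
    unsigned long *cpu_eoi_map;   /* stands in for the separately allocated cpumask */
} action_t;

/* Fault-injection knob and counters (instrumentation for this example only). */
static int inject_mask_failure;   /* 1: the second allocation fails */
static int uaf_count;             /* dereferences of an already released action */
static int double_free_count;     /* second releases of the same action */
static void *released;            /* last released action, used to detect the above */

static void reset_model(int fail_mask)
{
    inject_mask_failure = fail_mask;
    uaf_count = 0;
    double_free_count = 0;
    released = NULL;
}

static action_t *alloc_action(void)
{
    action_t *a = calloc(1, sizeof *a);
    if (a != NULL && a == released)   /* allocator reused the address: live again */
        released = NULL;
    return a;
}

static unsigned long *alloc_mask(void)
{
    return inject_mask_failure ? NULL : calloc(1, sizeof(unsigned long));
}

/* Release of the action. A second release of the same object corrupts the
 * heap in a real allocator; the model only counts it. */
static void release_action(action_t *a)
{
    if (a == released) { double_free_count++; return; }
    released = a;
    free(a);
}

/* First step of the shared cleanup: it reads through the action pointer. */
static void release_mask_of(action_t *a)
{
    if (a == released) { uaf_count++; return; }   /* would read freed memory */
    free(a->cpu_eoi_map);
    a->cpu_eoi_map = NULL;
}

/* Stand-in for the success path: the model has no IRQ descriptor to own the
 * action, so it is torn down here instead. */
static int commit_action(action_t *a)
{
    release_mask_of(a);
    release_action(a);
    return 0;
}

/* Pre-fix shape: the failure jumps to the shared label while newaction is
 * still non-NULL, so the label releases it a second time. */
static int bind_buggy(void)
{
    int rc;
    action_t *newaction = alloc_action();
    if (newaction == NULL)
        return -ENOMEM;
    newaction->cpu_eoi_map = alloc_mask();
    if (newaction->cpu_eoi_map == NULL) {
        release_action(newaction);       /* released here ... */
        rc = -ENOMEM;
        goto out;                        /* ... and again at the label */
    }
    return commit_action(newaction);
out:
    if (newaction != NULL) {
        release_mask_of(newaction);      /* use after free */
        release_action(newaction);       /* double free */
    }
    return rc;
}

/* Post-fix shape: nothing else is outstanding on this path, so return
 * directly instead of visiting the shared cleanup. */
static int bind_fixed(void)
{
    action_t *newaction = alloc_action();
    if (newaction == NULL)
        return -ENOMEM;
    newaction->cpu_eoi_map = alloc_mask();
    if (newaction->cpu_eoi_map == NULL) {
        release_action(newaction);
        return -ENOMEM;
    }
    return commit_action(newaction);
}

int main(void)
{
    reset_model(1);
    (void)bind_buggy();
    /* exit status 0 only if the buggy shape tripped both detectors */
    return (uaf_count == 1 && double_free_count == 1) ? 0 : 1;
}
```

The point of the model is the invariant the fix restores: a `goto` to a shared cleanup label is only safe when every pointer the label inspects still refers to a live object, so an early release followed by a jump to that label is the defect, and a direct return on a path that has already undone its own work is the correct shape.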
improper error handling (use-after-free)
http://xenbits.xen.org/xsa/xsa83.patch
x86/irq: avoid use-after-free on error path in pirq_guest_bind()
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru
printk(XENLOG_G_INFO
"Cannot bind IRQ%d to dom%d. Out of memory.\n",
pirq->pirq, v->domain->domain_id);
- rc = -ENOMEM;
- goto out;
+ return -ENOMEM;
}
action = newaction;
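Review bot: replacing `goto out;` with `return -ENOMEM;` bypasses the shared `out:` cleanup, and this hunk does not show what that label does, so before accepting it confirm that on this path nothing acquired earlier (a lock, a reference) is still outstanding and the only step being skipped is the cleanup of the allocation that has already been released. A one-line comment above `return -ENOMEM;` stating why no cleanup is due here would keep that invariant visible to the next person editing the error paths; dropping the now-unused `rc = -ENOMEM;` along with the jump is fine.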
Malicious guest administrators can trigger a use-after-free error, resulting in hypervisor memory corruption. The effects of memory corruption could be anything, including a host-wide denial of service, or privilege escalation.
memory corruption, DoS