XSA-88

CVE-2014-1950


Problem description

http://xenbits.xen.org/xsa/advisory-88.html

use-after-free in xc_cpupool_getinfo() under memory pressure

If xc_cpumap_alloc() fails, xc_cpupool_getinfo() frees the result structure and then incorrectly returns the now-freed pointer to the caller.

improper error handling (use-after-free)
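The bug class above, the error path that frees a result structure and then returns the stale pointer, reduced to a small stand-alone C program. This is an added example written for this note, not libxc code: `poolinfo_t`, `getinfo_vulnerable`, `getinfo_fixed` and the `fail_cpumap_alloc` fault-injection knob are all assumptions chosen to mirror the shape of the advisory's description, so that the dangling return can be provoked deterministically instead of waiting for real memory pressure.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-in for a libxc-style result struct that owns a
 * separately allocated CPU bitmap. Names are assumptions for this example. */
typedef struct {
    uint32_t cpupool_id;
    uint8_t *cpumap;
} poolinfo_t;

/* Fault-injection knob (constructed for this example): when non-zero the
 * bitmap allocation fails, as it would under memory pressure. */
static int fail_cpumap_alloc = 0;

static uint8_t *cpumap_alloc(size_t bytes)
{
    if (fail_cpumap_alloc)
        return NULL;
    return calloc(bytes, 1);
}

/* Vulnerable shape: on the error path the struct is freed, but the local
 * 'info' still holds the old address and that address is returned. */
poolinfo_t *getinfo_vulnerable(uint32_t id, size_t map_bytes)
{
    poolinfo_t *info = calloc(1, sizeof(*info));
    if (!info)
        return NULL;
    info->cpumap = cpumap_alloc(map_bytes);
    if (!info->cpumap) {
        free(info);
        goto out;              /* BUG: info is dangling here */
    }
    info->cpupool_id = id;
out:
    return info;
}

/* Fixed shape: clear the pointer after freeing so the caller receives NULL. */
poolinfo_t *getinfo_fixed(uint32_t id, size_t map_bytes)
{
    poolinfo_t *info = calloc(1, sizeof(*info));
    if (!info)
        return NULL;
    info->cpumap = cpumap_alloc(map_bytes);
    if (!info->cpumap) {
        free(info);
        info = NULL;           /* the fix: no stale pointer escapes */
        goto out;
    }
    info->cpupool_id = id;
out:
    return info;
}

void poolinfo_free(poolinfo_t *info)
{
    if (!info)
        return;
    free(info->cpumap);
    free(info);
}

/* Returns 1 if 'fn' hands back a non-NULL pointer when the bitmap allocation
 * is forced to fail, i.e. the caller would receive freed memory. The pointer
 * is only compared against NULL, never dereferenced or freed. */
int returns_dangling_on_alloc_failure(poolinfo_t *(*fn)(uint32_t, size_t))
{
    fail_cpumap_alloc = 1;
    poolinfo_t *p = fn(7, 64);
    fail_cpumap_alloc = 0;
    return p != NULL;
}

/* Returns 1 if the fixed function still works on the success path. */
int normal_path_ok(void)
{
    poolinfo_t *p = getinfo_fixed(3, 64);
    int ok = p != NULL && p->cpupool_id == 3 && p->cpumap != NULL;
    poolinfo_free(p);
    return ok;
}

int main(void)
{
    printf("vulnerable returns dangling pointer: %d\n",
           returns_dangling_on_alloc_failure(getinfo_vulnerable));
    printf("fixed returns dangling pointer:      %d\n",
           returns_dangling_on_alloc_failure(getinfo_fixed));
    printf("fixed success path ok:               %d\n", normal_path_ok());
    return 0;
}
```

Building the program with AddressSanitizer and then dereferencing the pointer returned by `getinfo_vulnerable` is the quickest way to see the heap-use-after-free report this advisory describes; the fixed variant makes the failure visible to the caller as a NULL return instead, which is why every call site must test for NULL.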


Patch description

http://xenbits.xen.org/xsa/xsa88.patch

Avoid freeing info then returning it to the caller.

--- a/tools/libxc/xc_cpupool.c
+++ b/tools/libxc/xc_cpupool.c
@@ -104,6 +104,7 @@ xc_cpupoolinfo_t *xc_cpupool_getinfo(xc_interface *xch,
     info->cpumap = xc_cpumap_alloc(xch);
     if (!info->cpumap) {
         free(info);
+        info = NULL;
         goto out;
     }
     info->cpupool_id = sysctl.u.cpupool_op.cpupool_id;
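Review bot: the added `info = NULL;` is the right fix for this path, but the hunk does not show what follows the `out:` label or how callers of `xc_cpupool_getinfo()` treat the return value; since this error path previously handed back a non-NULL (already freed) pointer, it is worth confirming that nothing after `out:` dereferences `info` and that each call site checks for NULL before use, otherwise the use-after-free becomes a NULL dereference rather than being removed.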

Consequence

An attacker may be able to cause a multi-threaded toolstack using this function to race against itself leading to heap corruption and a potential DoS.

heap corruption, DoS