CVE-2013-4370
http://xenbits.xen.org/xsa/advisory-69.html
misplaced free in ocaml xc_vcpu_getaffinity stub
The OCaml binding for the xc_vcpu_getaffinity function frees a pointer before using it and then frees it again afterwards. The code therefore contains use-after-free and double-free flaws.
logic error (use-after-free, double-free)
http://xenbits.xen.org/xsa/xsa69.patch
tools/ocaml: fix erroneous free of cpumap in stub_xc_vcpu_getaffinity
--- a/tools/ocaml/libs/xc/xenctrl_stubs.c
+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
@@ -461,8 +461,6 @@ CAMLprim value stub_xc_vcpu_getaffinity(value xch, value domid,
retval = xc_vcpu_getaffinity(_H(xch), _D(domid),
Int_val(vcpu), c_cpumap);
- free(c_cpumap);
-
if (retval < 0) {
free(c_cpumap);
failwith_xc(_H(xch));
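Review bot: the removed unconditional `free(c_cpumap);` sat before `retval` was checked, so on the error path the `free(c_cpumap);` inside `if (retval < 0)` released the same buffer a second time, and on the success path the code following this hunk still read `c_cpumap` after it had been freed; dropping the early free is the right fix for both. The success path is not visible in the hunk, so confirm that the buffer is still freed exactly once there, after its contents have been copied into the OCaml return value.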
An extra free appeared out of nowhere…
An attacker may be able to cause a multithreaded toolstack written in OCaml that uses this function to race against itself, leading to heap corruption and a potential DoS.
heap corruption, DoS