Out-of-memory condition yielding memory corruption during IRQ setup
When setting up the IRQ for a passed-through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption.
improper error handling (use-after-free)
x86/irq: avoid use-after-free on error path in pirq_guest_bind()
--- a/xen/arch/x86/irq.c +++ b/xen/arch/x86/irq.c @@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru printk(XENLOG_G_INFO "Cannot bind IRQ%d to dom%d. Out of memory.\n", pirq->pirq, v->domain->domain_id); - rc = -ENOMEM; - goto out; + return -ENOMEM; } action = newaction;
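Review bot: the new `return -ENOMEM;` bypasses the `out:` label that the removed `rc = -ENOMEM; goto out;` reached, so confirm that nothing acquired earlier in pirq_guest_bind() (the descriptor lock or a reference) still depends on the cleanup at `out` for this path. If the partial allocation has already been released and the lock dropped before this point, as the subject line implies, a one-line comment above the return stating that would keep a future reader from "restoring" the goto.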
Malicious guest administrators can trigger a use-after-free error, resulting in hypervisor memory corruption. The effects of memory corruption could be anything, including a host-wide denial of service, or privilege escalation.
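The error-path pattern the advisory describes, as a constructed C model added here rather than Xen's code; bind_irq, the one-slot shadow allocator and the two-step allocation are assumptions standing in for the real function, and the shadow allocator counts use-after-free and double-free events instead of corrupting memory:

```c
/* Constructed model of the advisory's error path; not Xen's code.
 * Names (bind_irq, irq_action, eoi_map) and the two-step allocation are assumptions. */
#include <errno.h>
#include <stddef.h>

struct irq_action { int *eoi_map; };

/* One-slot shadow allocator: records misuse instead of corrupting memory. */
static struct irq_action slot;
static int map_storage;
static int slot_live, uaf_events, double_free_events;

static struct irq_action *alloc_action(void) { slot_live = 1; slot.eoi_map = NULL; return &slot; }
static void free_action(struct irq_action *a) {
    if (a == NULL) return;
    if (!slot_live) double_free_events++;   /* freeing an already-freed block */
    slot_live = 0;
}
static int *alloc_map(int oom) { return oom ? NULL : &map_storage; }
static void free_map(struct irq_action *a) {
    if (!slot_live) uaf_events++;           /* touching a->eoi_map after free */
    (void)a->eoi_map;
}

/* oom: make the second allocation fail.  fixed: use the patch's early return. */
static int bind_irq(int oom, int fixed) {
    struct irq_action *newaction = alloc_action(), *action = NULL;
    int rc = 0;

    newaction->eoi_map = alloc_map(oom);
    if (newaction->eoi_map == NULL) {
        free_action(newaction);             /* partial allocation released here... */
        if (fixed)
            return -ENOMEM;                 /* ...so the shared cleanup must be skipped */
        rc = -ENOMEM;
        goto out;                           /* newaction is still non-NULL: dangling */
    }
    action = newaction;                     /* ownership moves to the descriptor */
    newaction = NULL;
    (void)action;
out:
    if (newaction != NULL) {
        free_map(newaction);                /* use after free on the error path */
        free_action(newaction);             /* second free of the same block */
    }
    return rc;
}

int run_bind(int oom, int fixed) { slot_live = uaf_events = double_free_events = 0; return bind_irq(oom, fixed); }
int uaf_seen(void) { return uaf_events; }
int double_free_seen(void) { return double_free_events; }
```

Running the model with oom=1 shows one use-after-free and one double free for the original control flow and none once the error path returns directly.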
memory corruption, DoS