CVE-2014-1950
http://xenbits.xen.org/xsa/advisory-88.html
use-after-free in xc_cpupool_getinfo() under memory pressure
If xc_cpumap_alloc() fails, xc_cpupool_getinfo() frees the result structure and then incorrectly returns the now-freed pointer to it, so the caller receives a dangling pointer instead of NULL.
improper error handling (use-after-free)
http://xenbits.xen.org/xsa/xsa88.patch
Avoid freeing info then returning it to the caller.
--- a/tools/libxc/xc_cpupool.c
+++ b/tools/libxc/xc_cpupool.c
@@ -104,6 +104,7 @@ xc_cpupoolinfo_t *xc_cpupool_getinfo(xc_interface *xch,
info->cpumap = xc_cpumap_alloc(xch);
if (!info->cpumap) {
free(info);
+ info = NULL;
goto out;
}
info->cpupool_id = sysctl.u.cpupool_op.cpupool_id;
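Review bot: the added `info = NULL;` only works because the `out:` label (not shown in the hunk) does nothing with `info` except return it; that is worth confirming and worth a one-line comment at the label, since any cleanup later added under `out:` that touches `info` would turn this path into a NULL dereference. Writing `return NULL;` in place of `goto out;` in this branch would make the intent explicit without depending on what follows the label, and the same free-then-`goto out` shape should be grepped for in the function's other error paths.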
Because the freed pointer is handed back to the caller, an attacker who can provoke the allocation failure may be able to cause a multi-threaded toolstack using this function to race against itself: one thread's use of the stale result overlaps another thread's reuse of the same heap memory, leading to heap corruption and a potential DoS.
heap corruption, DoS
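The following is an added example, not Xen's code: a self-contained C model of the xc_cpupool_getinfo() error path in its pre-patch and post-patch shapes, plus a serialised version of the race described above. The xc_cpupoolinfo_t struct, the slab allocator, the cpumap_alloc() helper and the fail_next_cpumap_alloc switch are all stand-ins invented for this example so that the freed-pointer return and the resulting corruption can be observed deterministically, without real memory pressure or real threads.

```c
/* Added example, not Xen's code: a model of the xc_cpupool_getinfo() error
 * path before and after the XSA-88 patch. The struct, slab allocator and
 * fault-injection switch are stand-ins written for this example so the
 * freed-pointer return and its consequence show up deterministically. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint8_t *xc_cpumap_t;                 /* stand-in for libxc's type */
typedef struct {
    uint32_t    cpupool_id;
    xc_cpumap_t cpumap;
} xc_cpupoolinfo_t;                           /* simplified stand-in */

/* Tiny slab standing in for the heap: comparing a pointer after "free" stays
 * well-defined, and reuse of the freed slot by the next allocation is visible. */
#define INFO_SLOTS 4
static xc_cpupoolinfo_t info_slab[INFO_SLOTS];
static int info_used[INFO_SLOTS];

static xc_cpupoolinfo_t *info_alloc(void)
{
    for (int i = 0; i < INFO_SLOTS; i++)
        if (!info_used[i]) {
            info_used[i] = 1;
            memset(&info_slab[i], 0, sizeof info_slab[i]);
            return &info_slab[i];
        }
    return NULL;
}

static void info_free(xc_cpupoolinfo_t *p) { info_used[p - info_slab] = 0; }

/* Fault injection: when set, the next cpumap allocation fails, standing in
 * for the memory-pressure condition the advisory describes. */
static int fail_next_cpumap_alloc;

static xc_cpumap_t cpumap_alloc(void)
{
    if (fail_next_cpumap_alloc) {
        fail_next_cpumap_alloc = 0;
        return NULL;
    }
    return calloc(8, 1);
}

/* Pre-patch shape: frees info, then 'goto out' returns the freed pointer. */
static xc_cpupoolinfo_t *getinfo_before(uint32_t poolid)
{
    xc_cpupoolinfo_t *info = info_alloc();
    if (!info) return NULL;
    info->cpumap = cpumap_alloc();
    if (!info->cpumap) {
        info_free(info);
        goto out;               /* BUG: info still holds the freed address */
    }
    info->cpupool_id = poolid;
out:
    return info;
}

/* Post-patch shape: the one added line makes the 'out' path return NULL. */
static xc_cpupoolinfo_t *getinfo_after(uint32_t poolid)
{
    xc_cpupoolinfo_t *info = info_alloc();
    if (!info) return NULL;
    info->cpumap = cpumap_alloc();
    if (!info->cpumap) {
        info_free(info);
        info = NULL;            /* the XSA-88 fix */
        goto out;
    }
    info->cpupool_id = poolid;
out:
    return info;
}

/* 1 if fn reports a failed cpumap allocation as NULL, 0 if it returns a
 * pointer into freed memory. */
static int reports_failure_as_null(xc_cpupoolinfo_t *(*fn)(uint32_t))
{
    fail_next_cpumap_alloc = 1;
    return fn(1) == NULL;
}

/* The race from the advisory, serialised: caller A receives the dangling
 * pointer, caller B's allocation reuses the freed slot, A then writes through
 * its pointer and silently clobbers B's record. Returns 1 if B was corrupted. */
static int demo_race(void)
{
    fail_next_cpumap_alloc = 1;
    xc_cpupoolinfo_t *a = getinfo_before(7);  /* freed slot, not NULL */
    xc_cpupoolinfo_t *b = getinfo_after(42);  /* lands in the same slot */
    if (!a || !b || a != b)
        return 0;
    a->cpupool_id = 7;                        /* A "uses" its result */
    int corrupted = (b->cpupool_id != 42);
    free(b->cpumap);
    info_free(b);
    return corrupted;
}
```

demo_race() is the single-threaded rendering of the multi-threaded scenario: the slab returns the freed slot to the very next caller, which is what a real allocator will also tend to do, so the stale write from the first caller lands in the second caller's live record. With the patched function the first call returns NULL, the caller has nothing to write through, and the slot is only ever owned by one live record at a time.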