Bug 950097 (CVE-2013-1920)

Summary: CVE-2013-1920 kernel: xen: potential use of freed memory in event channel operations
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agordeev, anton, dhoward, drjones, imammedo, jforbes, kraxel, lersek, lwang, m.a.young, mrezanin, pbonzini, plougher, rvrbovsk, virt-maint, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-09 15:38:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 950673    

Description Petr Matousek 2013-04-09 15:37:25 UTC 
Wrong ordering of operations upon extending the per-domain event channel tracking table can cause a pointer to freed memory to be left in place, when the hypervisor is under memory pressure and XSM (Xen Security Module) is enabled.

Malicious guest kernels could inject arbitrary events or corrupt other hypervisor state, possibly leading to code execution.

References:
http://seclists.org/oss-sec/2013/q2/17

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 1 Petr Matousek 2013-04-09 15:38:19 UTC 
Statement:

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.
Comment 3 Michael Young 2013-04-16 21:10:34 UTC 
Fedora isn't vulnerable as we don't build xen with XSM enabled. However the source for xen-4.2.1-10.fc19, xen-4.2.1-10.fc18 and xen-4.1.4-7.fc17 include the patch.