When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time.
Malicious guest administrators can trigger a use-after-free error, resulting in hypervisor memory corruption.
Red Hat would like to thank the Xen project for reporting this issue.
This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.
This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 as we did not have support for Xen hypervisor.
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1057142]