Bug 1486709 (CVE-2017-14317, xsa233) - CVE-2017-14317 xsa233 xen: cxenstored: Race in domain cleanup (XSA-233)
Summary: CVE-2017-14317 xsa233 xen: cxenstored: Race in domain cleanup (XSA-233)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-14317, xsa233
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1490884
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-30 11:55 UTC by Adam Mariš
Modified: 2019-09-29 14:19 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:22:48 UTC


Attachments (Terms of Use)

Description Adam Mariš 2017-08-30 11:55:52 UTC
ISSUE DESCRIPTION
=================

When shutting down a VM with a stubdomain, a race in cxenstored may
cause a double-free.

IMPACT
======

The xenstored daemon may crash, resulting in a DoS of any parts of the
system relying on it (including domain creation / destruction,
ballooning, device changes, etc).

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only systems running the C version os xenstored ("xenstored") are
vulnerable; systems running the Ocaml version ("oxenstored") are not
vulnerable.

Only systems running devicemodel stubdomains are vulnerable.  Only x86
HVM guests can use stubdomains.  Therefore ARM systems, x86 systems
running only PV guests, and x86 systems running HVM guests with the
devicemodel not in a stubdomain (eg in dom0), are not vulnerable.

MITIGATION
==========

Running oxenstored will mitigate this issue.  Not using stubdomains
will also mitigate the issue.

External References:

http://xenbits.xen.org/xsa/advisory-233.html

Comment 1 Adam Mariš 2017-09-12 12:20:43 UTC
Acknowledgments:

Name: Eric Chanudet (AIS)

Comment 2 Adam Mariš 2017-09-12 12:23:39 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1490884]


Note You need to log in before you can comment on or make changes to this bug.