The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the page still in use.
Malicious or buggy PV guest kernels can mount a denial of service attack affecting the whole system. It can't be excluded that this could also be exploited to mount a privilege escalation attack.
Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Andrew Cooper and the Citrix XenServer team as the original reporters.
This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5 because we did not backport CVE-2013-1918 fix.
This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 because of missing Xen hypervisor support.
Created xen tracking bugs for this issue
Affects: fedora-all [bug 978383]
Public as per: