Bug 950097 (CVE-2013-1920) - CVE-2013-1920 kernel: xen: potential use of freed memory in event channel operations
Summary: CVE-2013-1920 kernel: xen: potential use of freed memory in event channel ope...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-1920
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 950673
TreeView+ depends on / blocked
 
Reported: 2013-04-09 15:37 UTC by Petr Matousek
Modified: 2023-05-11 22:25 UTC (History)
16 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-04-09 15:38:19 UTC
Embargoed:

Attachments (Terms of Use)

Description Petr Matousek 2013-04-09 15:37:25 UTC 
Wrong ordering of operations upon extending the per-domain event channel tracking table can cause a pointer to freed memory to be left in place, when the hypervisor is under memory pressure and XSM (Xen Security Module) is enabled.

Malicious guest kernels could inject arbitrary events or corrupt other hypervisor state, possibly leading to code execution.

References:
http://seclists.org/oss-sec/2013/q2/17

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 1 Petr Matousek 2013-04-09 15:38:19 UTC 
Statement:

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.
Comment 3 Michael Young 2013-04-16 21:10:34 UTC 
Fedora isn't vulnerable as we don't build xen with XSM enabled. However the source for xen-4.2.1-10.fc19, xen-4.2.1-10.fc18 and xen-4.1.4-7.fc17 include the patch.
Note You need to log in before you can comment on or make changes to this bug.