1374476 – (CVE-2016-7154, xsa188) CVE-2016-7154 xen: use after free in FIFO event channel code

Bug 1374476 (CVE-2016-7154, xsa188) - CVE-2016-7154 xen: use after free in FIFO event channel code

Summary: CVE-2016-7154 xen: use after free in FIFO event channel code

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2016-7154, xsa188
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-08 18:57 UTC by Martin Prpič
Modified:	2021-02-17 03:22 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-09-08 18:59:07 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2016-09-08 18:57:20 UTC

ISSUE DESCRIPTION
=================

When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer.  Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.

IMPACT
======

A malicious guest administrator can crash the host, leading to a DoS.
Arbitrary code execution (and therefore privilege escalation), and
information leaks, cannot be excluded.

VULNERABLE SYSTEMS
==================

Only Xen 4.4 is vulnerable.  Xen versions 4.5 and later as well as Xen
versions 4.3 and earlier are not vulnerable.

External References:

https://xenbits.xen.org/xsa/advisory-188.html

Acknowledgements:

Name: the Xen project
Upstream: Mikhail Gorobets (Advanced Threat Research; Intel Security)

Note You need to log in before you can comment on or make changes to this bug.