Bug 499054 (CVE-2014-1642)

Summary: <app-emulation/xen-{4.2.3-r1,4.3.1-r5}: Double free in IRQ pass-through allocation (XSA-83) (CVE-2014-1642)
Product: Gentoo Security
Reporter: Chris Reffett (RETIRED) <creffett>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: idella4, xen
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Chris Reffett (RETIRED) gentoo-dev Security 2014-01-23 15:28:01 UTC
From ${URL}:
When setting up the IRQ for a passed through physical device, a flaw
in the error handling could result in a memory allocation being used
after it is freed, and then freed a second time.  This would typically
result in memory corruption.
Malicious guest administrators can trigger a use-after-free error, resulting
in hypervisor memory corruption.  The effects of memory corruption could be
anything, including a host-wide denial of service, or privilege escalation.
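The error-handling defect the advisory describes, as an added illustration in C that is not Xen's code: a setup routine whose error path frees a buffer but leaves the stale pointer in the descriptor, so the caller's cleanup frees the same memory again, shown beside the corrected form. The names (irq_desc, setup_irq_*, teardown_irq) and the tracking allocator are constructed for this example, and the injected allocation failure stands in for the out-of-memory condition the CVE text mentions.

```c
#include <stdlib.h>

/* Tiny tracking allocator, constructed for this illustration: it records live
 * pointers so a second free of the same pointer is counted instead of
 * corrupting the heap. A NULL result models an out-of-memory error. */
#define MAX_LIVE 4
static void *live[MAX_LIVE];
static int nlive, double_frees;

static void *talloc(size_t n) {
    void *p = nlive < MAX_LIVE ? calloc(1, n) : NULL;
    if (p) live[nlive++] = p;
    return p;
}

static void tfree(void *p) {
    if (!p) return;
    for (int i = 0; i < nlive; i++)
        if (live[i] == p) { live[i] = live[--nlive]; free(p); return; }
    double_frees++;            /* p is not live: it was already freed */
}

struct irq_desc { int *cpu_mask; int *vector; };

/* Caller-side cleanup that runs after any setup failure; it owns both fields. */
static void teardown_irq(struct irq_desc *d) {
    tfree(d->cpu_mask); d->cpu_mask = NULL;
    tfree(d->vector);   d->vector = NULL;
}

/* Flawed: when the second allocation fails, the error path frees cpu_mask but
 * leaves the dangling pointer behind, so teardown_irq() frees it a second time. */
static int setup_irq_flawed(struct irq_desc *d, int ncpus, int oom_on_vector) {
    d->cpu_mask = talloc(ncpus * sizeof(int));
    if (!d->cpu_mask) return -1;
    d->vector = oom_on_vector ? NULL : talloc(sizeof(int));
    if (!d->vector) { tfree(d->cpu_mask); return -1; }   /* d->cpu_mask dangles */
    return 0;
}

/* Fixed: the error path clears the field after freeing it, so ownership is
 * unambiguous and the caller's teardown_irq() becomes a no-op for that buffer. */
static int setup_irq_fixed(struct irq_desc *d, int ncpus, int oom_on_vector) {
    d->cpu_mask = talloc(ncpus * sizeof(int));
    if (!d->cpu_mask) return -1;
    d->vector = oom_on_vector ? NULL : talloc(sizeof(int));
    if (!d->vector) { tfree(d->cpu_mask); d->cpu_mask = NULL; return -1; }
    return 0;
}

/* One setup attempt under an injected OOM on the second allocation; returns the
 * number of double frees the tracker observed (0 means the error path is sound). */
static int double_frees_under_oom(int use_fixed) {
    struct irq_desc d = { NULL, NULL };
    nlive = 0; double_frees = 0;
    int rc = use_fixed ? setup_irq_fixed(&d, 64, 1) : setup_irq_flawed(&d, 64, 1);
    if (rc) teardown_irq(&d);
    return double_frees;
}
```

The same fault-injection harness (forcing the allocator to fail at each call site in turn) is the usual way to exercise cleanup paths that normal testing never reaches.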
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-23 15:30:50 UTC
Patch available at
Comment 2 Yixun Lan archtester gentoo-dev 2014-01-24 15:45:29 UTC
fixed, patch included in following versions

Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 17:46:34 UTC
(In reply to Yixun Lan from comment #2)
> fixed, patch included in following versions
> app-emulation/xen-4.2.2-r3
> app-emulation/xen-4.3.1-r4

ready to go stable?
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 18:28:48 UTC
CVE-2014-1642 (
  The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and
  configured to support a large number of CPUs, frees certain memory that may
  still be intended for use, which allows local guest administrators to cause
  a denial of service (memory corruption and hypervisor crash) and possibly
  execute arbitrary code via vectors related to an out-of-memory error that
  triggers a (1) use-after-free or (2) double free.
Comment 5 Yixun Lan archtester gentoo-dev 2014-02-13 09:37:21 UTC
(In reply to Mikle Kolyada from comment #3)
> ready to go stable?

I've requested a stable, see bug #500528, also bug #500530
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:30:26 UTC
Fixed as part of Bug 500530.

Adding to existing GLSA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:37 UTC
This issue was resolved and addressed in
GLSA 201407-03 at
by GLSA coordinator Mikle Kolyada (Zlogene).