When setting up the IRQ for a passed through physical device, a flaw
in the error handling could result in a memory allocation being used
after it is freed, and then freed a second time. This would typically
result in memory corruption.
Malicious guest administrators can trigger a use-after-free error, resulting
in hypervisor memory corruption. The effects of memory corruption could be
anything, including a host-wide denial of service, or privilege escalation.
Patch available at http://xenbits.xen.org/xsa/xsa83.patch
fixed, patch included in following versions
(In reply to Yixun Lan from comment #2)
> fixed, patch included in following versions
ready to go stable?
The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and
configured to support a large number of CPUs, frees certain memory that may
still be intended for use, which allows local guest administrators to cause
a denial of service (memory corruption and hypervisor crash) and possibly
execute arbitrary code via vectors related to an out-of-memory error that
triggers a (1) use-after-free or (2) double free.
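As an added illustration (not Xen's code and not the patch linked above), the C program below models the class of error-handling bug the advisory describes: a setup helper frees a buffer when a later out-of-memory failure occurs but leaves the caller's pointer dangling, so the caller's own cleanup touches the freed buffer and frees it a second time. The allocation tracker, the `irq_desc` structure and every function name here are hypothetical; the tracker lets the buggy path run and counts the defects instead of corrupting the heap. The hardened variant shows the ownership rule that prevents both defects: a buffer is published to the caller only on success, and whoever frees it clears the pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Tiny instrumented allocator (hypothetical, added for illustration): it
 * remembers each allocation's state so the buggy error path below can be
 * executed and its defects counted. The real heap is never freed twice. */
enum slot_state { SLOT_UNUSED = 0, SLOT_LIVE, SLOT_FREED };
#define MAX_SLOTS 16
static struct { void *ptr; enum slot_state state; } slots[MAX_SLOTS];
static int bad_free_count;  /* frees of already-freed or unknown pointers */
static int bad_use_count;   /* accesses through already-freed pointers */

static void tracker_reset(void) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (slots[i].state == SLOT_LIVE) free(slots[i].ptr);
        slots[i].ptr = NULL;
        slots[i].state = SLOT_UNUSED;
    }
    bad_free_count = bad_use_count = 0;
}

static int slot_of(const void *p) {
    for (int i = 0; i < MAX_SLOTS; i++)
        if (slots[i].state != SLOT_UNUSED && slots[i].ptr == p) return i;
    return -1;
}

static void *t_alloc(size_t n) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (slots[i].state != SLOT_UNUSED) continue;
        slots[i].ptr = malloc(n);
        if (slots[i].ptr) slots[i].state = SLOT_LIVE;
        return slots[i].ptr;
    }
    return NULL;                                   /* tracker full */
}

static void t_free(void *p) {
    if (!p) return;                                /* free(NULL) is legal */
    int i = slot_of(p);
    if (i < 0 || slots[i].state == SLOT_FREED) { bad_free_count++; return; }
    slots[i].state = SLOT_FREED;                   /* keep ptr to catch later use */
    free(p);
}

/* Stands in for any read or write of the buffer, e.g. clearing it in cleanup. */
static bool t_use(const void *p) {
    int i = slot_of(p);
    if (i < 0 || slots[i].state == SLOT_FREED) { bad_use_count++; return false; }
    return true;
}

struct irq_desc { int *vectors; int nr; };   /* hypothetical per-IRQ state */

/* Buggy shape: the helper stores the buffer in the descriptor first, then
 * frees it on a later failure without clearing the pointer it published. */
static int setup_vectors_buggy(struct irq_desc *d, int nr, bool oom_later) {
    d->vectors = t_alloc((size_t)nr * sizeof(int));
    if (!d->vectors) return -1;
    d->nr = nr;
    if (oom_later) {            /* a later allocation during setup fails */
        t_free(d->vectors);     /* freed, but d->vectors still points here */
        return -1;
    }
    return 0;
}

static int bind_irq_buggy(int nr, bool oom_later) {
    struct irq_desc d = { NULL, 0 };
    if (setup_vectors_buggy(&d, nr, oom_later) < 0) {
        if (d.vectors) {        /* caller sees a non-NULL pointer and "cleans up" */
            t_use(d.vectors);   /* use after free */
            t_free(d.vectors);  /* double free */
        }
        return -1;
    }
    t_use(d.vectors);
    t_free(d.vectors);
    return 0;
}

/* Hardened shape: ownership moves to the descriptor only on success, so the
 * caller never holds a pointer to memory the helper has already freed. */
static int setup_vectors_fixed(struct irq_desc *d, int nr, bool oom_later) {
    int *v = t_alloc((size_t)nr * sizeof(int));
    if (!v) return -1;
    if (oom_later) { t_free(v); return -1; }   /* local, never published */
    d->vectors = v;
    d->nr = nr;
    return 0;
}

static int bind_irq_fixed(int nr, bool oom_later) {
    struct irq_desc d = { NULL, 0 };
    if (setup_vectors_fixed(&d, nr, oom_later) < 0)
        return -1;              /* d.vectors is still NULL: nothing to clean */
    t_use(d.vectors);
    t_free(d.vectors);
    d.vectors = NULL;           /* the freeing side clears the pointer */
    return 0;
}

/* Runs one scenario and returns how many memory-safety defects were observed. */
int defects_seen(bool fixed, bool oom_later) {
    tracker_reset();
    if (fixed) bind_irq_fixed(4, oom_later); else bind_irq_buggy(4, oom_later);
    int n = bad_free_count + bad_use_count;
    tracker_reset();
    return n;
}

int main(void) {
    printf("buggy, failure on error path: %d defects\n", defects_seen(false, true));
    printf("fixed, failure on error path: %d defects\n", defects_seen(true, true));
    printf("buggy, success path:          %d defects\n", defects_seen(false, false));
    return 0;
}
```

The buggy path reports two defects (one use after free, one double free) only when the simulated out-of-memory failure hits the error path, which is why such bugs survive normal testing: the success path is clean. In real code the tracker's job is done by a sanitizer such as AddressSanitizer or by fault injection on the allocator, both of which exercise exactly these rarely taken error paths.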
(In reply to Mikle Kolyada from comment #3)
> ready to go stable?
I've requested a stable, see bug #500528, also bug #500530
Fixed as part of Bug 500530.
Adding to existing GLSA.
This issue was resolved and addressed in
GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).