From ${URL}:

ISSUE DESCRIPTION
=================

When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption.

IMPACT
======

Malicious guest administrators can trigger a use-after-free error, resulting in hypervisor memory corruption. The effects of memory corruption could be anything, including a host-wide denial of service, or privilege escalation.
Patch available at http://xenbits.xen.org/xsa/xsa83.patch
fixed, patch included in following versions

app-emulation/xen-4.2.2-r3
app-emulation/xen-4.3.1-r4
(In reply to Yixun Lan from comment #2)
> fixed, patch included in following versions
>
> app-emulation/xen-4.2.2-r3
> app-emulation/xen-4.3.1-r4

ready for go stable?
CVE-2014-1642 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1642): The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free.
(In reply to Mikle Kolyada from comment #3)
> ready for go stable?

I've requested a stable, see bug #500528, also bug #500530
Fixed as part of Bug 500530. Adding to existing GLSA.
This issue was resolved and addressed in GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml by GLSA coordinator Mikle Kolyada (Zlogene).