Xen Security Advisory CVE-2016-7154 / XSA-188
version 3

use after free in FIFO event channel code

ISSUE DESCRIPTION
=================

When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.

IMPACT
======

A malicious guest administrator can crash the host, leading to a DoS.
Arbitrary code execution (and therefore privilege escalation), and
information leaks, cannot be excluded.

VULNERABLE SYSTEMS
==================

Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as
Xen versions 4.3 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Mikhail Gorobets of Advanced Threat
Research, Intel Security.

RESOLUTION
==========

Applying the attached patch resolves this issue.

None of the versions are vulnerable (only 4.4 is vulnerable; we have 4.6.x and 4.7.x here).
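
The error path from the ISSUE DESCRIPTION, reduced to a small C model: an added illustration, not Xen's source and not the advisory's patch. Every name in it (`init_control`, `expand_array`, `struct ctrl`, `BAD_GFN`, the one-slot pool) is hypothetical; the pool stands in for the allocator so that the "freed" state can be inspected without undefined behaviour.

```c
/* Added illustration; all names are hypothetical, not Xen's source. */
#include <stddef.h>

#define BAD_GFN 0xFFFFFFFFu   /* constructed "bad guest frame number" */

struct ctrl { int live; unsigned gfn; };  /* live == 0 models freed memory */
struct dom  { struct ctrl *ctrl; };

/* One-slot static pool: "freed" memory stays readable for the model. */
static struct ctrl pool;
static struct ctrl *ctrl_alloc(void) { pool.live = 1; return &pool; }
static void ctrl_free(struct ctrl *c) { c->live = 0; }

/* Models mapping the guest frame; fails for the bad frame number. */
static int map_gfn(struct ctrl *c, unsigned gfn)
{
    if (gfn == BAD_GFN)
        return -1;
    c->gfn = gfn;
    return 0;
}

/* clear_on_error == 0: error path as described (frees, pointer left set).
 * clear_on_error == 1: error path that also clears the pointer. */
int init_control(struct dom *d, unsigned gfn, int clear_on_error)
{
    if (d->ctrl == NULL)
        d->ctrl = ctrl_alloc();
    if (map_gfn(d->ctrl, gfn) != 0) {
        ctrl_free(d->ctrl);
        if (clear_on_error)
            d->ctrl = NULL;
        return -1;
    }
    return 0;
}

/* Follow-up operation that trusts any non-NULL pointer.
 * Returns  0: operated on a live control block
 *         -1: refused, no control block
 *          1: proceeded on a freed block (the use after free) */
int expand_array(const struct dom *d)
{
    if (d->ctrl == NULL)
        return -1;
    return d->ctrl->live ? 0 : 1;
}
```

A second `init_control` call on the uncleared pointer takes the same branch in this model: it skips allocation and writes through the stale pointer.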