Xen Security Advisory CVE-2016-7154 / XSA-188
use after free in FIFO event channel code
When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.
A malicious guest administrator can crash the host, leading to a DoS.
Arbitrary code execution (and therefore privilege escalation), and
information leaks, cannot be excluded.
Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as Xen
versions 4.3 and earlier are not vulnerable.
There is no mitigation available.
This issue was discovered by Mikhail Gorobets of Advanced Threat
Research, Intel Security.
Applying the attached patch resolves this issue.
none of version vulnerable (only 4.4 is vulnerable, we have 4.6.x, 4.7.x here)