Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running under memory pressure and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xen | Xen | 3.0.2 (including) | 3.0.2 (including) |
| Xen | Xen | 3.0.3 (including) | 3.0.3 (including) |
| Xen | Xen | 3.0.4 (including) | 3.0.4 (including) |
| Xen | Xen | 3.1.3 (including) | 3.1.3 (including) |
| Xen | Xen | 3.1.4 (including) | 3.1.4 (including) |
| Xen | Xen | 3.2.0 (including) | 3.2.0 (including) |
| Xen | Xen | 3.2.1 (including) | 3.2.1 (including) |
| Xen | Xen | 3.2.2 (including) | 3.2.2 (including) |
| Xen | Xen | 3.2.3 (including) | 3.2.3 (including) |
| Xen | Xen | 3.3.0 (including) | 3.3.0 (including) |
| Xen | Xen | 3.3.1 (including) | 3.3.1 (including) |
| Xen | Xen | 3.3.2 (including) | 3.3.2 (including) |
| Xen | Xen | 3.4.0 (including) | 3.4.0 (including) |
| Xen | Xen | 3.4.1 (including) | 3.4.1 (including) |
| Xen | Xen | 3.4.2 (including) | 3.4.2 (including) |
| Xen | Xen | 3.4.3 (including) | 3.4.3 (including) |
| Xen | Xen | 3.4.4 (including) | 3.4.4 (including) |
| Xen | Xen | 4.0.0 (including) | 4.0.0 (including) |
| Xen | Xen | 4.0.1 (including) | 4.0.1 (including) |
| Xen | Xen | 4.0.2 (including) | 4.0.2 (including) |
| Xen | Xen | 4.0.3 (including) | 4.0.3 (including) |
| Xen | Xen | 4.0.4 (including) | 4.0.4 (including) |
| Xen | Xen | 4.1.0 (including) | 4.1.0 (including) |
| Xen | Xen | 4.1.1 (including) | 4.1.1 (including) |
| Xen | Xen | 4.1.2 (including) | 4.1.2 (including) |
| Xen | Xen | 4.1.3 (including) | 4.1.3 (including) |
| Xen | Xen | 4.1.4 (including) | 4.1.4 (including) |
| Xen | Xen | 4.2.0 (including) | 4.2.0 (including) |
| Xen | Xen | 4.2.1 (including) | 4.2.1 (including) |
| Xen | Ubuntu | upstream | * |
| Xen-3.1 | Ubuntu | hardy | * |
| Xen-3.2 | Ubuntu | hardy | * |
| Xen-3.2 | Ubuntu | upstream | * |
| Xen-3.3 | Ubuntu | upstream | * |
References
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00049.html
- http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html
- http://osvdb.org/92050
- http://secunia.com/advisories/52857
- http://secunia.com/advisories/55082
- http://security.gentoo.org/glsa/glsa-201309-24.xml
- http://www.openwall.com/lists/oss-security/2013/04/04/7
- http://www.securityfocus.com/bid/58880
- http://www.securitytracker.com/id/1028388
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83226
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00049.html
- http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html
- http://osvdb.org/92050
- http://secunia.com/advisories/52857
- http://secunia.com/advisories/55082
- http://security.gentoo.org/glsa/glsa-201309-24.xml
- http://www.openwall.com/lists/oss-security/2013/04/04/7
- http://www.securityfocus.com/bid/58880
- http://www.securitytracker.com/id/1028388
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83226