When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction.
Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default).
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xen | Xen | * | 4.17.0 (excluding) |
| Xen | Ubuntu | bionic | * |
| Xen | Ubuntu | focal | * |
| Xen | Ubuntu | lunar | * |
| Xen | Ubuntu | mantic | * |
| Xen | Ubuntu | oracular | * |
| Xen | Ubuntu | plucky | * |
| Xen | Ubuntu | trusty | * |
| Xen | Ubuntu | xenial | * |