FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xen-kernel -- use after free in FIFO event channel code

Affected packages
4.4 <= xen-kernel < 4.5

Details

VuXML ID 4bf57137-ba4d-11e6-ae1b-002590263bf5
Discovery 2016-09-08
Entry 2016-12-04

The Xen Project reports:

When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding the non-NULL pointer, continue operation assuming it points to allocated memory.

A malicious guest administrator can crash the host, leading to a DoS. Arbitrary code execution (and therefore privilege escalation), and information leaks, cannot be excluded.
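The free-without-clear pattern described above, as an added example: this is a constructed model, not Xen source and not part of the advisory. The structure names, the one-slot pool, and `GFN_LIMIT` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not Xen source. A one-slot pool stands in for the
 * allocator so a stale pointer can be inspected without undefined behaviour. */
struct ctrl { bool live; unsigned long gfn; };
static struct ctrl slot;
static struct ctrl *ctrl_alloc(void) { slot.live = true; return &slot; }
static void ctrl_free(struct ctrl *c) { c->live = false; }

struct domain { struct ctrl *ctrl; };   /* per-guest state (hypothetical) */
#define GFN_LIMIT 0x1000UL              /* assumed bound for a valid frame number */

static int map_gfn(struct ctrl *c, unsigned long gfn)
{
    if (gfn >= GFN_LIMIT) return -1;    /* bad guest frame number */
    c->gfn = gfn;
    return 0;
}

/* Pattern from the advisory: the error path frees, the pointer stays set. */
int init_control_buggy(struct domain *d, unsigned long gfn)
{
    if (!d->ctrl)
        d->ctrl = ctrl_alloc();
    if (map_gfn(d->ctrl, gfn) != 0) {
        ctrl_free(d->ctrl);             /* d->ctrl now dangles */
        return -1;
    }
    return 0;
}

/* Hardened form: free and clear in the same step. */
int init_control_fixed(struct domain *d, unsigned long gfn)
{
    if (!d->ctrl)
        d->ctrl = ctrl_alloc();
    if (map_gfn(d->ctrl, gfn) != 0) {
        ctrl_free(d->ctrl);
        d->ctrl = NULL;                 /* later NULL checks now hold */
        return -1;
    }
    return 0;
}

/* Later operation that trusts any non-NULL pointer.
 * Returns -1 if it refuses, 0 if the structure is live, 1 if it is freed. */
int followup_state(const struct domain *d)
{
    return !d->ctrl ? -1 : (d->ctrl->live ? 0 : 1);
}
```

In the buggy variant a second call also skips allocation and writes through the stale pointer, which corresponds to the "another EVTCHNOP_init_control" case in the description.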

References

CVE Name CVE-2016-7154
FreeBSD PR ports/214936
URL https://xenbits.xen.org/xsa/advisory-188.html