File 54abda24-x86-HVM-prevent-use-after-free-when-de... of Package xen.481

Overview Repositories Revisions Requests Users Attributes Meta

File 54abda24-x86-HVM-prevent-use-after-free-when-destroying-a-domain.patch of Package xen.481

References: bsc#910681 CVE-2015-0361 XSA-116

# Commit d3c151fd3a4365fc6107198bfc975807d40d157d
# Date 2015-01-06 12:50:44 +0000
# Author Mihai Donțu <mdontu@bitdefender.com>
# Committer Ian Jackson <Ian.Jackson@eu.citrix.com>
x86/HVM: prevent use-after-free when destroying a domain

hvm_domain_relinquish_resources() can free certain domain resources
which can still be accessed, e.g. by HVMOP_set_param, while the domain
is being cleaned up.

This is CVE-2015-0361 / XSA-116.

Signed-off-by: Mihai Donțu <mdontu@bitdefender.com>
Tested-by: Răzvan Cojocaru <rcojocaru@bitdefender.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -625,9 +625,6 @@ int hvm_domain_initialise(struct domain 
 
 void hvm_domain_relinquish_resources(struct domain *d)
 {
-    xfree(d->arch.hvm_domain.io_handler);
-    xfree(d->arch.hvm_domain.params);
-
     if ( is_pvh_domain(d) )
         return;
 
@@ -650,6 +647,9 @@ void hvm_domain_relinquish_resources(str
 
 void hvm_domain_destroy(struct domain *d)
 {
+    xfree(d->arch.hvm_domain.io_handler);
+    xfree(d->arch.hvm_domain.params);
+
     hvm_destroy_cacheattr_region_list(d);
 
     if ( is_pvh_domain(d) )

Places

File 54abda24-x86-HVM-prevent-use-after-free-when-destroying-a-domain.patch of Package xen.481

Places