From: Jan Beulich Date: Thu, 8 Sep 2016 12:32:51 +0000 (+0200) Subject: evtchn-fifo: prevent use after free X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=dfddbf35d9df666fa731dcaf35afd8cf24ac8ecf;p=xen.git evtchn-fifo: prevent use after free evtchn_fifo_init_control() calls evtchn_fifo_destroy() on an error path, leading to cleanup_event_array() which frees d->evtchn_fifo without also clearing the pointer. Otoh the bulk of evtchn_fifo_init_control() is dependent on d->evtchn_fifo being NULL. This is XSA-188 / CVE-2016-7154. Reported-by: Mikhail V Gorobets Suggested-by: Mikhail V Gorobets Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c index a443c98018..93752d4439 100644 --- a/xen/common/event_fifo.c +++ b/xen/common/event_fifo.c @@ -482,6 +482,7 @@ static void cleanup_event_array(struct domain *d) for ( i = 0; i < EVTCHN_FIFO_MAX_EVENT_ARRAY_PAGES; i++ ) unmap_guest_page(d->evtchn_fifo->event_array[i]); xfree(d->evtchn_fifo); + d->evtchn_fifo = NULL; } static void setup_ports(struct domain *d)
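Review bot: The new `d->evtchn_fifo = NULL;` must stay after both `xfree(d->evtchn_fifo);` and the preceding loop, because that loop still dereferences `d->evtchn_fifo->event_array[i]` for every page; placing the reset any earlier would turn the unmap loop into a NULL dereference. Since the commit message states that evtchn_fifo_init_control() depends on d->evtchn_fifo being NULL, consider adding a one-line comment next to the xfree/NULL pair in cleanup_event_array() documenting that invariant (cleanup must leave the pointer NULL so that a later init_control re-initialises instead of reusing freed memory), as nothing in the hunk itself records why the reset is required and a future refactor could drop it.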