From dfddbf35d9df666fa731dcaf35afd8cf24ac8ecf Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Thu, 8 Sep 2016 14:32:51 +0200
Subject: [PATCH] evtchn-fifo: prevent use after free

evtchn_fifo_init_control() calls evtchn_fifo_destroy() on an error path, leading to cleanup_event_array() which frees d->evtchn_fifo without also clearing the pointer. Otoh the bulk of evtchn_fifo_init_control() is dependent on d->evtchn_fifo being NULL.

This is XSA-188 / CVE-2016-7154.

Reported-by: Mikhail V Gorobets
Suggested-by: Mikhail V Gorobets
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
---
 xen/common/event_fifo.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c
index a443c98018..93752d4439 100644
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -482,6 +482,7 @@ static void cleanup_event_array(struct domain *d)
 for ( i = 0; i < EVTCHN_FIFO_MAX_EVENT_ARRAY_PAGES; i++ )
 unmap_guest_page(d->evtchn_fifo->event_array[i]);
 xfree(d->evtchn_fifo);
+ d->evtchn_fifo = NULL;
 }
 
 static void setup_ports(struct domain *d)
-- 
2.39.5
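Review bot: The added `d->evtchn_fifo = NULL;` carries an invariant that is only explained in the commit message, not at the point of use: per the description, evtchn_fifo_init_control() treats a NULL d->evtchn_fifo as "not yet initialised", so a stale pointer after xfree() lets a retried init operate on freed memory. A comment above the assignment would keep the next maintainer from dropping it, e.g. `/* init_control treats NULL as "not set up": a stale pointer here is a use-after-free. */`. Note also that the loop two lines above dereferences d->evtchn_fifo unconditionally, so after this change any second invocation of cleanup_event_array() (for instance if evtchn_fifo_destroy() runs again at domain teardown after the init error path) must be guarded by a NULL check in the caller; the caller is outside this hunk, so it is worth confirming that evtchn_fifo_destroy() has one. cleanup_event_array() begins before the hunk, where `i` is presumably declared.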