Vigil@nce - Xen: use after free via pci_piix3_xen_ide_unplug
October 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in a guest system can force the use of a freed
memory area in the pci_piix3_xen_ide_unplug() function of Xen, in
order to trigger a denial of service, and possibly to run code in
the host system.
– Impacted products: Fedora, SUSE Linux Enterprise Desktop, SLES,
Ubuntu, Xen.
– Severity: 2/4.
– Creation date: 03/08/2015.
DESCRIPTION OF THE VULNERABILITY
Xen can host an HVM x86 guest system whose IDE disk is emulated by
qemu-xen.
However, when this disk is unplugged, the pci_piix3_xen_ide_unplug()
function frees a memory area and then continues to use it.
An attacker in a guest system can therefore force the use of a
freed memory area in the pci_piix3_xen_ide_unplug() function of
Xen, in order to trigger a denial of service, and possibly to run
code in the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-use-after-free-via-pci-piix3-xen-ide-unplug-17572