Xen Security Advisory CVE-2017-14317 / XSA-233
cxenstored: Race in domain cleanup
UPDATES IN VERSION 3
Added metadata file
When shutting down a VM with a stubdomain, a race in cxenstored may
cause a double-free.
The xenstored daemon may crash, resulting in a DoS of any parts of the
system relying on it (including domain creation / destruction,
ballooning, device changes, etc).
All versions of Xen are vulnerable.
Only systems running the C version of xenstored ("xenstored") are
vulnerable; systems running the Ocaml version ("oxenstored") are not.
Only systems running devicemodel stubdomains are vulnerable. Only x86
HVM guests can use stubdomains. Therefore ARM systems, x86 systems
running only PV guests, and x86 systems running HVM guests with the
devicemodel not in a stubdomain (eg in dom0), are not vulnerable.
Running oxenstored will mitigate this issue. Not using stubdomains
will also mitigate the issue.
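
The conditions above (x86 host, C xenstored, device-model stubdomains in use) can be checked per host. The script below is an added example, not part of the advisory or of Xen; the function names, the verdict strings and the sample data are constructed, and it assumes stubdomains carry the toolstack's "<guest>-dm" name.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host against the
# XSA-233 conditions. Inputs are text so the logic can be checked offline.

# Flavour of the xenstore daemon from a list of process names, one per line.
xenstored_flavour() {
    if printf '%s\n' "$1" | grep -qx 'oxenstored'; then echo ocaml
    elif printf '%s\n' "$1" | grep -qx 'xenstored'; then echo c
    else echo unknown   # e.g. xenstore is not running in this domain
    fi
}

# Number of running device-model stubdomains in `xl list` output.
# Assumption: stubdomains use the toolstack's "<guest>-dm" naming.
count_stubdomains() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /-dm$/ { n++ } END { print n + 0 }'
}

# Verdict: not-affected | no-stubdom-seen | unknown-xenstored | affected
xsa233_exposure() {
    arch=$1; procs=$2; domains=$3
    case $arch in
        x86_64|i?86) ;;
        *) echo not-affected; return 0 ;;   # only x86 HVM guests use stubdomains
    esac
    flavour=$(xenstored_flavour "$procs")
    if [ "$flavour" = ocaml ]; then echo not-affected; return 0; fi
    if [ "$(count_stubdomains "$domains")" -eq 0 ]; then
        echo no-stubdom-seen; return 0      # none running now; guest configs may still ask for one
    fi
    if [ "$flavour" = unknown ]; then echo unknown-xenstored; return 0; fi
    echo affected
}

# Constructed sample input (not captured from a real host).
SAMPLE_PROCS='systemd
xenstored
xenconsoled'
SAMPLE_DOMAINS='Name         ID   Mem VCPUs State   Time(s)
Domain-0      0  4096     4 r-----   120.5
guest1        5  2048     2 -b----    30.1
guest1-dm     6    32     1 -b----     2.0'

echo "sample host: $(xsa233_exposure x86_64 "$SAMPLE_PROCS" "$SAMPLE_DOMAINS")"
# On a real dom0:
#   xsa233_exposure "$(uname -m)" "$(ps -e -o comm=)" "$(xl list)"
```

A "no-stubdom-seen" verdict only reflects the domains running at the time of the check, so guest configurations still need reviewing for stubdomain use.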
This issue was discovered by Eric Chanudet of AIS.
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)