From ba799f116b55fbcc792cf6901d8794dd2ccdf5dd Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Jan 06 2015 19:35:28 +0000
Subject: xen crash due to use after free on hvm guest teardown
---
diff --git a/xen.spec b/xen.spec
index 1e84d6d..51dec40 100644
--- a/xen.spec
+++ b/xen.spec
@@ -53,7 +53,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.4.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -117,6 +117,7 @@ Patch36: xl.migrate.debug.crash.patch
 Patch37: xl.migrate.debug.fail.patch
 Patch38: xsa114-4.4.patch
 Patch39: xl.migrate.debug.fail.fix.patch
+Patch40: xsa116.patch
 Patch99: xen.figs.disable.patch
 Patch100: xen-configure-xend.patch
@@ -319,6 +320,7 @@ manage Xen virtual machines.
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
+%patch40 -p1
 %patch99 -p1
 %patch100 -p1
@@ -923,6 +925,10 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Tue Jan 06 2015 Michael Young - 4.4.1-12
+- xen crash due to use after free on hvm guest teardown [XSA-116,
+ CVE-2015-0361] (#1179221)
+
 * Tue Dec 16 2014 Michael Young - 4.4.1-11
 - fix xendomains issue introduced by xl migrate --debug patch
diff --git a/xsa116.patch b/xsa116.patch
new file mode 100644
index 0000000..816a9bd
--- /dev/null
+++ b/xsa116.patch
@@ -0,0 +1,33 @@
+x86/HVM: prevent use-after-free when destroying a domain
+
+hvm_domain_relinquish_resources() can free certain domain resources
+which can still be accessed, e.g. by HVMOP_set_param, while the domain
+is being cleaned up.
+
+Signed-off-by: Mihai Donțu
+Tested-by: Răzvan Cojocaru
+Reviewed-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -1487,9 +1487,6 @@ int hvm_domain_initialise(struct domain
+ 
+ void hvm_domain_relinquish_resources(struct domain *d)
+ {
+- xfree(d->arch.hvm_domain.io_handler);
+- xfree(d->arch.hvm_domain.params);
+-
+ if ( is_pvh_domain(d) )
+ return;
+ 
+@@ -1511,6 +1508,9 @@ void hvm_domain_relinquish_resources(str
+ 
+ void hvm_domain_destroy(struct domain *d)
+ {
++ xfree(d->arch.hvm_domain.io_handler);
++ xfree(d->arch.hvm_domain.params);
++
+ hvm_destroy_cacheattr_region_list(d);
+ 
+ if ( is_pvh_domain(d) )
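Review bot: The two xfree() calls moved into hvm_domain_destroy() still leave d->arch.hvm_domain.io_handler and d->arch.hvm_domain.params pointing at freed memory for the rest of teardown (hvm_destroy_cacheattr_region_list() and whatever follows past the end of the hunk), so any late lookup through those fields would again be a silent use-after-free rather than a crash; I would clear each pointer right after its free, `d->arch.hvm_domain.io_handler = NULL;` and `d->arch.hvm_domain.params = NULL;`. The fix relies on hvm_domain_destroy() being a stage at which no guest hypercall such as HVMOP_set_param can still reach the domain, which is presumably true but is not visible from the hunk, so a short why-comment above the frees would protect the placement from being "tidied" back: `/* Freed here, not in relinquish_resources(): HVMOP_set_param can still run against a dying domain (XSA-116). */`. The frees are also placed before the is_pvh_domain() early return, which matches their previous position in hvm_domain_relinquish_resources(), so PVH domains keep being covered. Both hvm_domain_relinquish_resources() and hvm_domain_destroy() continue outside the hunk.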