[Oraclevm-errata] OVMSA-2012-0056 Important: Oracle VM 3.0 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Tue Dec 4 22:43:44 PST 2012


Oracle VM Security Advisory OVMSA-2012-0056

The following updated rpms for Oracle VM 3.0 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.0.0-81.el5.25.x86_64.rpm
xen-devel-4.0.0-81.el5.25.x86_64.rpm
xen-tools-4.0.0-81.el5.25.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.0/SRPMS-updates/xen-4.0.0-81.el5.25.src.rpm



Description of changes:

[4.0.0-81.el5.25 ]
- xen: fix error handling of guest_physmap_mark_populate_on_demand()
   The only user of the 'out' label bypasses a necessary unlock, thus
   enabling the caller to lock up Xen.
   Also, the function was never meant to be called by a guest for itself,
   so rather than inspecting the code paths in depth for potential other
   problems this might cause, and adjusting e.g. the non-guest printk()
   in the above error path, just disallow the guest access to it.
   Finally, the printk() (considering its potential of spamming the log,
   the more that it's not using XENLOG_GUEST), is being converted to
   P2M_DEBUG(), as debugging is what it apparently was added for in the
   first place.
   This is XSA-30 / CVE-2012-5514.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Ian Campbell <ian.campbell at citrix.com>
   Acked-by: George Dunlap <george.dunlap at eu.citrix.com>
   Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 
15907247] {CVE-2012-5514}

[4.0.0-81.el5.24 ]
- Revert version 2 of XSA-30 / CVE-2012-5514
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 
15907247] {CVE-2012-5514}

[4.0.0-81.el5.23 ]
- memop: limit guest specified extent order
   Allowing unbounded order values here causes almost unbounded loops
   and/or partially incomplete requests, particularly in PoD code.
  The added range checks in populate_physmap(), decrease_reservation(),
   and the 'in' one in memory_exchange() architecturally all could use
   PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
   MAX_ORDER.
   This is XSA-31 / CVE-2012-5515.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Tim Deegan <tim at xen.org>
   Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 
15907269] {CVE-2012-5515}

[4.0.0-81.el5.22 ]
- xen: fix error path of guest_physmap_mark_populate_on_demand()
   The only user of the 'out' label bypasses a necessary unlock, thus
   enabling the caller to lock up Xen.
   This is XSA-30 / CVE-2012-5514.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Ian Campbell <ian.campbell at citrix.com>
   Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 
15907247] {CVE-2012-5514}

[4.0.0-81.el5.21 ]
- xen: add missing guest address range checks to XENMEM_exchange handlers
   Ever since its existence (3.0.3 iirc) the handler for this has been
   using non address range checking guest memory accessors (i.e.
   the ones prefixed with two underscores) without first range
   checking the accessed space (via guest_handle_okay()), allowing
   a guest to access and overwrite hypervisor memory.
   This is XSA-29 / CVE-2012-5513.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Ian Campbell <ian.campbell at citrix.com>
   Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: Joe Jin <joe.jin at oracle.com> [bug 15907241] {CVE-2012-5513}

[4.0.0-81.el5.20 ]
- hvm: Limit the size of large HVM op batches
   Doing large p2m updates for HVMOP_track_dirty_vram without preemption
   ties up the physical processor. Integrating preemption into the p2m
   updates is hard so simply limit to 1GB which is sufficient for a 15000
   * 15000 * 32bpp framebuffer.
   For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
   necessary machinery to handle preemption.
   This is CVE-2012-5511 / XSA-27.
   Signed-off-by: Tim Deegan <tim at xen.org>
   Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
   Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
   x86/paging: Don't allocate user-controlled amounts of stack memory.
   This is XSA-27 / CVE-2012-5511.
   Signed-off-by: Tim Deegan <tim at xen.org>
   Acked-by: Jan Beulich <jbeulich at suse.com>
   v2: Provide definition of GB to fix x86-32 compile.
   Signed-off-by: Jan Beulich <JBeulich at suse.com>
   Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: Joe Jin <joe.jin at oracle.com> [bug 15907163] {CVE-2012-5511}

[4.0.0-81.el5.19 ]
- xen/common/grant_table.c
   gnttab: fix releasing of memory upon switches between versions
   gnttab_unpopulate_status_frames() incompletely freed the pages
   previously used as status frame in that they did not get removed from
   the domain's xenpage_list, thus causing subsequent list corruption
   when those pages did get allocated again for the same or another purpose.
   Similarly, grant_table_create() and gnttab_grow_table() both improperly
   clean up in the event of an error - pages already shared with the guest
   can't be freed by just passing them to free_xenheap_page(). Fix this by
   sharing the pages only after all allocations succeeded.
   This is CVE-2012-5510 / XSA-26.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Ian Campbell <ian.campbell at citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 
15907210] {CVE-2012-5510}




More information about the Oraclevm-errata mailing list