[Oraclevm-errata] OVMSA-2013-0059 Important: Oracle VM 3.2 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Fri Jun 28 13:59:33 PDT 2013
Oracle VM Security Advisory OVMSA-2013-0059
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
xen-4.1.3-25.el5.22.28.x86_64.rpm
xen-devel-4.1.3-25.el5.22.28.x86_64.rpm
xen-tools-4.1.3-25.el5.22.28.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.22.28.src.rpm
Description of changes:
[4.1.3-25.el5.22.28]
- x86: fix page refcount handling in page table pin error path
In the original patch 7 of the series addressing XSA-45 I mistakenly
took the addition of the call to get_page_light() in alloc_page_type()
to cover two decrements that would happen: One for the PGT_partial bit
that is getting set along with the call, and the other for the page
reference the caller hold (and would be dropping on its error path).
But of course the additional page reference is tied to the PGT_partial
bit, and hence any caller of a function that may leave
->arch.old_guest_table non-NULL for error cleanup purposes has to make
sure a respective page reference gets retained.
Similar issues were then also spotted elsewhere: In effect all callers
of get_page_type_preemptible() need to deal with errors in similar
ways. To make sure error handling can work this way without leaking
page references, a respective assertion gets added to that function.
This is CVE-2013-1432 / XSA-58.
Reported-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Tested-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Reviewed-by: Tim Deegan <tim at xen.org>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 16949930]
[4.1.3-25.el5.22.27]
- libxl: Restrict permissions on PV console device xenstore nodes
Matthew Daley has observed that the PV console protocol places
sensitive host
state into a guest writeable xenstore locations, this includes:
- The pty used to communicate between the console backend daemon and its
client, allowing the guest administrator to read and write arbitrary
host
files.
- The output file, allowing the guest administrator to write
arbitrary host
files or to target arbitrary qemu chardevs which include sockets,
udp, ptr,
pipes etc (see -chardev in qemu(1) for a more complete list).
- The maximum buffer size, allowing the guest administrator to
consume more
resources than the host administrator has configured.
- The backend to use (qemu vs xenconsoled), potentially allowing the
guest
administrator to confuse host software.
So we arrange to make the sensitive keys in the xenstore frontend
directory
read only for the guest. This is safe since the xenstore permissions
model,
unlike POSIX directory permissions, does not allow the guest to
remove and
recreate a node if it has write access to the containing directory.
There are a few associated wrinkles:
- The primary PV console is "special". It's xenstore node is not
under the
usual /devices/ subtree and it does not use the customary xenstore state
machine protocol. Unfortunately its directory is used for other things,
including the vnc-port node, which we do not want the guest to be
able to
write to. Rather than trying to track down all the possible
secondary uses
of this directory just make it r/o to the guest. All newly created
subdirectories inherit these permissions and so are now safe by default.
- The other serial consoles do use the customary xenstore state
machine and
therefore need write access to at least the "protocol" and "state"
nodes,
however they may also want to use arbitrary "feature-foo" nodes
(although
I'm not aware of any) and therefore we cannot simply lock down the
entire
frontend directory. Instead we add support to
libxl__device_generic_add for
frontend keys which are explicitly read only and use that to lock
down the
sensitive keys.
- Minios' console frontend wants to write the "type" node, which it
has no
business doing since this is a host/toolstack level decision. This fails
now that the node has become read only to the PV guest. Since the
toolstack
already writes this node just remove the attempt to set it.
This is CVE-XXXX-XXX / XSA-57
Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
Conflicts (4.2 backport):
tools/libxl/libxl.c (no vtpm, free front_ro on error in
libxl__device_console_add)
Conflicts (4.1 backport):
extras/mini-os/console/xenbus.c
tools/libxl/libxl.c
tools/libxl/libxl_device.c
tools/libxl/libxl_internal.h
tools/libxl/libxl_pci.c
tools/libxl/libxl_xshelp.c
- minios code was in xencons_ring.c
- many places need &gc not just gc
- libxl__xs_writev path is not const
- varios minor context fixups
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 16949687]
More information about the Oraclevm-errata
mailing list