[Oraclevm-errata] OVMSA-2015-0067 Important: Oracle VM 3.3 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Thu Jun 11 10:03:58 PDT 2015
Oracle VM Security Advisory OVMSA-2015-0067

The following updated rpms for Oracle VM 3.3 have been uploaded to the
Unbreakable Linux Network:

x86_64:
xen-4.3.0-55.el6.22.52.x86_64.rpm
xen-tools-4.3.0-55.el6.22.52.x86_64.rpm

SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/xen-4.3.0-55.el6.22.52.src.rpm

Description of changes:
[4.3.0-55.el6.22.52]
- x86/traps: loop in the correct direction in compat_iret()
This is XSA-136.
Reviewed-by: Jan Beulich <jbeulich at suse.com>
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21219185]
{CVE-2015-4164}
[4.3.0-55.el6.22.51]
- pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
Signed-off-by: Petr Matousek <pmatouse at redhat.com>
Reported-by: Matt Tait <matttait at google.com>
Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21218590]
{CVE-2015-3209}
[4.3.0-55.el6.22.50]
- pcnet: fix Negative array index read
From: Gonglei <arei.gonglei at huawei.com>
s->xmit_pos may be assigned to a negative value (-1),
but in this branch variable s->xmit_pos is used as an index to
array s->buffer. Let's add a check for s->xmit_pos.
upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21218590]
{CVE-2015-3209}
[4.3.0-55.el6.22.49]
- pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
Signed-off-by: Petr Matousek <pmatouse at redhat.com>
Reported-by: Matt Tait <matttait at google.com>
Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
Acked-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 21218590]
{CVE-2015-3209}
[4.3.0-55.el6.22.48]
- pcnet: fix Negative array index read
From: Gonglei <arei.gonglei at huawei.com>
s->xmit_pos may be assigned to a negative value (-1),
but in this branch variable s->xmit_pos is used as an index to
array s->buffer. Let's add a check for s->xmit_pos.
upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21218590]
{CVE-2015-3209}
[4.3.0-55.el6.22.47]
- gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
... avoiding NULL derefs when the version to use wasn't set yet (via
GNTTABOP_setup_table or GNTTABOP_set_version).
This is XSA-134.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Acked-by: Ian Campbell <ian.campbell at citrix.com>
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21218010]
{CVE-2015-4163}
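
The two pcnet checks described in the changelog above (rejecting a negative xmit_pos and queuing at most sizeof(buffer) bytes across all TMDs of a packet), modelled as an added example that is not part of the advisory or of the QEMU patch. The names struct tx_state, tx_append and tx_queue_chain are hypothetical, and the descriptor lengths are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RELAY_BUF_SIZE 4096 /* relay buffer size and per-TMD maximum, per the advisory */

/* Hypothetical model of the transmit state; not QEMU's own structure. */
struct tx_state {
    uint8_t buffer[RELAY_BUF_SIZE];
    int xmit_pos; /* -1 means no packet is being assembled */
};

/* Append one descriptor's payload; returns the number of bytes queued. */
static size_t tx_append(struct tx_state *s, const uint8_t *data, size_t len)
{
    if (s->xmit_pos < 0 || (size_t)s->xmit_pos > sizeof(s->buffer))
        return 0; /* never index the buffer with an invalid position */
    size_t room = sizeof(s->buffer) - (size_t)s->xmit_pos;
    if (len > room)
        len = room; /* queue at most sizeof(buffer) bytes in total */
    memcpy(s->buffer + s->xmit_pos, data, len);
    s->xmit_pos += (int)len;
    return len;
}

/* Queue a chain of descriptors (constructed lengths); returns total bytes queued. */
static size_t tx_queue_chain(struct tx_state *s, const size_t *lens, size_t n)
{
    static const uint8_t payload[RELAY_BUF_SIZE]; /* constructed sample data, all zero */
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        /* a single descriptor never carries more than the per-TMD maximum */
        size_t len = lens[i] > sizeof(payload) ? sizeof(payload) : lens[i];
        total += tx_append(s, payload, len);
    }
    return total;
}

int main(void)
{
    struct tx_state s = { .xmit_pos = 0 };
    const size_t chain[] = { 3000, 3000 }; /* one packet spanning two descriptors */
    size_t queued = tx_queue_chain(&s, chain, 2);
    printf("requested 6000, queued %zu, xmit_pos %d\n", queued, s.xmit_pos);
    return 0;
}
```

Without the clamp in tx_append, the second 3000-byte descriptor would be copied starting at offset 3000 and run 1904 bytes past the end of the 4096-byte buffer.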