From oraclevm-errata at oss.oracle.com  Thu May 14 10:32:25 2015
From: oraclevm-errata at oss.oracle.com (Errata Announcements for Oracle VM)
Date: Thu, 14 May 2015 10:32:25 -0700
Subject: [Oraclevm-errata] OVMSA-2015-0057 Critical: Oracle VM 3.3 xen security update
Message-ID: <5554DC29.4040002@oracle.com>

Oracle VM Security Advisory OVMSA-2015-0057

The following updated rpms for Oracle VM 3.3 have been uploaded to the
Unbreakable Linux Network:

x86_64:
xen-4.3.0-55.el6.22.24.x86_64.rpm
xen-tools-4.3.0-55.el6.22.24.x86_64.rpm

SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/xen-4.3.0-55.el6.22.24.src.rpm

Description of changes:

[4.3.0-55.el6.22.24]
- fdc: force the fifo access to be in bounds of the allocated buffer
  During processing of certain commands such as FD_CMD_READ_ID and
  FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of
  bounds leading to memory corruption with values coming from the guest.
  Fix this by making sure that the index is always bounded by the allocated
  memory.
  This is CVE-2015-3456.
  Signed-off-by: Petr Matousek
  Reviewed-by: John Snow
  XSA-133
  Acked-by: Chuck Anderson
  [bug 21078640] {CVE-2015-3456}

[4.3.0-55.el6.22.23]
- fdc: force the fifo access to be in bounds of the allocated buffer
  During processing of certain commands such as FD_CMD_READ_ID and
  FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of
  bounds leading to memory corruption with values coming from the guest.
  Fix this by making sure that the index is always bounded by the allocated
  memory.
  This is CVE-2015-3456.
  Signed-off-by: Petr Matousek
  Reviewed-by: John Snow
  XSA-133
  Acked-by: Chuck Anderson
  [bug 21078640] {CVE-2015-3456}

[4.3.0-55.el6.22.22]
- domctl: don't allow a toolstack domain to call domain_pause() on itself
  These DOMCTL subops were accidentally declared safe for disaggregation in
  the wake of XSA-77.
  This is XSA-127.
  Signed-off-by: Andrew Cooper
  Reviewed-by: Jan Beulich
  Acked-by: Ian Campbell
  Acked-by: Chuck Anderson
  Reviewed-by: Konrad Rzeszutek Wilk
  [bug 20739551] {CVE-2015-2751}

[4.3.0-55.el6.22.21]
- xen: limit guest control of PCI command register
  Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported
  Request responses (by disabling memory and/or I/O decoding and subsequently
  causing [CPU side] accesses to the respective address ranges), which
  (depending on system configuration) may be fatal to the host.
  This is CVE-2015-2756 / XSA-126.
  Signed-off-by: Jan Beulich
  Reviewed-by: Stefano Stabellini
  Acked-by: Ian Campbell
  Conflicts: tools/qemu-xen-traditional-dir/hw/pass-through.c
  Acked-by: Chuck Anderson
  [bug 20739354] {CVE-2015-2756}

[4.3.0-55.el6.22.20]
- xen: limit guest control of PCI command register
  Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported
  Request responses (by disabling memory and/or I/O decoding and subsequently
  causing [CPU side] accesses to the respective address ranges), which
  (depending on system configuration) may be fatal to the host.
  This is CVE-2015-2756 / XSA-126.
  Signed-off-by: Jan Beulich
  Reviewed-by: Stefano Stabellini
  Acked-by: Ian Campbell
  Acked-by: Chuck Anderson
  Reviewed-by: Konrad Rzeszutek Wilk
  [bug 20739354] {CVE-2015-2756}

[4.3.0-55.el6.22.19]
- Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs
  (or less)
  Said hypercall for large BARs can take quite a while. As such we can
  require that the hypercall MUST break up the request into smaller values.
  Another approach is to add preemption to it - whether we do the preemption
  using hypercall_create_continuation or returning EAGAIN to userspace (and
  have it re-invoke the call) - either way the issue we cannot easily solve
  is that in 'map_mmio_regions' if we encounter an error we MUST call
  'unmap_mmio_regions' for the whole BAR region.
  Since the preemption would re-use input fields such as nr_mfns, first_gfn,
  first_mfn - we would lose the original values - and only undo what was
  done in the current round (i.e. ignoring anything that was done prior to
  earlier preemptions). Unless we re-used the return value as
  'EAGAIN|nr_mfns_done<<10' but that puts a limit (since the return value is
  a long) on the amount of nr_mfns that can be provided.
  This patch sidesteps this problem by:
  - Setting a hard limit of nr_mfns having to be 64 or less.
  - Toolstack adjusts correspondingly to the nr_mfn limit.
  - If there is an error when adding the toolstack will call the remove
    operation to remove the whole region.
  The need to break this hypercall down is that for large BARs it can take
  more than the guest's (initial domain usually) time-slice. This has the
  negative result that the guest is locked out for a long duration and is
  unable to act on any pending events.
  We also augment the code to return zero if nr_mfns is zero instead of
  trying the hypercall.
  Suggested-by: Jan Beulich
  Acked-by: Jan Beulich
  Signed-off-by: Konrad Rzeszutek Wilk
  Acked-by: Ian Campbell
  This is CVE-2015-2752 / XSA-125.
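Worked example, added by the editor and not part of the advisory or of the QEMU/Xen sources: a stand-alone C model of the FIFO index handling that the XSA-133 entry above describes. The type and field names (FDCtrl, fifo, data_pos, data_len) follow QEMU's fdc.c for readability; the simplified handler, the five-byte parameter count and the guest byte streams are assumptions of the model, constructed here. What it shows is the mechanism in the commit message: a command whose handler does not reset the FIFO leaves data_pos growing on every further guest write, so the pre-fix slot (data_pos itself) walks past the end of the 512-byte buffer, while the post-fix slot (data_pos % FD_SECTOR_LEN) always stays inside it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FD_SECTOR_LEN 512                       /* size of the emulated data FIFO */
#define FD_CMD_DRIVE_SPECIFICATION_COMMAND 0x8e /* opcode value as in QEMU's fdc.c */

/* Stand-alone model of the controller state (assumption: field names follow
 * QEMU's FDCtrl for readability; this is not the device emulator itself). */
typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;  /* slot the next guest byte is stored in */
    uint32_t data_len;  /* parameter bytes the current command expects */
} FDCtrl;

static void fdctrl_reset_fifo(FDCtrl *f)
{
    f->data_pos = 0;
    f->data_len = 0;
}

/* Pre-fix slot computation: whatever data_pos has grown to. */
static uint32_t fifo_slot_unbounded(const FDCtrl *f)
{
    return f->data_pos;
}

/* Post-fix slot computation (the XSA-133 change): always inside fifo[]. */
static uint32_t fifo_slot_bounded(const FDCtrl *f)
{
    return f->data_pos % FD_SECTOR_LEN;
}

/* Simplified drive-specification handler: the FIFO is reset only when the
 * last parameter byte has bit 7 set. Otherwise data_pos is left equal to
 * data_len, the next guest write moves it past data_len, and the "all
 * parameters received" check in fdctrl_write_data never fires again. */
static void handle_drive_specification(FDCtrl *f)
{
    uint32_t last = (f->data_pos - 1) % FD_SECTOR_LEN;
    if (f->fifo[last] & 0x80)
        fdctrl_reset_fifo(f);
}

/* One guest write to the data port. The store uses the bounded slot; the
 * return value says whether the unbounded slot would have been outside
 * fifo[], i.e. whether this write would have corrupted adjacent memory. */
static bool fdctrl_write_data(FDCtrl *f, uint8_t value)
{
    bool would_overflow = fifo_slot_unbounded(f) >= FD_SECTOR_LEN;

    if (f->data_pos == 0)  /* first byte is the opcode; the model knows one command */
        f->data_len = (value == FD_CMD_DRIVE_SPECIFICATION_COMMAND) ? 5 : 1;

    f->fifo[fifo_slot_bounded(f)] = value;
    f->data_pos++;

    if (f->data_pos == f->data_len) {
        if (f->fifo[0] == FD_CMD_DRIVE_SPECIFICATION_COMMAND)
            handle_drive_specification(f);
        else
            fdctrl_reset_fifo(f);
    }
    return would_overflow;
}

/* Constructed guest stream: the opcode, then n bytes with bit 7 clear so the
 * handler never resets the FIFO. Returns how many of the writes would have
 * gone out of bounds under the pre-fix slot computation. */
static size_t replay_unterminated_stream(size_t n_payload_bytes)
{
    FDCtrl f = {0};
    size_t oob = 0;

    oob += fdctrl_write_data(&f, FD_CMD_DRIVE_SPECIFICATION_COMMAND);
    for (size_t i = 0; i < n_payload_bytes; i++)
        oob += fdctrl_write_data(&f, 0x41);  /* constructed payload byte */
    return oob;
}

/* Constructed well-formed command: the terminating byte has bit 7 set, the
 * handler resets the FIFO and data_pos is back at 0. */
static uint32_t data_pos_after_terminated_command(void)
{
    FDCtrl f = {0};
    const uint8_t params[4] = {0x00, 0x00, 0x00, 0x80};

    fdctrl_write_data(&f, FD_CMD_DRIVE_SPECIFICATION_COMMAND);
    for (size_t i = 0; i < sizeof params; i++)
        fdctrl_write_data(&f, params[i]);
    return f.data_pos;
}

int main(void)
{
    printf("511 payload bytes:  %zu out-of-bounds writes\n", replay_unterminated_stream(511));
    printf("1024 payload bytes: %zu out-of-bounds writes\n", replay_unterminated_stream(1024));
    printf("terminated command leaves data_pos = %u\n",
           (unsigned)data_pos_after_terminated_command());
    return 0;
}
```

replay_unterminated_stream(n) counts the writes that the old index would have placed past fifo[]: the first 511 payload bytes fill the buffer, every byte after that would land in whatever follows the allocation, which is the guest-controlled corruption CVE-2015-3456 describes. The counts come from this model, not from a measurement of QEMU.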
  Acked-by: Chuck Anderson
  Reviewed-by: Konrad Rzeszutek Wilk
  [bug 20732350] {CVE-2015-2752}

From oraclevm-errata at oss.oracle.com  Thu May 14 11:16:09 2015
From: oraclevm-errata at oss.oracle.com (Errata Announcements for Oracle VM)
Date: Thu, 14 May 2015 11:16:09 -0700
Subject: [Oraclevm-errata] OVMSA-2015-0058 Critical: Oracle VM 3.2 xen security update
Message-ID: <5554E669.1040405@oracle.com>

Oracle VM Security Advisory OVMSA-2015-0058

The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:

x86_64:
xen-4.1.3-25.el5.127.36.1.x86_64.rpm
xen-devel-4.1.3-25.el5.127.36.1.x86_64.rpm
xen-tools-4.1.3-25.el5.127.36.1.x86_64.rpm

SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.127.36.1.src.rpm

Description of changes:

[4.1.3-25.el5.127.36.1]
- force the fifo access to be in bounds of the allocated buffer
  This is CVE-2015-3456.
  [bug 21078935] {CVE-2015-3456}

[4.1.3-25.el5.127.36]
- xen: limit guest control of PCI command register
  Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported
  Request responses (by disabling memory and/or I/O decoding and subsequently
  causing [CPU side] accesses to the respective address ranges), which
  (depending on system configuration) may be fatal to the host.
  This is CVE-2015-2756 / XSA-126.
  Signed-off-by: Jan Beulich
  Reviewed-by: Stefano Stabellini
  Acked-by: Ian Campbell
  Conflicts: tools/ioemu-remote/hw/pass-through.c
  Acked-by: Chuck Anderson
  Reviewed-by: Konrad Rzeszutek Wilk
  [bug 20739381] {CVE-2015-2756}

[4.1.3-25.el5.127.35]
- Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs
  (or less)
  Said hypercall for large BARs can take quite a while. As such we can
  require that the hypercall MUST break up the request into smaller values.
  Another approach is to add preemption to it - whether we do the preemption
  using hypercall_create_continuation or returning EAGAIN to userspace (and
  have it re-invoke the call) - either way the issue we cannot easily solve
  is that in 'map_mmio_regions' if we encounter an error we MUST call
  'unmap_mmio_regions' for the whole BAR region.
  Since the preemption would re-use input fields such as nr_mfns, first_gfn,
  first_mfn - we would lose the original values - and only undo what was
  done in the current round (i.e. ignoring anything that was done prior to
  earlier preemptions). Unless we re-used the return value as
  'EAGAIN|nr_mfns_done<<10' but that puts a limit (since the return value is
  a long) on the amount of nr_mfns that can be provided.
  This patch sidesteps this problem by:
  - Setting a hard limit of nr_mfns having to be 64 or less.
  - Toolstack adjusts correspondingly to the nr_mfn limit.
  - If there is an error when adding the toolstack will call the remove
    operation to remove the whole region.
  The need to break this hypercall down is that for large BARs it can take
  more than the guest's (initial domain usually) time-slice. This has the
  negative result that the guest is locked out for a long duration and is
  unable to act on any pending events.
  We also augment the code to return zero if nr_mfns is zero instead of
  trying the hypercall.
  Suggested-by: Jan Beulich
  Acked-by: Jan Beulich
  Signed-off-by: Konrad Rzeszutek Wilk
  Acked-by: Ian Campbell
  This is CVE-2015-2752 / XSA-125.
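Added example (the editor's, not Xen's or QEMU's pass-through code): a C model of the command-register write filter that the XSA-126 entries in this and the previous advisory describe. The PCI_COMMAND_* bit values are the standard ones from the PCI configuration space layout; the PtCommandReg type, the permissive flag and the scenario values are assumptions of the model. Before the fix every guest write is forwarded to the physical register, so a guest can clear the memory and I/O decode bits and then provoke Unsupported Request responses with CPU-side accesses to the BAR ranges. After the fix those two bits are emulated: the guest reads back what it wrote, but the physical device keeps the host's decode state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PCI command register bits (config space offset 0x04), standard values. */
#define PCI_COMMAND_IO      0x0001  /* I/O space decoding enabled */
#define PCI_COMMAND_MEMORY  0x0002  /* memory space decoding enabled */
#define PCI_COMMAND_MASTER  0x0004  /* bus mastering enabled */

/* Bits the guest must not be able to clear on the physical device: with
 * decoding off, a CPU-side access to the BAR range draws a PCIe Unsupported
 * Request, which the advisory notes can be fatal to the host. */
#define CMD_EMULATED_BITS (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)

/* Model of one passed-through device's command register (assumption: this
 * type and the permissive flag are the model's, not the pass-through code). */
typedef struct {
    uint16_t hw;          /* value last written to the physical register */
    uint16_t guest_view;  /* value the guest reads back */
    bool     permissive;  /* trusted guest: forward every bit */
} PtCommandReg;

static void pt_cmd_init(PtCommandReg *r, uint16_t hw_value, bool permissive)
{
    r->hw = hw_value;
    r->guest_view = hw_value;
    r->permissive = permissive;
}

/* Pre-fix behaviour: the guest's write reaches the hardware unchanged. */
static uint16_t pt_cmd_write_unrestricted(PtCommandReg *r, uint16_t value)
{
    r->guest_view = value;
    r->hw = value;
    return r->hw;
}

/* Post-fix behaviour: the decode bits are emulated. The guest's view records
 * the write, but the physical register keeps the decode state the host set,
 * unless the device was explicitly marked permissive. */
static uint16_t pt_cmd_write_restricted(PtCommandReg *r, uint16_t value)
{
    r->guest_view = value;
    if (r->permissive)
        r->hw = value;
    else
        r->hw = (uint16_t)((value & ~CMD_EMULATED_BITS) | (r->hw & CMD_EMULATED_BITS));
    return r->hw;
}

/* Guest read: hardware state for forwarded bits, shadow for emulated ones. */
static uint16_t pt_cmd_read(const PtCommandReg *r)
{
    if (r->permissive)
        return r->hw;
    return (uint16_t)((r->hw & ~CMD_EMULATED_BITS) | (r->guest_view & CMD_EMULATED_BITS));
}

/* Scenario (constructed): the host enabled I/O, memory and bus mastering;
 * the guest then writes a value with both decode bits cleared. Returns what
 * reaches the physical register under the chosen policy. */
static uint16_t hw_after_decode_clear(bool restricted, bool permissive)
{
    PtCommandReg r;
    const uint16_t host_cfg = PCI_COMMAND_IO | PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER;
    const uint16_t guest_write = PCI_COMMAND_MASTER;

    pt_cmd_init(&r, host_cfg, permissive);
    return restricted ? pt_cmd_write_restricted(&r, guest_write)
                      : pt_cmd_write_unrestricted(&r, guest_write);
}

/* The guest still reads back what it wrote, so a driver that toggles decode
 * around BAR reprogramming keeps working against the emulated register. */
static uint16_t guest_view_after_decode_clear(void)
{
    PtCommandReg r;
    pt_cmd_init(&r, PCI_COMMAND_IO | PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER, false);
    pt_cmd_write_restricted(&r, PCI_COMMAND_MASTER);
    return pt_cmd_read(&r);
}

int main(void)
{
    printf("unrestricted write: hw = 0x%04x\n", hw_after_decode_clear(false, false));
    printf("restricted write:   hw = 0x%04x\n", hw_after_decode_clear(true, false));
    printf("permissive device:  hw = 0x%04x\n", hw_after_decode_clear(true, true));
    printf("guest reads back:   0x%04x\n", guest_view_after_decode_clear());
    return 0;
}
```

The permissive path exists only to show the trade-off: it is the one configuration in which the guest regains control of the decode bits, so it belongs to a guest trusted with the host's stability, not to a general tenant.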
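Added example (the editor's, not the Xen hypervisor or libxc code): a C model of the 64-GFN limit and of the toolstack loop that the XSA-125 commit message above describes. The toy hypervisor, its failure-injection field and the 0x100 base GFN are assumptions of the model; the per-call limit of 64, the zero-length early return, the undo of the current call's work on error and the whole-region remove issued by the toolstack are the behaviours the message states. The point is the atomicity problem the message explains: because each hypercall can only undo its own round, the toolstack is the one layer that still knows the whole region and therefore has to remove it when any chunk fails.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOMCTL_MAPPING_MAX_GFNS 64   /* hard per-call limit the hypervisor enforces */
#define MODEL_GFN_SPACE        4096  /* size of the toy guest physmap (assumption) */

/* Toy hypervisor: one flag per guest frame, a hypercall counter and an
 * injectable failure point. Hypothetical model, not Xen's p2m code. */
typedef struct {
    bool     mapped[MODEL_GFN_SPACE];
    uint64_t fail_at_gfn;  /* first GFN whose add fails; 0 disables injection */
    unsigned calls;        /* hypercalls issued so far */
} ToyHypervisor;

static void hv_init(ToyHypervisor *hv, uint64_t fail_at_gfn)
{
    memset(hv, 0, sizeof *hv);
    hv->fail_at_gfn = fail_at_gfn;
}

/* XEN_DOMCTL_memory_mapping as the commit message describes it after the
 * change: nr_mfns == 0 succeeds without work, more than 64 is refused up
 * front, and an error while adding undoes what this call already mapped. */
static int hv_domctl_memory_mapping(ToyHypervisor *hv, uint64_t first_gfn,
                                    uint64_t nr_mfns, bool add)
{
    hv->calls++;
    if (nr_mfns == 0) return 0;
    if (nr_mfns > DOMCTL_MAPPING_MAX_GFNS) return -E2BIG;
    if (first_gfn + nr_mfns > MODEL_GFN_SPACE) return -EINVAL;
    for (uint64_t i = 0; i < nr_mfns; i++) {
        uint64_t gfn = first_gfn + i;
        if (add && hv->fail_at_gfn && gfn >= hv->fail_at_gfn) {
            for (uint64_t j = 0; j < i; j++)   /* unmap this call's partial work */
                hv->mapped[first_gfn + j] = false;
            return -ENOMEM;
        }
        hv->mapped[gfn] = add;
    }
    return 0;
}

/* Issue the hypercall over [first_gfn, first_gfn + nr_mfns) in chunks of at
 * most 64 frames, stopping at the first error. */
static int call_chunked(ToyHypervisor *hv, uint64_t first_gfn, uint64_t nr_mfns, bool add)
{
    int rc = 0;
    for (uint64_t off = 0; off < nr_mfns && rc == 0; off += DOMCTL_MAPPING_MAX_GFNS) {
        uint64_t n = nr_mfns - off;
        if (n > DOMCTL_MAPPING_MAX_GFNS) n = DOMCTL_MAPPING_MAX_GFNS;
        rc = hv_domctl_memory_mapping(hv, first_gfn + off, n, add);
    }
    return rc;
}

/* Toolstack side: add the region in chunks; if any chunk fails, call the
 * remove operation for the whole region so nothing from earlier chunks
 * survives. A zero-length region never reaches the hypervisor. */
static int toolstack_map_bar(ToyHypervisor *hv, uint64_t first_gfn, uint64_t nr_mfns)
{
    int rc = call_chunked(hv, first_gfn, nr_mfns, true);
    if (rc)
        call_chunked(hv, first_gfn, nr_mfns, false);
    return rc;
}

/* Scenario: a BAR of bar_frames frames at GFN 0x100 (assumed base) with an
 * optional injected failure. Reports rc, frames still mapped, hypercalls. */
static int scenario(uint64_t bar_frames, uint64_t fail_at_gfn,
                    unsigned *mapped, unsigned *calls)
{
    ToyHypervisor hv;
    hv_init(&hv, fail_at_gfn);
    int rc = toolstack_map_bar(&hv, 0x100, bar_frames);
    unsigned n = 0;
    for (size_t i = 0; i < MODEL_GFN_SPACE; i++)
        n += hv.mapped[i];
    if (mapped) *mapped = n;
    if (calls)  *calls = hv.calls;
    return rc;
}

static int      rc_for(uint64_t frames, uint64_t fail) { return scenario(frames, fail, NULL, NULL); }
static unsigned mapped_after(uint64_t frames, uint64_t fail) { unsigned m; scenario(frames, fail, &m, NULL); return m; }
static unsigned calls_for(uint64_t frames, uint64_t fail) { unsigned c; scenario(frames, fail, NULL, &c); return c; }
/* A single oversized request is rejected before any frame is touched. */
static int oversized_call_rc(void) { ToyHypervisor hv; hv_init(&hv, 0); return hv_domctl_memory_mapping(&hv, 0x100, DOMCTL_MAPPING_MAX_GFNS + 1, true); }

int main(void)
{
    printf("200-frame BAR: rc=%d mapped=%u calls=%u; failure at frame 150: rc=%d mapped=%u calls=%u\n",
           rc_for(200, 0), mapped_after(200, 0), calls_for(200, 0),
           rc_for(200, 0x100 + 150), mapped_after(200, 0x100 + 150), calls_for(200, 0x100 + 150));
    printf("65 frames in one call: rc=%d\n", oversized_call_rc());
    return 0;
}
```

A 200-frame BAR takes four add calls (64, 64, 64, 8). With the injected failure in the third chunk, the hypervisor undoes that chunk's partial work, the toolstack then issues four remove calls over the whole region, and no frame from the first two chunks stays mapped; the error is reported upward rather than leaving a half-mapped BAR.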
  Conflicts: xen/arch/x86/domctl.c
  Acked-by: Chuck Anderson
  Reviewed-by: Konrad Rzeszutek Wilk
  [bug 20732402] {CVE-2015-2752}

From oraclevm-errata at oss.oracle.com  Thu May 14 14:10:58 2015
From: oraclevm-errata at oss.oracle.com (Errata Announcements for Oracle VM)
Date: Thu, 14 May 2015 14:10:58 -0700
Subject: [Oraclevm-errata] OVMSA-2015-0059 Moderate: Oracle VM 2.2 xen security update
Message-ID: <55550F62.20204@oracle.com>

Oracle VM Security Advisory OVMSA-2015-0059

The following updated rpms for Oracle VM 2.2 have been uploaded to the
Unbreakable Linux Network:

i386:
xen-3.4.0-0.2.23.el5.i386.rpm
xen-64-3.4.0-0.2.23.el5.noarch.rpm
xen-debugger-3.4.0-0.2.23.el5.noarch.rpm
xen-devel-3.4.0-0.2.23.el5.i386.rpm
xen-pvhvm-devel-3.4.0-0.2.23.el5.i386.rpm
xen-tools-3.4.0-0.2.23.el5.i386.rpm

SRPMS:
http://oss.oracle.com/oraclevm/server/2.2/SRPMS-updates/xen-3.4.0-0.2.23.el5.src.rpm

Description of changes:

[3.4.0-0.2.23]
- force the fifo access to be in bounds of the allocated buffer
  This is XSA-133.
  [bug 21078975] {CVE-2015-3456}

From oraclevm-errata at oss.oracle.com  Thu May 14 18:28:38 2015
From: oraclevm-errata at oss.oracle.com (Errata Announcements for Oracle VM)
Date: Thu, 14 May 2015 18:28:38 -0700
Subject: [Oraclevm-errata] OVMSA-2015-0060 Important: Oracle VM 3.3 kernel-uek security update
Message-ID: <55554BC6.4000703@oracle.com>

Oracle VM Security Advisory OVMSA-2015-0060

The following updated rpms for Oracle VM 3.3 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-3.8.13-68.2.2.el6uek.x86_64.rpm
kernel-uek-firmware-3.8.13-68.2.2.el6uek.noarch.rpm

SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/kernel-uek-3.8.13-68.2.2.el6uek.src.rpm

Description of changes:

[3.8.13-68.2.2.el6uek]
- crypto: aesni - fix memory usage in GCM decryption (Stephan Mueller) [Orabug: 21077385] {CVE-2015-3331}

[3.8.13-68.2.1.el6uek]
- xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
  (Konrad Rzeszutek Wilk) [Orabug: 20807438] {CVE-2015-2150}
- xen-blkfront: fix accounting of reqs when migrating (Roger Pau Monne) [Orabug: 20860817]
- Doc/cpu-hotplug: Specify race-free way to register CPU hotplug callbacks (Srivatsa S. Bhat) [Orabug: 20917697]
- net/iucv/iucv.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- net/core/flow.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- mm, vmstat: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- profile: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- trace, ring-buffer: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- hwmon, via-cputemp: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- hwmon, coretemp: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- octeon, watchdog: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- oprofile, nmi-timer: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- intel-idle: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- drivers/base/topology.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- acpi-cpufreq: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- scsi, fcoe: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- scsi, bnx2fc: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- scsi, bnx2i: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- arm64, debug-monitors: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- arm64, hw_breakpoint.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, kvm: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, oprofile, nmi: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, pci, amd-bus: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, hpet: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, intel, cacheinfo: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, amd, ibs: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, therm_throt.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, mce: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, intel, uncore: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, vsyscall: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, cpuid: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- x86, msr: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- powerpc, sysfs: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- sparc, sysfs: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- s390, smp: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- s390, cacheinfo: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- arm, hw-breakpoint: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- ia64, err-inject: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- ia64, topology: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- ia64, palinfo: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- CPU hotplug, perf: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697]
- CPU hotplug: Provide lockless versions of callback registration functions (Srivatsa S. Bhat) [Orabug: 20917697]
- isofs: Fix unchecked printing of ER records (Jan Kara) [Orabug: 20930551] {CVE-2014-9584}
- KEYS: close race between key lookup and freeing (Sasha Levin) [Orabug: 20930548] {CVE-2014-9529}
- mm: memcg: do not allow task about to OOM kill to bypass the limit (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- mm: memcg: do not declare OOM from __GFP_NOFAIL allocations (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- fs: buffer: move allocation failure loop into the allocator (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- mm: memcg: handle non-error OOM situations more gracefully (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- mm: memcg: do not trap chargers with full callstack on OOM (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- mm: memcg: rework and document OOM waiting and wakeup (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- mm: memcg: enable memcg OOM killer only for user faults (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- x86: finish user fault error path with fatal signal (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- arch: mm: pass userspace fault flag to generic fault handler (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171}
- selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. (Stephen Smalley) [Orabug: 20930501] {CVE-2014-3215}
- IB/core: Prevent integer overflow in ib_umem_get address arithmetic (Shachar Raindel) [Orabug: 20799875] {CVE-2014-8159}