[Oraclevm-errata] OVMSA-2016-0171 Important: Oracle VM 3.3 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed Dec 7 09:18:18 PST 2016 

Oracle VM Security Advisory OVMSA-2016-0171

The following updated rpms for Oracle VM 3.3 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.3.0-55.el6.119.62.x86_64.rpm
xen-tools-4.3.0-55.el6.119.62.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/xen-4.3.0-55.el6.119.62.src.rpm



Description of changes:

[4.3.0-55.el6.119.62]
- qemu_up: ioport_read, ioport_write: be defensive about 32-bit addresses
   On x86, ioport addresses are 16-bit.  That these functions take 32-bit
   arguments is a mistake.  Changing the argument type to 16-bit will
   discard the top bits of any erroneous values from elsewhere in qemu.
   Also, check just before use that the value is in range.  (This turns
   an ill-advised change to MAX_IOPORTS into a possible guest crash
   rather than a privilege escalation vulnerability.)
   And, in the Xen ioreq processor, clamp incoming ioport addresses to
   16-bit values.  Xen will never write >16-bit values but the guest may
   have access to the ioreq ring.  We want to defend the rest of the qemu
   code from wrong values.
   This is XSA-199.
   Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 
25149316] {CVE-2016-9637}

[4.3.0-55.el6.119.61]
- qemu: ioport_read, ioport_write: be defensive about 32-bit addresses
   On x86, ioport addresses are 16-bit.  That these functions take 32-bit
   arguments is a mistake.  Changing the argument type to 16-bit will
   discard the top bits of any erroneous values from elsewhere in qemu.
   Also, check just before use that the value is in range.  (This turns
   an ill-advised change to MAX_IOPORTS into a possible guest crash
   rather than a privilege escalation vulnerability.)
   And, in the Xen ioreq processor, clamp incoming ioport addresses to
   16-bit values.  Xen will never write >16-bit values but the guest may
   have access to the ioreq ring.  We want to defend the rest of the qemu
   code from wrong values.
   This is XSA-199.
   Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 
25149316] {CVE-2016-9637}

More information about the Oraclevm-errata mailing list