[Oraclevm-errata] OVMSA-2016-0172 Important: Oracle VM 3.2 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Wed Dec 7 09:18:42 PST 2016
Oracle VM Security Advisory OVMSA-2016-0172
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
xen-4.1.3-25.el5.223.45.x86_64.rpm
xen-devel-4.1.3-25.el5.223.45.x86_64.rpm
xen-tools-4.1.3-25.el5.223.45.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.223.45.src.rpm
Description of changes:
[4.1.3-25.el5.223.45]
- qemu: ioport_read, ioport_write: be defensive about 32-bit addresses
On x86, ioport addresses are 16-bit. That these functions take 32-bit
arguments is a mistake. Changing the argument type to 16-bit will
discard the top bits of any erroneous values from elsewhere in qemu.
Also, check just before use that the value is in range. (This turns
an ill-advised change to MAX_IOPORTS into a possible guest crash
rather than a privilege escalation vulnerability.)
And, in the Xen ioreq processor, clamp incoming ioport addresses to
16-bit values. Xen will never write >16-bit values but the guest may
have access to the ioreq ring. We want to defend the rest of the qemu
code from wrong values.
This is XSA-199.
Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug
25149333] {CVE-2016-9637}
More information about the Oraclevm-errata
mailing list