[Oraclevm-errata] OVMSA-2016-0008 Important: Oracle VM 3.2 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Mon Jan 25 19:38:23 PST 2016


Oracle VM Security Advisory OVMSA-2016-0008

The following updated rpms for Oracle VM 3.2 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.1.3-25.el5.209.9.x86_64.rpm
xen-devel-4.1.3-25.el5.209.9.x86_64.rpm
xen-tools-4.1.3-25.el5.209.9.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.209.9.src.rpm



Description of changes:

[4.1.3-25.el5.209.9]
- VT-d: fix TLB flushing in dma_pte_clear_one()
   From: Jan Beulich <jbeulich at suse.com>
   The TLB flush code was wrong since xen-4.1.3-25.el5.127.20 (commit:
   vtd-Refactor-iotlb-flush-code.patch), both ovm-3.2.9 and ovm-3.2.10 were
   affected.
   The third parameter of __intel_iommu_iotlb_flush() is to indicate
   whether the to be flushed entry was a present one. A few lines before,
   we bailed if !dma_pte_present(*pte), so there's no need to check the
   flag here again - we can simply always pass TRUE here.
   This is CVE-2013-6375 / XSA-78.
   Suggested-by: Cheng Yueqiang <yqcheng.2008 at phdis.smu.edu.sg>
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Acked-by: Keir Fraser <keir at xen.org>
   (cherry picked from commit 85c72f9fe764ed96f5c149efcdd69ab7c18bfe3d)
   Signed-off-by: Bob Liu <bob.liu at oracle.com>
   Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 22551212] {CVE-2013-6375}

[4.1.3-25.el5.209.8]
- x86/VMX: prevent INVVPID failure due to non-canonical guest address
   While INVLPG (and on SVM INVLPGA) don't fault on non-canonical
   addresses, INVVPID fails (in the "individual address" case) when passed
   such an address.
   Since such intercepted INVLPG are effectively no-ops anyway, don't fix
   this in vmx_invlpg_intercept(), but instead have paging_invlpg() never
   return true in such a case.
   This is XSA-168.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Acked-by: Ian Campbell <ian.campbell at citrix.com>
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 22585479] {CVE-2016-1571}

[4.1.3-25.el5.209.7]
- x86/mm: PV superpage handling lacks sanity checks
   MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
   dereferencing pointers into the superpage frame table.
   get_superpage() has a similar issue.
   This is XSA-167.
   Reported-by: Qinghao Tang <luodalongde at gmail.com>
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Ian Campbell <ian.campbell at citrix.com>
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 22585464] {CVE-2016-1570}

[4.1.3-25.el5.209.6]
- xend/image: Don't throw VMException when using backend domains for disks.
   If we are using backend domains the disk image may not be
   accessible within the host (domain0). As such it is OK to
   continue on.
   The 'addStoreEntries' in DevController.py already does the check
   to make sure that when the 'backend' configuration is used - that
   said domain exists.
   As such the only change we need to do is to exclude the disk
   image location if the domain is not dom0.
   Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
   Acked-by: Adnan Misherfi <adnan.misherfi at oracle.com>
   Signed-off-by: Zhigang Wang <zhigang.x.wang at oracle.com>
   Signed-off-by: Joe Jin <joe.jin at oracle.com> [bug 22242536]

[4.1.3-25.el5.209.5]
- memory: fix XENMEM_exchange error handling
   assign_pages() can fail due to the domain getting killed in parallel,
   which should not result in a hypervisor crash.
   Also delete a redundant put_gfn() - all relevant paths leading to the
   "fail" label already do this (and there are also paths where it was
   plain wrong). All of the put_gfn()-s got introduced by 51032ca058
   ("Modify naming of queries into the p2m"), including the otherwise
   unneeded initializer for k (with even a kind of misleading comment -
   the compiler warning could actually have served as a hint that the use
   is wrong).
   This is XSA-159.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Ian Campbell <ian.campbell at citrix.com>
   Based on xen.org's xsa159.patch
   Conflicts:
   OVM 3.2 does not have the change (51032ca058) that is backed out
   in xen/common/memory.c or the put_gfn() in xen/common/memory.c
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 22326081] {CVE-2015-8339,CVE-2015-8340}



