[Oraclevm-errata] OVMSA-2016-0037 Important: Oracle VM 3.2 kernel-uek security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Thu Mar 17 12:44:21 PDT 2016

Oracle VM Security Advisory OVMSA-2016-0037

The following updated rpms for Oracle VM 3.2 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Fix double free iocb->private with AIO DIO (Shirley Ma)  [Orabug: 
- xen/xenbus: Avoid synchronous wait on XenBus stalling 
shutdown/restart. (Konrad Rzeszutek Wilk)  [Orabug: 18932877]
- Increased maximum tape device limit to 1024 in UEK2 (Ritika 
Srivastava)  [Orabug: 22044668]
- qla2xxx: don't treat initial temperature read failure as an error (Dan 
Duval)  [Orabug: 22098738]
- Revert "qla2xxx: Display mailbox failure by default." (Dan Duval) 
[Orabug: 22098738]
- RDS: Add interface for receive MSG latency trace (Santosh Shilimkar) 
[Orabug: 22630078]
- RDS: Add support for per socket SO_TIMESTAMP for incoming messages 
(Santosh Shilimkar)  [Orabug: 22630078]
- rds: add infrastructure to find more details for reconnect failure 
(Ajaykumar Hotchandani)  [Orabug: 21799394]
- rds: find connection drop reason (Ajaykumar Hotchandani)  [Orabug: 

- block: bump BLK_DEF_MAX_SECTORS to 2560 (Joe Jin)  [Orabug: 22521844]
- Revert "block: remove artifical max_hw_sectors cap" (Joe Jin) 
[Orabug: 22521844]

- KEYS: Don't permit request_key() to construct a new keyring (David 
Howells)  [Orabug: 22373449]  {CVE-2015-7872}

- crypto: add missing crypto module aliases (Mathias Krause)  [Orabug: 
22249656]  {CVE-2013-7421} {CVE-2014-9644}
- crypto: include crypto- module prefix in template (Kees Cook) 
[Orabug: 22249656]  {CVE-2013-7421} {CVE-2014-9644}
- crypto: prefix module autoloading with "crypto-" (Kees Cook)  [Orabug: 
22249656]  {CVE-2013-7421} {CVE-2014-9644}

- KVM: x86: Don't report guest userspace emulation error to userspace 
(Nadav Amit)  [Orabug: 22249615]  {CVE-2010-5313} {CVE-2014-7842}

- rds: print rdma_cm_id while establishing connection (Ajaykumar 
Hotchandani)  [Orabug: 22315028]
- rdma_cm: extend debug for remote mapping (Ajaykumar Hotchandani) 
[Orabug: 22315028]
- OFED: indicate consistent vendor error (Ajaykumar Hotchandani) 
[Orabug: 22308787]
- mlx4_core: print device details for PORT event (Ajaykumar Hotchandani) 
  [Orabug: 22113813]
- mlx4_core: enable print for device reset (Ajaykumar Hotchandani) 
[Orabug: 22308637]
- mlx4_core: correct fmr_reserve() (Ajaykumar Hotchandani)  [Orabug: 

- msg_unlock() in wrong spot after applying "Initialize msg/shm IPC 
objects before doing ipc_addid()" (Chuck Anderson)  [Orabug: 22250044] 
{CVE-2015-7613} {CVE-2015-7613}

- ipc/sem.c: fully initialize sem_array before making it visible 
(Manfred Spraul)  [Orabug: 22250044]  {CVE-2015-7613}
- Initialize msg/shm IPC objects before doing ipc_addid() (Linus 
Torvalds)  [Orabug: 22250044]  {CVE-2015-7613}

- KVM: svm: unconditionally intercept #DB (Paolo Bonzini)  [Orabug: 
22333698]  {CVE-2015-8104} {CVE-2015-8104}
- KVM: x86: work around infinite loop in microcode when #AC is delivered 
(Eric Northup)  [Orabug: 22333689]  {CVE-2015-5307} {CVE-2015-5307}

- mm/swap.c: reorganize put_compound_page() (Andrew Morton)  [Orabug: 
- mm/hugetlb.c: simplify PageHeadHuge() and PageHuge() (Andrew Morton) 
[Orabug: 16823432]
- mm: document PageHuge somewhat (Andrew Morton)  [Orabug: 16823432]
- mm: hugetlbfs: use __compound_tail_refcounted in __get_page_tail too 
(Andrea Arcangeli)  [Orabug: 16823432]
- mm: tail page refcounting optimization for slab and hugetlbfs (Andrea 
Arcangeli)  [Orabug: 16823432]
- mm: thp: optimize compound_trans_huge (Andrea Arcangeli)  [Orabug: 
- mm: hugetlbfs: move the put/get_page slab and hugetlbfs optimization 
in a faster path (Andrea Arcangeli)  [Orabug: 16823432]
- mm: hugetlb: use get_page_foll() in follow_hugetlb_page() (Andrea 
Arcangeli)  [Orabug: 16823432]
- mm: hugetlbfs: fix hugetlbfs optimization (Andrea Arcangeli)  [Orabug: 
- mm: fix aio performance regression for database caused by THP (Khalid 
Aziz)  [Orabug: 16823432]
- mm: fix slab->page flags corruption (Pravin B Shelar)  [Orabug: 16823432]
- IB/mlx4: Implement IB_QP_CREATE_USE_GFP_NOIO (Jiri Kosina)
- IB: Add a QP creation flag to use GFP_NOIO allocations (Or Gerlitz)
- IB: Return error for unsupported QP creation flags (Or Gerlitz)

- x86/xen: properly retrieve NMI reason (Jan Beulich)  [Orabug: 21892076]
- x86/mrst: Avoid reporting wrong nmi status (Jacob Pan)  [Orabug: 
- xen: Support 64-bit PV guest receiving NMIs (Konrad Rzeszutek Wilk) 
[Orabug: 21892076]
- nfsd: fix rare symlink decoding bug (J. Bruce Fields)  [Orabug: 18405506]
- ocfs2: __ocfs2_mknod_locked should return error when 
ocfs2_create_new_inode_locks() failed (Xue jiufei)  [Orabug: 21171285]
- NFSv4: Get rid of unnecessary BUG_ON()s (Trond Myklebust)  [Orabug: 
- IPoIB: serialize changing on tx_outstanding (Wengang Wang)  [Orabug: 
- x86/xen: Do not clip xen_e820_map to xen_e820_map_entries when 
sanitizing map (Malcolm Crossley)
- IPoIB: Drop priv->lock before calling ipoib_send() (Wengang Wang)
- IB/mlx4: Use vmalloc for WR buffers when needed (Wengang Wang) 
[Orabug: 22025569]
- mm: move kvfree to mm/util (Wengang Wang)  [Orabug: 22025569]
- mlx4_core: Introduce restrictions for PD update (Ajaykumar Hotchandani)
- mlx4: Increase SYNC_TPT command timeout (Mukesh Kacker)  [Orabug: 
- IB/ipoib: Calculate csum only when skb->ip_summed is CHECKSUM_PARTIAL 
(Yuval Shaia)  [Orabug: 20873175]
- virtio-net: drop NETIF_F_FRAGLIST (Jason Wang)  [Orabug: 22145599] 

- xen/blkfront: remove redundant flush_op (Vitaly Kuznetsov)  [Orabug: 
- xen/blkfront: improve protection against issuing unsupported REQ_FUA 
(Vitaly Kuznetsov)  [Orabug: 21862750]

- intel_idle: Broadwell support (Santosh Shilimkar)  [Orabug: 21805197]
- NVMe: Setup max hardware sector count to 512KB (Santosh Shilimkar) 
[Orabug: 21818552]
- mlx4_core: Fix integer overflows so 8TBs of memory (Wengang Wang)
- iw/rds: fixed big endianness conversion issue for dp->dp_ack_seq (Qing 
Huang)  [Orabug: 21107553]
- bonding: change error message to debug message in bond_release 
(Wengang Wang)

- xen-blkfront: introduce blkfront_gather_backend_features() (Bob Liu) 
[Orabug: 21795426]
- chmod can cause hang in a cluster (Tariq Saeed)  [Orabug: 21496050]

- mm/hugetlb: Add locking to region_{add,change,truncate,count} when 
using shared files with hugepages (Mike Kravetz)  [Orabug: 21561820]

- af_netlink: force credentials passing [CVE-2012-3520] (Eric Dumazet) 
[Orabug: 21591166]  {CVE-2012-3520}
- xen/pciback: Don't print scary messages when unsupported by 
hypervisor. (Konrad Rzeszutek Wilk)  [Orabug: 20642069]
- rds_rdma: setup connection before rds_cmsg_send (Wengang Wang) 
[Orabug: 20232581]
- megaraid_sas : Firmware crash dump feature support 
(Sumit.Saxena at avagotech.com)  [Orabug: 21620491]

- udp: fix behavior of wrong checksums (Eric Dumazet)  [Orabug: 
21628851]  {CVE-2015-5364} {CVE-2015-5366}
- scsi: don't add scsi_device if its already visible (Subhash Jadavani) 
  [Orabug: 21611207]
- NVMe: Don't write cq doorbell on suspended queues (Keith Busch) 
[Orabug: 21591104]
- IB/ipoib: Potential false positive with peer support for 
ib-crc-as-csum (Yuval Shaia)  [Orabug: 21350399]
- mlx4: indicate memory resource exhaustion (Ajaykumar Hotchandani) 
[Orabug: 21097014]
- rds: return EMSGSIZE for oversize requests before processing/queueing 
(Mukesh Kacker)  [Orabug: 21079258]

- md: use kzalloc() when bitmap is disabled (Benjamin Randazzo) 
[Orabug: 21563042]  {CVE-2015-5697}
- netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (Andrey 
Vagin)  [Orabug: 21562780]  {CVE-2014-9715}

- block: remove artifical max_hw_sectors cap (Joe Jin)  [Orabug: 21455630]
- idr: fix unexpected ID-removal when idr_remove(unallocated_id) (Lai 
Jiangshan)  [Orabug: 21446790]
- idr: remove WARN_ON_ONCE() on negative IDs (Tejun Heo)  [Orabug: 
- ipc,shm: fix shm_file deletion races (Greg Thelen)  [Orabug: 21446790]
- rds: avoid call to flush_mrs() in specific condition (Ajaykumar 
Hotchandani)  [Orabug: 21379403]
- rds: print vendor error (Wengang Wang)  [Orabug: 21361643]
- Xen-netback: Fix issue caused by using gso_type wrongly (Annie Li) 
[Orabug: 21358903]
- xen-netback: fix fragments error handling in checksum_setup_ip() (Wei 
Yongjun)  [Orabug: 21358903]
- xen-netback: make sure skb linear area covers checksum field (Paul 
Durrant)  [Orabug: 21358903]
- xen-netback: reset network header before passing skb to checksum 
funtion (Annie Li)  [Orabug: 21358903]
- xen-netback: fix fragment detection in checksum setup (Paul Durrant) 
[Orabug: 21358903]
- xen-netback: fix gso_prefix check (Paul Durrant)  [Orabug: 21358903]
- xen-netback: include definition of csum_ipv6_magic (Andy Whitcroft) 
[Orabug: 21358903]
- xen-netback: enable IPv6 TCP GSO to the guest (Paul Durrant)  [Orabug: 
- xen-netback: handle IPv6 TCP GSO packets from the guest (Paul Durrant) 
  [Orabug: 21358903]
- xen-netback: Unconditionally set NETIF_F_RXCSUM (Paul Durrant) 
[Orabug: 21358903]
- xen-netback: add support for IPv6 checksum offload from guest (Paul 
Durrant)  [Orabug: 21358903]
- xen-netback: switch to use skb_partial_csum_set() (Jason Wang) 
[Orabug: 21358903]
- xen-netback: add support for IPv6 checksum offload to guest (Paul 
Durrant)  [Orabug: 21358903]
- vfs: allow umount to handle mountpoints without revalidating them 
(Jeff Layton)  [Orabug: 21321002]
- rds: rds_ib_device.refcount overflow (Wengang Wang)  [Orabug: 21288594]
- sched: Optimize task_sched_runtime() (Peter Zijlstra)  [Orabug: 20739920]
- IPoIB: Fix ipoib_hard_header() return value (Doug Ledford)  [Orabug: 

- x86, tls: Interpret an all-zero struct user_desc as "no segment" (Andy 
Lutomirski)  [Orabug: 21514969]
- x86, tls, ldt: Stop checking lm in LDT_empty (Andy Lutomirski) 
[Orabug: 21514969]

- KVM: x86: SYSENTER emulation is broken (Nadav Amit)  [Orabug: 
21502740]  {CVE-2015-0239} {CVE-2015-0239}
- x86/tls: Validate TLS entries to protect espfix (Andy Lutomirski) 
[Orabug: 20223777]  {CVE-2014-8133}
- fs: take i_mutex during prepare_binprm for set[ug]id executables (Jann 
Horn)  [Orabug: 21502255]  {CVE-2015-3339}
- eCryptfs: Remove buggy and unnecessary write in file name decode 
routine (Michael Halcrow)  [Orabug: 21502066]  {CVE-2014-9683}

- ipv6: Don't reduce hop limit for an interface (D.S. Ljungmark) 
[Orabug: 21444791]  {CVE-2015-2922}
- ipv4: Missing sk_nulls_node_init() in ping_unhash(). (David S. Miller) 
  [Orabug: 21444688]  {CVE-2015-3636}
- x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization (Andy 
Lutomirski)  [Orabug: 21308308]  {CVE-2015-2830}
- x86, mm/ASLR: Fix stack randomization on 64-bit systems (Hector 
Marco-Gisbert)  [Orabug: 21307918]  {CVE-2015-1593} {CVE-2015-1593}

- NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock 
(Tariq Saeed)  [Orabug: 20933419]
- jbd2: fix hung processes in jbd2_journal_lock_updates() (Jan Kara)
- rds: make sure base connection is up on both sides (Ajaykumar 
Hotchandani)  [Orabug: 20011421]

- x86_64, vdso: Fix the vdso address randomization algorithm (Andy 
Lutomirski)  [Orabug: 21226730]  {CVE-2014-9585}
- isofs: Fix infinite looping over CE entries (Jan Kara)  [Orabug: 
21225976]  {CVE-2014-9420}
- x86_64, switch_to(): Load TLS descriptors before switching DS and ES 
(Andy Lutomirski)  [Orabug: 21225938]  {CVE-2014-9419}

- IB/ipoib: Disable TSO in connected mode (Yuval Shaia)  [Orabug: 20637991]

- ib/rds: fixed big endianness conversion issue for dp->dp_ack_seq (Qing 
Huang)  [Orabug: 21057517]
- ib/rds: fixed crashes caused by incoming requests with wrong 
destination (Qing Huang)  [Orabug: 20823711]
- af_unix: dont send SCM_CREDENTIALS by default (Eric Dumazet)  [Orabug: 
- scm: Capture the full credentials of the scm sender (Tim Chen) 
[Orabug: 20604916]
- af_unix: limit recursion level (Eric Dumazet)  [Orabug: 20604916]
- af_unix: Allow credentials to work across user and pid namespaces. 
(Eric W. Biederman)  [Orabug: 20604916]
- scm: Capture the full credentials of the scm sender. (Eric W. 
Biederman)  [Orabug: 20604916]
- RDS: Handle RDMA_CM_EVENT_TIMEWAIT_EXIT (Venkat Venkatsubra)  [Orabug: 
- mlx4_ib: Memory leak on Dom0 with SRIOV. (Venkat Venkatsubra) 
[Orabug: 20508779]
- BUG_ON(lockres->l_level != DLM_LOCK_EX && !checkpointed) tripped in 
ocfs2_ci_checkpointed (Tariq Saeed)  [Orabug: 20189959]
- sched: Prevent divide by zero when cpu power calculation is 0 (Todd 
Vierling)  [Orabug: 17936435]
- crypto: aesni - fix memory usage in GCM decryption (Stephan Mueller) 
[Orabug: 21077389]  {CVE-2015-3331}

- kexec: export free_huge_page to VMCOREINFO (Atsushi Kumagai)  [Orabug: 
- kexec: save PG_head_mask in VMCOREINFO (Petr Tesarik)  [Orabug: 20313589]

- Revert "Support checksum and gso offload of ipv6 in netback" (Annie 
Li)  [Orabug: 20492244]
- ocfs2/cluster: Cluster up now includes network connections too (Sunil 
Mushran)  [Orabug: 19803036]
- oracleasm: Restrict logical block size reporting (Martin K. Petersen) 
  [Orabug: 19699681]
- oracleasm: Report logical block size (Martin K. Petersen)  [Orabug: 
- ocfs2: dlm: fix lock migration crash (Junxiao Bi)  [Orabug: 18317308]
- xfs: fix sgid inheritance for subdirectories inheriting default acls 
[V3] (Carlos Maiolino)  [Orabug: 17423815]
- RDS/IP: RDS takes 10 seconds to plumb the second IP back (Mukesh 
Kacker)  [Orabug: 20231857]
- RDS/IB: Tune failover-on-reboot scheduling (Mukesh Kacker)  [Orabug: 
- RDS: mark netdev UP for intfs added post module load (Mukesh Kacker) 
[Orabug: 20130536]
- SUNRPC: Prevent an rpc_task wakeup race (Trond Myklebust)  [Orabug: 
- sunrpc: clarify comments on rpc_make_runnable (Jeff Layton)  [Orabug: 

- xen/pciback: Don't disable PCI_COMMAND on PCI device reset. (Konrad 
Rzeszutek Wilk)  [Orabug: 20807440]  {CVE-2015-2150}
- xen-blkfront: fix accounting of reqs when migrating (Roger Pau Monne) 
  [Orabug: 20727114]
- Revert "qla2xxx: Ramp down queue depth for attached SCSI devices when 
driver resources are low." (Chad Dupuis)  [Orabug: 20657415]
- x86/xen: allow privcmd hypercalls to be preempted (David Vrabel) 
[Orabug: 20618759]
- sched: Expose preempt_schedule_irq() (Thomas Gleixner)  [Orabug: 
- isofs: Fix unchecked printing of ER records (Jan Kara)  [Orabug: 
20930552]  {CVE-2014-9584}
- selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 
(Stephen Smalley)  [Orabug: 20930502]  {CVE-2014-3215}
- Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs 
(Andy Lutomirski)  [Orabug: 20930518]  {CVE-2014-3215}
- IB/core: Prevent integer overflow in ib_umem_get address arithmetic 
(Shachar Raindel)  [Orabug: 20788393]  {CVE-2014-8159} {CVE-2014-8159}
- xen-pciback: limit guest control of command register (Jan Beulich) 
[Orabug: 20704156]  {CVE-2015-2150} {CVE-2015-2150}
- net: sctp: fix slab corruption from use after free on INIT collisions 
(Daniel Borkmann)  [Orabug: 20780348]  {CVE-2015-1421}

More information about the Oraclevm-errata mailing list