[Oraclevm-errata] OVMSA-2016-0104 Important: Oracle VM 3.2 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Thu Sep 8 14:42:15 PDT 2016
Oracle VM Security Advisory OVMSA-2016-0104
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
xen-4.1.3-25.el5.223.36.x86_64.rpm
xen-devel-4.1.3-25.el5.223.36.x86_64.rpm
xen-tools-4.1.3-25.el5.223.36.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.223.36.src.rpm
Description of changes:
[4.1.3-25.el5.223.36]
- From: Andrew Cooper <andrew.cooper3 at citrix.com>
Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
hvm_get_seg_reg() does not perform a range check on its input
segment, calls
hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will
hit a BUG()
in {vmx,svm}_get_segment_register().
HVM guests running with shadow paging can end up performing a virtual to
linear translation with x86_seg_none. This is used for addresses
which are
already linear. However, none of this is a legitimate pagetable
update, so
fail the emulation in such a case.
This is XSA-187
Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Reviewed-by: Tim Deegan <tim at xen.org>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com> [bug
24592947] {CVE-2016-7094}
[4.1.3-25.el5.223.35]
- x86/32on64: don't allow recursive page tables from L3
L3 entries are special in PAE mode, and hence can't reasonably be used
for setting up recursive (and hence linear) page table mappings. Since
abuse is possible when the guest in fact gets run on 4-level page
tables, this needs to be excluded explicitly.
This is XSA-185.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Conflict:
xen/arch/x86/mm.c
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com> [bug
24592799] {CVE-2016-7092}
More information about the Oraclevm-errata
mailing list