[Oraclevm-errata] OVMSA-2017-0095 Important: Oracle VM 3.3 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed May 3 09:15:49 PDT 2017


Oracle VM Security Advisory OVMSA-2017-0095

The following updated rpms for Oracle VM 3.3 have been uploaded to the Unbreakable Linux Network:

x86_64:
xen-4.3.0-55.el6.186.24.x86_64.rpm
xen-tools-4.3.0-55.el6.186.24.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/xen-4.3.0-55.el6.186.24.src.rpm



Description of changes:

[4.3.0-55.el6.186.24]
- x86: correct create_bounce_frame
   We may push up to 96 bytes on the guest (kernel) stack, so we should
   also cover as much in the early range check. Note that this is the
   simplest possible patch, which has the theoretical potential of
   breaking a guest: We only really push 96 bytes when invoking the
   failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed
   (without / with error code respectively). There is, however, no PV OS
   known to place a kernel stack there.
   This is XSA-215.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927751]

[4.3.0-55.el6.186.23]
- x86: discard type information when stealing pages
   While a page having just a single general reference left necessarily
   has a zero type reference count too, its type may still be valid (and
   in validated state; at present this is only possible and relevant for
   PGT_seg_desc_page, as page tables have their type forcibly zapped when
   their type reference count drops to zero, and
   PGT_{writable,shared}_page pages don't require any validation). In
   such a case when the page is being re-used with the same type again,
   validation is being skipped. As validation criteria differ between
   32- and 64-bit guests, pages to be transferred between guests need to
   have their validation indicator zapped (and with it we zap all other
   type information at once).
   This is XSA-214.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927697]

[4.3.0-55.el6.186.22]
- multicall: deal with early exit conditions
   In particular changes to guest privilege level require the multicall
   sequence to be aborted, as hypercalls are permitted from kernel mode
   only. While likely not very useful in a multicall, also properly handle
   the return value in the HYPERVISOR_iret case (which should be the guest
   specified value).
   This is XSA-213.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Acked-by: Julien Grall <julien.grall at arm.com>
   Conflict:
   xen/arch/arm/traps.c
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927626]

[4.3.0-55.el6.186.21]
- From 9cd5ea821213a8d0e4e2ec7a9390713379a82a0a Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Fri, 17 Mar 2017 12:28:02 +0000
   Subject: [PATCH 2/2] xenstored: Log when the write transaction rate limit
   bites
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745231]

[4.3.0-55.el6.186.20]
- From c91e4cbe19cf6d51b075d4ef3adf6fa50bb16b7a Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Sat, 18 Mar 2017 17:12:39 +0000
   Subject: [PATCH 1/2] xenstored: apply a write transaction rate limit
   This avoids a rogue client being about to stall another client (eg the
   toolstack) indefinitely.
   This is XSA-206.
   Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
   Backported to 4.8 (not entirely trivial).
   Signed-off-by: George Dunlap <george.dunlap at citrix.com>
   Acked-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745226]

[4.3.0-55.el6.186.19]
- Erroneously pick an old version of xsa206 patchset, revert them
   xsa206-4.4-0001-xenstored-apply-a-write-transaction-rate-limit.patch
   xsa206-4.4-0002-xenstored-Log-when-the-write-transaction-rate-limit-.patch
   [bug 25745231]

[4.3.0-55.el6.186.18]
- memory: properly check guest memory ranges in XENMEM_exchange handling
   The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
   is insufficient here, guest_handle_subrange_okay() needs to be used
   instead.
   Note that the uses are okay in
   - XENMEM_add_to_physmap_batch handling due to the size field being only
   16 bits wide,
   - livepatch_list() due to the limit of 1024 enforced on the
   number-of-entries input (leaving aside the fact that this can be
   called by a privileged domain only anyway),
   - compat mode handling due to counts there being limited to 32 bits,
   - everywhere else due to guest arrays being accessed sequentially from
   index zero.
   This is XSA-212.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25760591] {CVE-2017-7228}

[4.3.0-55.el6.186.17]
- From 9cd5ea821213a8d0e4e2ec7a9390713379a82a0a Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Fri, 17 Mar 2017 12:28:02 +0000
   Subject: [PATCH 2/2] xenstored: Log when the write transaction rate limit
   bites
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745231]

[4.3.0-55.el6.186.16]
- From 2693dfd49fa0c0f2dc3ae8d21bda98c757d8bec4 Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Fri, 17 Mar 2017 12:23:34 +0000
   Subject: [PATCH 1/2] xenstored: apply a write transaction rate limit
   This avoids a rogue client being about to stall another client (eg the
   toolstack) indefinitely.
   This is XSA-206.
   Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745231]

[4.3.0-55.el6.186.15]
- From dc4eee43ac608337ae96a174e0a5c1278168bd56 Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Thu, 9 Mar 2017 11:14:55 +0000
   Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code.
   From: Gerd Hoffmann <kraxel at redhat.com>
   There is a special code path (dpy_gfx_copy) to allow graphic emulation
   notify user interface code about bitblit operations carried out by
   guests.  It is supported by cirrus and vnc server.  The intended purpose
   is to optimize display scrolls and just send over the scroll op instead
   of a full display update.
   This is rarely used these days though because modern guests simply don't
   use the cirrus blitter any more.  Any linux guest using the cirrus drm
   driver doesn't.  Any windows guest newer than winxp doesn't ship with a
   cirrus driver any more and thus uses the cirrus as simple framebuffer.
   So this code tends to bitrot and bugs can go unnoticed for a long time.
   See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
   which fixes a bug lingering in the code for almost a year, added by
   commit "c7628bf vnc: only alloc server surface with clients connected".
   Also the vnc server will throttle the frame rate in case it figures the
   network can't keep up (send buffers are full).  This doesn't work with
   dpy_gfx_copy, for any copy operation sent to the vnc client we have to
   send all outstanding updates beforehand, otherwise the vnc client might
   run the client side blit on outdated data and thereby corrupt the
   display.  So this dpy_gfx_copy "optimization" might even make things
   worse on slow network links.
   Let's kill it once and for all.
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   These changes (dropping dpy_copy and all its references and
   implementations) reimplemented for qemu-xen-traditional.
   This is XSA-211.
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Conflicts:
   hw/cirrus_vga.c
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25699219] {CVE-2016-9603}

[4.3.0-55.el6.186.14]
- From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
   From: Gerd Hoffmann <kraxel at redhat.com>
   Date: Tue, 21 Feb 2017 10:54:59 -0800
   Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
   cirrus_bitblt_cputovideo
   CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
   and blit width, at all.  Oops.  Fix it.
   Security impact: high.
   The missing blit destination check allows to write to host memory.
   Basically same as CVE-2014-8106 for the other blit variants.
   The missing blit width check allows to overflow cirrus_bltbuf,
   with the attractive target cirrus_srcptr (current cirrus_bltbuf write
   position) being located right after cirrus_bltbuf in CirrusVGAState.
   Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
   hasn't full control over cirrus_srcptr though, only one byte can be
   changed.  Once the first byte has been modified further writes land
   elsewhere.
   [ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
   Reported-by: Gerd Hoffmann <ghoffman at redhat.com>
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   cirrus_vga.c moved from hw/display/ to hw/
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25670969] {CVE-2017-2620}

[4.3.0-55.el6.186.13]
- From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
   From: Bruce Rogers <brogers at suse.com>
   Date: Tue, 21 Feb 2017 10:54:38 -0800
   Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
   blit_is_unsafe
   Commit 4299b90 added a check which is too broad, given that the source
   pitch value is not required to be initialized for solid fill operations.
   This patch refines the blit_is_unsafe() check to ignore source pitch in
   that case. After applying the above commit as a security patch, we
   noticed the SLES 11 SP4 guest gui failed to initialize properly.
   Signed-off-by: Bruce Rogers <brogers at suse.com>
   Message-id: 20170109203520.5619-1-brogers at suse.com
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   cirrus_vga.c moved from hw/display/ to hw/
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25670969] {CVE-2017-2620}

[4.3.0-55.el6.186.12]
- From: Gerd Hoffmann <kraxel at redhat.com>
   Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
   CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
   and blit width, at all.  Oops.  Fix it.
   Security impact: high.
   The missing blit destination check allows to write to host memory.
   Basically same as CVE-2014-8106 for the other blit variants.
   The missing blit width check allows to overflow cirrus_bltbuf,
   with the attractive target cirrus_srcptr (current cirrus_bltbuf write
   position) being located right after cirrus_bltbuf in CirrusVGAState.
   Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
   hasn't full control over cirrus_srcptr though, only one byte can be
   changed.  Once the first byte has been modified further writes land
   elsewhere.
   [ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
   Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
   Reported-by: Gerd Hoffmann <ghoffman at redhat.com>
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25670969] {CVE-2017-2620}

[4.3.0-55.el6.186.11]
- From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
   From: Li Qiang <liqiang6-s at 360.cn>
   Date: Mon, 13 Feb 2017 15:22:15 +0000
   Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
   When doing bitblt copy in backward mode, we should minus the
   blt width first just like the adding in the forward mode. This
   can avoid the oob access of the front of vga's vram.
   This is XSA-208.
   upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
   Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
   [ kraxel: with backward blits (negative pitch) addr is the topmost
   address, so check it as-is against vram size ]
   Cc: qemu-stable at nongnu.org
   Cc: P J P <ppandit at redhat.com>
   Cc: Laszlo Ersek <lersek at redhat.com>
   Cc: Paolo Bonzini <pbonzini at redhat.com>
   Cc: Wolfgang Bumiller <w.bumiller at proxmox.com>
   Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   Message-id: 1485938101-26602-1-git-send-email-kraxel at redhat.com
   Reviewed-by: Laszlo Ersek <lersek at redhat.com>
   Signed-off-by: Stefano Stabellini <sstabellini at kernel.org>
   cirrus_vga.c moved from hw/display/ to hw/
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25670969] {CVE-2017-2615}

[4.3.0-55.el6.186.10]
- From d3532a0db02296e687711b8cdc7791924efccea0 Mon Sep 17 00:00:00 2001
   From: Gerd Hoffmann <kraxel at redhat.com>
   Date: Wed, 19 Nov 2014 11:37:42 +0100
   Subject: [PATCH] cirrus: fix blit region check
   Issues:
   * Doesn't check pitches correctly in case it is negative.
   * Doesn't check width at all.
   Turn macro into functions while being at it, also factor out the check
   for one region which we then can simply call twice for src + dst.
   This is CVE-2014-8106.
   Reported-by: Paolo Bonzini <pbonzini at redhat.com>
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
   Prerequisite patch for XSA208, cirrus_vga.c moved from hw/display/ to hw/
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25670969] {CVE-2017-2615}

[4.3.0-55.el6.186.9]
- From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
   From: Li Qiang <liqiang6-s at 360.cn>
   Date: Mon, 13 Feb 2017 15:22:15 +0000
   Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
   When doing bitblt copy in backward mode, we should minus the
   blt width first just like the adding in the forward mode. This
   can avoid the oob access of the front of vga's vram.
   This is XSA-208.
   upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
   Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
   [ kraxel: with backward blits (negative pitch) addr is the topmost
   address, so check it as-is against vram size ]
   [ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]
   Cc: qemu-stable at nongnu.org
   Cc: P J P <ppandit at redhat.com>
   Cc: Laszlo Ersek <lersek at redhat.com>
   Cc: Paolo Bonzini <pbonzini at redhat.com>
   Cc: Wolfgang Bumiller <w.bumiller at proxmox.com>
   Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   Message-id: 1485938101-26602-1-git-send-email-kraxel at redhat.com
   Reviewed-by: Laszlo Ersek <lersek at redhat.com>
   Signed-off-by: Stefano Stabellini <sstabellini at kernel.org>
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25670969] {CVE-2017-2615}

[4.3.0-55.el6.186.8]
- From 5e4ed9cded14f2d8445150c8a6d225b283bed3fa Mon Sep 17 00:00:00 2001
   From: Andrew Cooper <andrew.cooper3 at citrix.com>
   Date: Sat, 21 Feb 2015 17:16:42 +0000
   Subject: [PATCH] CVE-2014-8106: cirrus: fix blit region check
   Backport of qemu-upstream:
   * bf25983345ca44aec3dd92c57142be45452bd38a
   * d3532a0db02296e687711b8cdc7791924efccea0
   Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Prerequisite patch for XSA208
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25670969] {CVE-2017-2615}
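The blit-region check that the cirrus entries above describe (CVE-2014-8106: the pitch may be negative and the width was not checked at all; XSA-208: on a backward blit the start address is the topmost byte, so the region extends downward from it), as an added, constructed illustration rather than the QEMU or Xen code carried by these patches. The blit_region struct, its field names and the 4 MiB VRAM size are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not the QEMU/Xen source: a blit region is a start
 * offset into VRAM, a pitch (bytes between rows, negative for a backward
 * blit), a row width in bytes and a row count.  Names here are assumptions. */
typedef struct {
    int32_t addr;    /* offset of the first byte touched */
    int32_t pitch;   /* bytes between rows; negative = backward blit */
    int32_t width;   /* bytes per row */
    int32_t height;  /* number of rows */
} blit_region;

/* True if any byte of the region lies outside [0, vram_size).  Bounds are
 * computed in 64-bit arithmetic so height * pitch cannot wrap past the check. */
static bool region_is_unsafe(const blit_region *r, int64_t vram_size)
{
    int64_t lo, hi;
    if (r->width <= 0 || r->height <= 0) {
        return true;                 /* refuse degenerate sizes outright */
    }
    if (r->pitch < 0) {
        /* Backward blit: addr is the topmost byte; every row extends
         * downward by width bytes and later rows sit at lower addresses. */
        hi = r->addr;
        lo = (int64_t)r->addr + (int64_t)(r->height - 1) * r->pitch
             - (r->width - 1);
    } else {
        /* Forward blit: the last byte is the end of the last row. */
        lo = r->addr;
        hi = (int64_t)r->addr + (int64_t)(r->height - 1) * r->pitch
             + (r->width - 1);
    }
    return lo < 0 || hi >= vram_size;
}

/* One helper, applied twice: a blit is allowed only when both its
 * source and its destination lie entirely inside VRAM. */
static bool blit_is_unsafe(const blit_region *src, const blit_region *dst,
                           int64_t vram_size)
{
    return region_is_unsafe(src, vram_size) || region_is_unsafe(dst, vram_size);
}

int main(void)
{
    const int64_t vram = 4 * 1024 * 1024;         /* 4 MiB, assumed size */
    blit_region fwd = { 4096, 1024, 64, 8 };      /* entirely inside VRAM */
    blit_region bwd = { 512, -1024, 64, 8 };      /* would run below offset 0 */
    printf("forward blit unsafe:  %d\n", blit_is_unsafe(&fwd, &fwd, vram));
    printf("backward blit unsafe: %d\n", blit_is_unsafe(&fwd, &bwd, vram));
    return 0;
}
```

The forward case is accepted and the backward case rejected because its last row would start 6719 bytes before the beginning of VRAM, which is exactly the under-read the XSA-208 entry describes.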

[4.3.0-55.el6.186.7]
- IOMMU: always call teardown callback
   There is a possible scenario when (d)->need_iommu remains unset
   during guest domain execution. For example, when no devices
   were assigned to it. Taking into account that teardown callback
   is not called when (d)->need_iommu is unset we might have unreleased
   resources after destroying domain.
   So, always call teardown callback to roll back actions
   that were performed in init callback.
   This is XSA-207.
   Reviewed-by: Jan Beulich <jbeulich at suse.com>
   Tested-by: Jan Beulich <jbeulich at suse.com>
   Tested-by: Julien Grall <julien.grall at arm.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com> [bug 25491807]
