[Oraclevm-errata] OVMSA-2017-0096 Important: Oracle VM 3.2 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed May 3 14:22:14 PDT 2017


Oracle VM Security Advisory OVMSA-2017-0096

The following updated rpms for Oracle VM 3.2 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.1.3-25.el5.223.62.x86_64.rpm
xen-devel-4.1.3-25.el5.223.62.x86_64.rpm
xen-tools-4.1.3-25.el5.223.62.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.223.62.src.rpm



Description of changes:

[4.1.3-25.el5.223.62]
- Fix a segfault due to a buggy backport of xsa206
   The buggy backport of 
xsa206-4.4-0001-xenstored-apply-a-write-transaction-rate-limit.patch
   ignored the case when timeout is NULL, lead to xenstored segfault
   Only OVM3.2 has such issue.
   Signed-off-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25886290]

[4.1.3-25.el5.223.61]
- x86: correct create_bounce_frame
   We may push up to 96 bytes on the guest (kernel) stack, so we should
   also cover as much in the early range check. Note that this is the
   simplest possible patch, which has the theoretical potential of
   breaking a guest: We only really push 96 bytes when invoking the
   failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed
   (without / with error code respectively). There is, however, no PV OS
   known to place a kernel stack there.
   This is XSA-215.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927758]

[4.1.3-25.el5.223.60]
- x86: discard type information when stealing pages
   While a page having just a single general reference left necessarily
   has a zero type reference count too, its type may still be valid (and
   in validated state; at present this is only possible and relevant for
   PGT_seg_desc_page, as page tables have their type forcibly zapped when
   their type reference count drops to zero, and
   PGT_{writable,shared}_page pages don't require any validation). In
   such a case when the page is being re-used with the same type again,
   validation is being skipped. As validation criteria differ between
   32- and 64-bit guests, pages to be transferred between guests need to
   have their validation indicator zapped (and with it we zap all other
   type information at once).
   This is XSA-214.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927706]

[4.1.3-25.el5.223.59]
- multicall: deal with early exit conditions
   In particular changes to guest privilege level require the multicall
   sequence to be aborted, as hypercalls are permitted from kernel mode
   only. While likely not very useful in a multicall, also properly handle
   the return value in the HYPERVISOR_iret case (which should be the guest
   specified value).
   This is XSA-213.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Acked-by: Julien Grall <julien.grall at arm.com>
   OVM3.2 does not support ARM arch.
   xen/arch/arm/traps.c and xen/include/asm-arm/multicall.h are ignored.
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927706]

[4.1.3-25.el5.223.58]
- From 3d4e3e903e3b4bbfdab4924a71bdab28fb62f84f Mon Sep 17 00:00:00 2001
   From: Jan Beulich <jbeulich at suse.com>
   Date: Fri, 11 Nov 2011 14:27:41 +0100
   Subject: [PATCH] multicall: don't ignore failure from 
__copy_to_guest() upon preemption
   At once adjust perf counter updates to also count calls from here even
   if a guest memory access failed.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Acked-by: Keir Fraser <keir at xen.org>
   Prerequisite patch for xsa213-4.5.patch
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927639]

[4.1.3-25.el5.223.57]
- memory: properly check guest memory ranges in XENMEM_exchange handling
   The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
   is insufficient here, guest_handle_subrange_okay() needs to be used
   instead.
   Note that the uses are okay in
   - XENMEM_add_to_physmap_batch handling due to the size field being only
   16 bits wide,
   - livepatch_list() due to the limit of 1024 enforced on the
   number-of-entries input (leaving aside the fact that this can be
   called by a privileged domain only anyway),
   - compat mode handling due to counts there being limited to 32 bits,
   - everywhere else due to guest arrays being accessed sequentially from
   index zero.
   This is XSA-212.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 
25760602] {CVE-2017-7228}

[4.1.3-25.el5.223.56]
- From b3fb58b61ebbe229af35edf6487994c76e4d22f2 Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Sat, 18 Mar 2017 17:13:27 +0000
   Subject: [PATCH 2/2] xenstored: Log when the write transaction rate limit
   bites
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745239]

[4.1.3-25.el5.223.55]
- From c91e4cbe19cf6d51b075d4ef3adf6fa50bb16b7a Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Sat, 18 Mar 2017 17:12:39 +0000
   Subject: [PATCH 1/2] xenstored: apply a write transaction rate limit
   This avoids a rogue client being about to stall another client (eg the
   toolstack) indefinitely.
   This is XSA-206.
   Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
   Backported to 4.8 (not entirely trivial).
   Signed-off-by: George Dunlap <george.dunlap at citrix.com>
   Acked-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
   Conflicts:
   tools/xenstore/Makefile
   tools/xenstore/xenstored_core.c
   OVM3.2 is stilling using select while OVM3.3 or above has switched to 
poll.
   XSA206 patchset is targeting the new code, some extra changes added 
to make
   it adapt to OVM3.2.
   wrl_check_timeout is a case of such, poll use int type for timeout 
while select
   use type (struct timeval *), so I update wrl_check_timeout to use
   (struct timeval **) to pass a pointer to timeout variable instead of 
(int *)
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745239]

[4.1.3-25.el5.223.54]
- From dc4eee43ac608337ae96a174e0a5c1278168bd56 Mon Sep 17 00:00:00 2001
   From: Ian Jackson <ian.jackson at eu.citrix.com>
   Date: Thu, 9 Mar 2017 11:14:55 +0000
   Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code.
   From: Gerd Hoffmann <kraxel at redhat.com>
   There is a special code path (dpy_gfx_copy) to allow graphic emulation
   notify user interface code about bitblit operations carryed out by
   guests.  It is supported by cirrus and vnc server.  The intended purpose
   is to optimize display scrolls and just send over the scroll op instead
   of a full display update.
   This is rarely used these days though because modern guests simply don't
   use the cirrus blitter any more.  Any linux guest using the cirrus drm
   driver doesn't.  Any windows guest newer than winxp doesn't ship with a
   cirrus driver any more and thus uses the cirrus as simple framebuffer.
   So this code tends to bitrot and bugs can go unnoticed for a long time.
   See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
   which fixes a bug lingering in the code for almost a year, added by
   commit "c7628bf vnc: only alloc server surface with clients connected".
   Also the vnc server will throttle the frame rate in case it figures the
   network can't keep up (send buffers are full).  This doesn't work with
   dpy_gfx_copy, for any copy operation sent to the vnc client we have to
   send all outstanding updates beforehand, otherwise the vnc client might
   run the client side blit on outdated data and thereby corrupt the
   display.  So this dpy_gfx_copy "optimization" might even make things
   worse on slow network links.
   Lets kill it once for all.
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   These changes (dropping dpy_copy and all its references and
   implementations) reimplemented for qemu-xen-traditional.
   This is XSA-211.
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Conflicts:
   hw/cirrus_vga.c
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 
25699238] {CVE-2016-9603}

[4.1.3-25.el5.223.53]
- From: Gerd Hoffmann <kraxel at redhat.com>
   Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to 
cirrus_bitblt_cputovideo
   CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
   and blit width, at all.  Oops.  Fix it.
   Security impact: high.
   The missing blit destination check allows to write to host memory.
   Basically same as CVE-2014-8106 for the other blit variants.
   The missing blit width check allows to overflow cirrus_bltbuf,
   with the attractive target cirrus_srcptr (current cirrus_bltbuf write
   position) being located right after cirrus_bltbuf in CirrusVGAState.
   Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
   hasn't full control over cirrus_srcptr though, only one byte can be
   changed.  Once the first byte has been modified further writes land
   elsewhere.
   [ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
   Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
   Reported-by: Gerd Hoffmann <ghoffman at redhat.com>
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 
25670976] {CVE-2017-2620}

[4.1.3-25.el5.223.52]
- From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
   From: Li Qiang <liqiang6-s at 360.cn>
   Date: Mon, 13 Feb 2017 15:22:15 +0000
   Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
   When doing bitblt copy in backward mode, we should minus the
   blt width first just like the adding in the forward mode. This
   can avoid the oob access of the front of vga's vram.
   This is XSA-208.
   upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
   Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
   { kraxel: with backward blits (negative pitch) addr is the topmost
   address, so check it as-is against vram size ]
   [ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]
   Cc: qemu-stable at nongnu.org
   Cc: P J P <ppandit at redhat.com>
   Cc: Laszlo Ersek <lersek at redhat.com>
   Cc: Paolo Bonzini <pbonzini at redhat.com>
   Cc: Wolfgang Bumiller <w.bumiller at proxmox.com>
   Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
   Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
   Message-id: 1485938101-26602-1-git-send-email-kraxel at redhat.com
   Reviewed-by: Laszlo Ersek <lersek at redhat.com>
   Signed-off-by: Stefano Stabellini <sstabellini at kernel.org>
   Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 
25670920] {CVE-2017-2615}

[4.1.3-25.el5.223.51]
- From 5e4ed9cded14f2d8445150c8a6d225b283bed3fa Mon Sep 17 00:00:00 2001
   From: Andrew Cooper <andrew.cooper3 at citrix.com>
   Date: Sat, 21 Feb 2015 17:16:42 +0000
   Subject: [PATCH] CVE-2014-8106: cirrus: fix blit region check
   Backport of qemu-upstream:
   * bf25983345ca44aec3dd92c57142be45452bd38a
   * d3532a0db02296e687711b8cdc7791924efccea0
   Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Prerequisite patch for XSA208
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 
25670920] {CVE-2017-2615}

[4.1.3-25.el5.223.50]
- IOMMU: always call teardown callback
   There is a possible scenario when (d)->need_iommu remains unset
   during guest domain execution. For example, when no devices
   were assigned to it. Taking into account that teardown callback
   is not called when (d)->need_iommu is unset we might have unreleased
   resourses after destroying domain.
   So, always call teardown callback to roll back actions
   that were performed in init callback.
   This is XSA-207.
   Reviewed-by: Jan Beulich <jbeulich at suse.com>
   Tested-by: Jan Beulich <jbeulich at suse.com>
   Tested-by: Julien Grall <julien.grall at arm.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25491908]




More information about the Oraclevm-errata mailing list