[Oraclevm-errata] OVMSA-2017-0096 Important: Oracle VM 3.2 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Wed May 3 14:22:14 PDT 2017
Oracle VM Security Advisory OVMSA-2017-0096
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
xen-4.1.3-25.el5.223.62.x86_64.rpm
xen-devel-4.1.3-25.el5.223.62.x86_64.rpm
xen-tools-4.1.3-25.el5.223.62.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.223.62.src.rpm
Description of changes:
[4.1.3-25.el5.223.62]
- Fix a segfault due to a buggy backport of xsa206
The buggy backport of
xsa206-4.4-0001-xenstored-apply-a-write-transaction-rate-limit.patch
ignored the case when timeout is NULL, lead to xenstored segfault
Only OVM3.2 has such issue.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25886290]
[4.1.3-25.el5.223.61]
- x86: correct create_bounce_frame
We may push up to 96 bytes on the guest (kernel) stack, so we should
also cover as much in the early range check. Note that this is the
simplest possible patch, which has the theoretical potential of
breaking a guest: We only really push 96 bytes when invoking the
failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed
(without / with error code respectively). There is, however, no PV OS
known to place a kernel stack there.
This is XSA-215.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927758]
[4.1.3-25.el5.223.60]
- x86: discard type information when stealing pages
While a page having just a single general reference left necessarily
has a zero type reference count too, its type may still be valid (and
in validated state; at present this is only possible and relevant for
PGT_seg_desc_page, as page tables have their type forcibly zapped when
their type reference count drops to zero, and
PGT_{writable,shared}_page pages don't require any validation). In
such a case when the page is being re-used with the same type again,
validation is being skipped. As validation criteria differ between
32- and 64-bit guests, pages to be transferred between guests need to
have their validation indicator zapped (and with it we zap all other
type information at once).
This is XSA-214.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927706]
[4.1.3-25.el5.223.59]
- multicall: deal with early exit conditions
In particular changes to guest privilege level require the multicall
sequence to be aborted, as hypercalls are permitted from kernel mode
only. While likely not very useful in a multicall, also properly handle
the return value in the HYPERVISOR_iret case (which should be the guest
specified value).
This is XSA-213.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Acked-by: Julien Grall <julien.grall at arm.com>
OVM3.2 does not support ARM arch.
xen/arch/arm/traps.c and xen/include/asm-arm/multicall.h are ignored.
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927706]
[4.1.3-25.el5.223.58]
- From 3d4e3e903e3b4bbfdab4924a71bdab28fb62f84f Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich at suse.com>
Date: Fri, 11 Nov 2011 14:27:41 +0100
Subject: [PATCH] multicall: don't ignore failure from
__copy_to_guest() upon preemption
At once adjust perf counter updates to also count calls from here even
if a guest memory access failed.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Acked-by: Keir Fraser <keir at xen.org>
Prerequisite patch for xsa213-4.5.patch
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25927639]
[4.1.3-25.el5.223.57]
- memory: properly check guest memory ranges in XENMEM_exchange handling
The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
is insufficient here, guest_handle_subrange_okay() needs to be used
instead.
Note that the uses are okay in
- XENMEM_add_to_physmap_batch handling due to the size field being only
16 bits wide,
- livepatch_list() due to the limit of 1024 enforced on the
number-of-entries input (leaving aside the fact that this can be
called by a privileged domain only anyway),
- compat mode handling due to counts there being limited to 32 bits,
- everywhere else due to guest arrays being accessed sequentially from
index zero.
This is XSA-212.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug
25760602] {CVE-2017-7228}
[4.1.3-25.el5.223.56]
- From b3fb58b61ebbe229af35edf6487994c76e4d22f2 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson at eu.citrix.com>
Date: Sat, 18 Mar 2017 17:13:27 +0000
Subject: [PATCH 2/2] xenstored: Log when the write transaction rate limit
bites
Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745239]
[4.1.3-25.el5.223.55]
- From c91e4cbe19cf6d51b075d4ef3adf6fa50bb16b7a Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson at eu.citrix.com>
Date: Sat, 18 Mar 2017 17:12:39 +0000
Subject: [PATCH 1/2] xenstored: apply a write transaction rate limit
This avoids a rogue client being about to stall another client (eg the
toolstack) indefinitely.
This is XSA-206.
Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
Backported to 4.8 (not entirely trivial).
Signed-off-by: George Dunlap <george.dunlap at citrix.com>
Acked-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
Conflicts:
tools/xenstore/Makefile
tools/xenstore/xenstored_core.c
OVM3.2 is stilling using select while OVM3.3 or above has switched to
poll.
XSA206 patchset is targeting the new code, some extra changes added
to make
it adapt to OVM3.2.
wrl_check_timeout is a case of such, poll use int type for timeout
while select
use type (struct timeval *), so I update wrl_check_timeout to use
(struct timeval **) to pass a pointer to timeout variable instead of
(int *)
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25745239]
[4.1.3-25.el5.223.54]
- From dc4eee43ac608337ae96a174e0a5c1278168bd56 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson at eu.citrix.com>
Date: Thu, 9 Mar 2017 11:14:55 +0000
Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code.
From: Gerd Hoffmann <kraxel at redhat.com>
There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carryed out by
guests. It is supported by cirrus and vnc server. The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.
This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more. Any linux guest using the cirrus drm
driver doesn't. Any windows guest newer than winxp doesn't ship with a
cirrus driver any more and thus uses the cirrus as simple framebuffer.
So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
which fixes a bug lingering in the code for almost a year, added by
commit "c7628bf vnc: only alloc server surface with clients connected".
Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full). This doesn't work with
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display. So this dpy_gfx_copy "optimization" might even make things
worse on slow network links.
Lets kill it once for all.
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
These changes (dropping dpy_copy and all its references and
implementations) reimplemented for qemu-xen-traditional.
This is XSA-211.
Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
Conflicts:
hw/cirrus_vga.c
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug
25699238] {CVE-2016-9603}
[4.1.3-25.el5.223.53]
- From: Gerd Hoffmann <kraxel at redhat.com>
Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to
cirrus_bitblt_cputovideo
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.
The missing blit width check allows to overflow cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.
Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
hasn't full control over cirrus_srcptr though, only one byte can be
changed. Once the first byte has been modified further writes land
elsewhere.
[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
Reported-by: Gerd Hoffmann <ghoffman at redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug
25670976] {CVE-2017-2620}
[4.1.3-25.el5.223.52]
- From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s at 360.cn>
Date: Mon, 13 Feb 2017 15:22:15 +0000
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
This is XSA-208.
upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
{ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
Cc: qemu-stable at nongnu.org
Cc: P J P <ppandit at redhat.com>
Cc: Laszlo Ersek <lersek at redhat.com>
Cc: Paolo Bonzini <pbonzini at redhat.com>
Cc: Wolfgang Bumiller <w.bumiller at proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel at redhat.com
Reviewed-by: Laszlo Ersek <lersek at redhat.com>
Signed-off-by: Stefano Stabellini <sstabellini at kernel.org>
Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug
25670920] {CVE-2017-2615}
[4.1.3-25.el5.223.51]
- From 5e4ed9cded14f2d8445150c8a6d225b283bed3fa Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3 at citrix.com>
Date: Sat, 21 Feb 2015 17:16:42 +0000
Subject: [PATCH] CVE-2014-8106: cirrus: fix blit region check
Backport of qemu-upstream:
* bf25983345ca44aec3dd92c57142be45452bd38a
* d3532a0db02296e687711b8cdc7791924efccea0
Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Prerequisite patch for XSA208
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug
25670920] {CVE-2017-2615}
[4.1.3-25.el5.223.50]
- IOMMU: always call teardown callback
There is a possible scenario when (d)->need_iommu remains unset
during guest domain execution. For example, when no devices
were assigned to it. Taking into account that teardown callback
is not called when (d)->need_iommu is unset we might have unreleased
resourses after destroying domain.
So, always call teardown callback to roll back actions
that were performed in init callback.
This is XSA-207.
Reviewed-by: Jan Beulich <jbeulich at suse.com>
Tested-by: Jan Beulich <jbeulich at suse.com>
Tested-by: Julien Grall <julien.grall at arm.com>
Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 25491908]
More information about the Oraclevm-errata
mailing list