[Oraclevm-errata] OVMSA-2021-0014 Important: Oracle VM 3.4 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed Jun 2 17:23:31 PDT 2021 

Oracle VM Security Advisory OVMSA-2021-0014

The following updated rpms for Oracle VM 3.4 have been uploaded to the Unbreakable Linux Network:

x86_64:
xen-4.4.4-222.0.38.el6.x86_64.rpm
xen-tools-4.4.4-222.0.38.el6.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-222.0.38.el6.src.rpm



Description of changes:

[4.4.4-222.0.38.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=91f4eacb323ac58aa441333108e09b5aec9eb16d
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=4a8ded640f04b41cdb15ce7c4c0a2c812c1b9e4d
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- x86/vpt: do not take pt_migrate rwlock in some cases (Boris Ostrovsky)  [Orabug: 32753153]

[4.4.4-222.0.37.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=a9e1387e41cc38851624e0720b29db8b57ca89d7
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=4a8ded640f04b41cdb15ce7c4c0a2c812c1b9e4d
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- x86/pt: add a MSI unmask flag to XEN_DOMCTL_bind_pt_irq (Roger Pau Monné)  [Orabug: 31689681]
- MSI-X: Update MSI-X table by qemu cached data (Joe Jin)  [Orabug: 31689681]

[4.4.4-222.0.36.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=0f37e86df8ec1eb320c422109292e0c8c909cdcb
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- tools/xenstore: Preserve bad client until they are destroyed (Harsha Shamsundara Havanur)  [Orabug: 32222985]  {CVE-2020-29483}
- tools/xenstore: drop watch event messages exceeding maximum size (Juergen Gross)  [Orabug: 32222999]  {CVE-2020-29484}
- tools/xenstore: revoke access rights for removed domains (Juergen Gross)  [Orabug: 32223441]  {CVE-2020-29481}
- tools/xenstore: avoid watch events for nodes without access (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: allow special watches for privileged callers only (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: introduce node_perms structure (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: fire watches only when removing a specific node (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: rework node removal (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: check privilege for XS_IS_DOMAIN_INTRODUCED (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: simplify and rename check_event_node() (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: fix node accounting after failed node creation (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: ignore transaction id for [un]watch (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- tools/xenstore: allow removing child of a node exceeding quota (Juergen Gross)  [Orabug: 32223392]  {CVE-2020-29480}
- xenstore: rename XS_DEBUG wire command (Juergen Gross)  [Orabug: 32223392]

[4.4.4-222.0.35.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=0328cfcc83b78e2baf53b1538d63c48e801ca0af
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- evtchn/FIFO: re-order and synchronize (with) map_control_block() (Jan Beulich)  [Orabug: 32223369]  {CVE-2020-29570} {CVE-2020-29570}

[4.4.4-222.0.34.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=5a3c71327c8a30bafe9ffb44ebf91bf812843b9e
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- vnuma: dont fail guest creation when cpus are defined incorrectly (Elena Ufimtseva)  [Orabug: 32422162]

[4.4.4-222.0.33.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=82dc0841ad3c101958ceb66540f1df95511b5c21
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- xenstore: rework of transaction handling (Juergen Gross)  [Orabug: 31386711]
- xenstore: undo function rename (Juergen Gross)  [Orabug: 31386711]
- xenstore: let write_node() and some callers return errno (Juergen Gross)  [Orabug: 31386711]
- xenstore: add missing checks for allocation failure (Juergen Gross)  [Orabug: 31386711]
- xenstore: set correct error code when violating quota (Juergen Gross)  [Orabug: 31386711]
- xenstore: bump TDB_VERSION (Jan Beulich)  [Orabug: 31386711]
- tools/xenstore: avoid unterminated string in xs_directory_part() (Juergen Gross)  [Orabug: 31386711]
- xenstore: handle memory allocation failures in xenstored (Juergen Gross)  [Orabug: 31386711]
- xenstore: add small default data buffer to internal struct (Juergen Gross)  [Orabug: 31386711]
- xenstore: add helper functions for wire argument parsing (Juergen Gross)  [Orabug: 31386711]
- xenstore: make functions static (Juergen Gross)  [Orabug: 31386711]
- xenstore: let command functions return error or success (Juergen Gross)  [Orabug: 31386711]
- xenstore: use array for xenstore wire command handling (Juergen Gross)  [Orabug: 31386711]
- xenstore: support XS_DIRECTORY_PART in libxenstore (Juergen Gross)  [Orabug: 31386711]
- xenstore: add support for reading directory with many children (Juergen Gross)  [Orabug: 31386711]
- xenstore: add per-node generation counter (Juergen Gross)  [Orabug: 31386711]
- xenstore: use common tdb record header in xenstore (Juergen Gross)  [Orabug: 31386711]
- xenstore: call add_change_node() directly when writing node (Juergen Gross)  [Orabug: 31386711]
- xenstore: modify add_change_node() parameter types (Juergen Gross)  [Orabug: 31386711]
- xenstore: fix add_change_node() (Juergen Gross)  [Orabug: 31386711]

[4.4.4-222.0.32.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=ed97d5a18855cbdb4d2c841bf2d7a33bdb8330a3
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- x86/msr: Allow read access to some RAPL MSRs (Boris Ostrovsky)  [Orabug: 32301333]

[4.4.4-222.0.31.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=48a687f29fd7d4b43657dec312658a5795fb4ac6
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- xend: Allow a few quick reboots (Boris Ostrovsky)  [Orabug: 32204275]
- evtchn: Update active_evtchns count in get_free_port() (Boris Ostrovsky)  [Orabug: 32204275]

[4.4.4-222.0.30.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=2b241cb1b3a9a127d397564aea44d7ddc51f52fd
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- x86/msr: Disallow guest access to the RAPL MSRs (Andrew Cooper)  [Orabug: 32176091]
- x86/msr: fix handling of MSR_IA32_PERF_{STATUS/CTL} (Roger Pau Monné)  [Orabug: 32176091]
- memory: fix off-by-one in XSA-346 change (Jan Beulich)  [Orabug: 31984408]
- IOMMU: hold page ref until after deferred TLB flush (Jan Beulich)  [Orabug: 31984408]  {CVE-2020-27671}
- IOMMU: suppress "iommu_dont_flush_iotlb" when about to free a page (Jan Beulich)  [Orabug: 31984408]  {CVE-2020-27671}
- x86/mm: Prevent some races in hypervisor mapping updates (Hongyan Xia)  [Orabug: 31984388]  {CVE-2020-27672}
- x86/mm: Refactor modify_xen_mappings to have one exit path (Wei Liu)  [Orabug: 31984388]  {CVE-2020-27672}
- x86/mm: Refactor map_pages_to_xen to have only a single exit path (Wei Liu)  [Orabug: 31984388]  {CVE-2020-27672}

[4.4.4-222.0.29.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=cba4b0a210ce8dffa327341fdc4d86ee1da050e6
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- xen: Handle evtchn_destroy()'s -ERESTART (Boris Ostrovsky)  [Orabug: 31940694]

[4.4.4-222.0.28.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=440b733fe2aebb5b89ea2546901a425571e0b734
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- evtchn: cut short evtchn_reset()'s loop in the common case (Jan Beulich)  [Orabug: 31940694]

[4.4.4-222.0.27.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=d44bd82498d256d265f95619e365f79916e57f0e
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=cf459aa4ae4ff6b7bfc208006b47c9992642c4cf
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- evtchn: arrange for preemption in evtchn_reset() (Jan Beulich)  [Orabug: 31865158]  {CVE-2020-25601}
- evtchn: arrange for preemption in evtchn_destroy() (Jan Beulich)  [Orabug: 31865158]  {CVE-2020-25601}
- evtchn: address races with evtchn_reset() (Jan Beulich)  [Orabug: 31865142]  {CVE-2020-25599}
- evtchn: convert per-channel lock to be IRQ-safe (Jan Beulich)  [Orabug: 31865142]  {CVE-2020-25599}
- evtchn: evtchn_reset() shouldn't succeed with still-open ports (Jan Beulich)  [Orabug: 31865142]  {CVE-2020-25599}
- evtchn/x86: enforce correct upper limit for 32-bit guests (Jan Beulich)  [Orabug: 31865129]  {CVE-2020-25600}
- xen/evtchn: Add missing barriers when accessing/allocating an event channel (Julien Grall)  [Orabug: 31865104]  {CVE-2020-25603}
- evtchn: relax port_is_valid() (Jan Beulich)  [Orabug: 31865047]  {CVE-2020-25597}
- x86/MSI-X: restrict reading of table/PBA bases from BARs (Jan Beulich)  [Orabug: 31865021]  {CVE-2020-25595}
- x86/msi: get rid of read_msi_msg (Roger Pau Monné)  [Orabug: 31865021]  {CVE-2020-25595}
- x86/vpt: fix race when migrating timers between vCPUs (Roger Pau Monné)  [Orabug: 31864999]  {CVE-2020-25604}
- evtchn: use a per-event channel lock for sending events (David Vrabel)
- evtchn: defer freeing struct evtchn's until evtchn_destroy_final() (David Vrabel)
- evtchn: clear xen_consumer when clearing state (David Vrabel)
- evtchn: remove the locking when unmasking an event channel (David Vrabel)
- evtchn: simplify port_is_valid() (David Vrabel)
- evtchn: factor out freeing an event channel (David Vrabel)
- evtchn: simplify sending of notifications (Jan Beulich)

More information about the Oraclevm-errata mailing list