OVMSA-2017-0096

OVMSA-2017-0096 - xen security update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2017-05-03

Description


[4.1.3-25.el5.223.62]
- Fix a segfault due to a buggy backport of xsa206
The buggy backport of xsa206-4.4-0001-xenstored-apply-a-write-transaction-rate-limit.patch
ignored the case when timeout is NULL, leading to a xenstored segfault.
Only OVM3.2 has this issue.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25886290]

[4.1.3-25.el5.223.61]
- x86: correct create_bounce_frame
We may push up to 96 bytes on the guest (kernel) stack, so we should
also cover as much in the early range check. Note that this is the
simplest possible patch, which has the theoretical potential of
breaking a guest: We only really push 96 bytes when invoking the
failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed
(without / with error code respectively). There is, however, no PV OS
known to place a kernel stack there.
This is XSA-215.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25927758]

[4.1.3-25.el5.223.60]
- x86: discard type information when stealing pages
While a page having just a single general reference left necessarily
has a zero type reference count too, its type may still be valid (and
in validated state; at present this is only possible and relevant for
PGT_seg_desc_page, as page tables have their type forcibly zapped when
their type reference count drops to zero, and
PGT_{writable,shared}_page pages don't require any validation). In
such a case when the page is being re-used with the same type again,
validation is being skipped. As validation criteria differ between
32- and 64-bit guests, pages to be transferred between guests need to
have their validation indicator zapped (and with it we zap all other
type information at once).
This is XSA-214.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25927706]

[4.1.3-25.el5.223.59]
- multicall: deal with early exit conditions
In particular changes to guest privilege level require the multicall
sequence to be aborted, as hypercalls are permitted from kernel mode
only. While likely not very useful in a multicall, also properly handle
the return value in the HYPERVISOR_iret case (which should be the guest
specified value).
This is XSA-213.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Julien Grall
OVM3.2 does not support ARM arch.
xen/arch/arm/traps.c and xen/include/asm-arm/multicall.h are ignored.
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25927706]

[4.1.3-25.el5.223.58]
- From 3d4e3e903e3b4bbfdab4924a71bdab28fb62f84f Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Fri, 11 Nov 2011 14:27:41 +0100
Subject: [PATCH] multicall: don't ignore failure from __copy_to_guest() upon preemption
At once adjust perf counter updates to also count calls from here even
if a guest memory access failed.
Signed-off-by: Jan Beulich
Acked-by: Keir Fraser
Prerequisite patch for xsa213-4.5.patch
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25927639]

[4.1.3-25.el5.223.57]
- memory: properly check guest memory ranges in XENMEM_exchange handling
The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
is insufficient; guest_handle_subrange_okay() needs to be used
instead.
Note that the uses are okay in
- XENMEM_add_to_physmap_batch handling due to the size field being only
16 bits wide,
- livepatch_list() due to the limit of 1024 enforced on the
number-of-entries input (leaving aside the fact that this can be
called by a privileged domain only anyway),
- compat mode handling due to counts there being limited to 32 bits,
- everywhere else due to guest arrays being accessed sequentially from
index zero.
This is XSA-212.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25760602] {CVE-2017-7228}
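
The check described in the XSA-212 entry above, as an added example that is not part of the advisory or of Xen's source: a simplified C model of why a start-only handle check is enough for arrays that are walked from index zero, but not for a continued XENMEM_exchange that resumes at a guest-chosen index. MODEL_HV_START, EXTENT_SZ, the function names and their bodies are assumptions of the model, not Xen's definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the XSA-212 range check; not Xen source. Guest
 * virtual addresses lie below MODEL_HV_START; the hypervisor's reserved
 * range starts there. The boundary is a sample value for the model, and
 * each array entry is one 8-byte frame number.
 */
#define MODEL_HV_START 0xffff800000000000ULL
#define EXTENT_SZ      8ULL

static bool addr_is_guest(uint64_t addr)
{
    return addr < MODEL_HV_START;
}

/* Start-only check in the shape of guest_handle_okay(). It is enough when
 * the caller walks the array from index 0: the first entry at or beyond
 * MODEL_HV_START faults and the walk stops before crossing the boundary. */
static bool handle_okay(uint64_t hnd, uint64_t nr)
{
    if (nr >= UINT64_MAX / EXTENT_SZ)    /* nr * EXTENT_SZ must not wrap */
        return false;
    return addr_is_guest(hnd);
}

/* Check in the shape of guest_handle_subrange_okay(): every byte of the
 * entries first..last (inclusive) must be a guest address. Because the
 * guest range is contiguous from 0, testing both ends is sufficient. */
static bool handle_subrange_okay(uint64_t hnd, uint64_t first, uint64_t last)
{
    uint64_t lo, hi;

    if (last < first || last >= UINT64_MAX / EXTENT_SZ)
        return false;
    lo = first * EXTENT_SZ;
    hi = last * EXTENT_SZ + (EXTENT_SZ - 1);
    if (hnd > UINT64_MAX - hi)           /* hnd + hi would wrap */
        return false;
    return addr_is_guest(hnd + lo) && addr_is_guest(hnd + hi);
}

/* Address of entry idx, i.e. what a continued XENMEM_exchange touches when
 * it resumes at index nr_exchanged rather than at 0. */
static uint64_t entry_addr(uint64_t hnd, uint64_t idx)
{
    return hnd + idx * EXTENT_SZ;
}

/* Does the start-only check admit a handle whose resume point is already
 * inside the hypervisor range? (The pre-XSA-212 situation.) */
static bool old_check_admits_hv_access(uint64_t hnd, uint64_t nr_extents,
                                       uint64_t nr_exchanged)
{
    return nr_exchanged < nr_extents &&
           handle_okay(hnd, nr_extents) &&
           !addr_is_guest(entry_addr(hnd, nr_exchanged));
}

/* Same question for the subrange check over the entries still to be done. */
static bool new_check_admits_hv_access(uint64_t hnd, uint64_t nr_extents,
                                       uint64_t nr_exchanged)
{
    return nr_exchanged < nr_extents &&
           handle_subrange_okay(hnd, nr_exchanged, nr_extents - 1) &&
           !addr_is_guest(entry_addr(hnd, nr_exchanged));
}

int main(void)
{
    /* Constructed input: handle 4 KiB below the boundary, 1M entries, and a
     * continuation claiming 512K entries (4 MiB) are already exchanged. */
    uint64_t hnd = MODEL_HV_START - 0x1000, nr = 0x100000, done = 0x80000;

    printf("start-only check admits hypervisor access: %s\n",
           old_check_admits_hv_access(hnd, nr, done) ? "yes" : "no");
    printf("subrange check admits hypervisor access:   %s\n",
           new_check_admits_hv_access(hnd, nr, done) ? "yes" : "no");
    return 0;
}
```

The model makes the point of the entry's list of "okay" callers explicit: a bounded count (16 or 32 bits, or 1024 entries) cannot carry the access far enough past a guest handle to cross the boundary, and a walk from index zero faults on the first offending entry, whereas a guest-controlled resume index skips straight over it.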

[4.1.3-25.el5.223.56]
- From b3fb58b61ebbe229af35edf6487994c76e4d22f2 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Sat, 18 Mar 2017 17:13:27 +0000
Subject: [PATCH 2/2] xenstored: Log when the write transaction rate limit
bites
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25745239]

[4.1.3-25.el5.223.55]
- From c91e4cbe19cf6d51b075d4ef3adf6fa50bb16b7a Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Sat, 18 Mar 2017 17:12:39 +0000
Subject: [PATCH 1/2] xenstored: apply a write transaction rate limit
This avoids a rogue client being able to stall another client (eg the
toolstack) indefinitely.
This is XSA-206.
Signed-off-by: Ian Jackson
Backported to 4.8 (not entirely trivial).
Signed-off-by: George Dunlap
Acked-by: Ian Jackson
Conflicts:
tools/xenstore/Makefile
tools/xenstore/xenstored_core.c
OVM3.2 is still using select while OVM3.3 or above has switched to poll.
The XSA206 patchset targets the new code, so some extra changes were added to make
it adapt to OVM3.2.
wrl_check_timeout is one such case: poll uses an int for the timeout while select
uses (struct timeval *), so I updated wrl_check_timeout to take
(struct timeval **), a pointer to the timeout variable, instead of (int *).
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25745239]

[4.1.3-25.el5.223.54]
- From dc4eee43ac608337ae96a174e0a5c1278168bd56 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 9 Mar 2017 11:14:55 +0000
Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code.
From: Gerd Hoffmann
There is a special code path (dpy_gfx_copy) to allow graphic emulation to
notify user interface code about bitblit operations carried out by
guests. It is supported by cirrus and vnc server. The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.
This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more. Any linux guest using the cirrus drm
driver doesn't. Any windows guest newer than winxp doesn't ship with a
cirrus driver any more and thus uses the cirrus as a simple framebuffer.
So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit '3e10c3e vnc: fix qemu crash because of SIGSEGV'
which fixes a bug lingering in the code for almost a year, added by
commit 'c7628bf vnc: only alloc server surface with clients connected'.
Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full). This doesn't work with
dpy_gfx_copy: for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display. So this dpy_gfx_copy 'optimization' might even make things
worse on slow network links.
Let's kill it once and for all.
Signed-off-by: Gerd Hoffmann
These changes (dropping dpy_copy and all its references and
implementations) reimplemented for qemu-xen-traditional.
This is XSA-211.
Signed-off-by: Ian Jackson
Conflicts:
hw/cirrus_vga.c
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25699238] {CVE-2016-9603}

[4.1.3-25.el5.223.53]
- From: Gerd Hoffmann
Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows writing to host memory.
Basically the same as CVE-2014-8106 for the other blit variants.
The missing blit width check allows overflowing cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.
Because cirrus emulation writes cirrus_bltbuf bytewise the attacker
doesn't have full control over cirrus_srcptr though; only one byte can be
changed. Once the first byte has been modified further writes land
elsewhere.
[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
Reported-by: Gerd Hoffmann
Signed-off-by: Gerd Hoffmann
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670976] {CVE-2017-2620}

[4.1.3-25.el5.223.52]
- From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
From: Li Qiang
Date: Mon, 13 Feb 2017 15:22:15 +0000
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should subtract the
blt width first, just like the addition in forward mode. This
can avoid the oob access at the front of vga's vram.
This is XSA-208.
upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
Signed-off-by: Li Qiang
[ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
Cc: qemu-stable@nongnu.org
Cc: P J P
Cc: Laszlo Ersek
Cc: Paolo Bonzini
Cc: Wolfgang Bumiller
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek
Signed-off-by: Stefano Stabellini
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670920] {CVE-2017-2615}

[4.1.3-25.el5.223.51]
- From 5e4ed9cded14f2d8445150c8a6d225b283bed3fa Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Sat, 21 Feb 2015 17:16:42 +0000
Subject: [PATCH] CVE-2014-8106: cirrus: fix blit region check
Backport of qemu-upstream:
* bf25983345ca44aec3dd92c57142be45452bd38a
* d3532a0db02296e687711b8cdc7791924efccea0
Signed-off-by: Andrew Cooper
Prerequisite patch for XSA208
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670920] {CVE-2017-2615}
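
The blit bounds checks described in the CVE-2014-8106, XSA-208 and XSA-209 entries above, as an added C model that is not the advisory's or qemu-xen-traditional's code. It computes the byte span a forward or backward blit touches, contrasts the pre-XSA-208 backward check with the fixed one (backward lines extend width bytes below the address, and the address itself is the topmost byte), and applies the destination and staging-buffer checks the XSA-209 entry says the CPU-to-video path lacked. MODEL_VRAM_SIZE, MODEL_BLTBUFSIZE and the function names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the cirrus blitter bounds checks from the XSA-208,
 * XSA-209 and CVE-2014-8106 entries; not qemu-xen-traditional source.
 * VRAM and staging-buffer sizes are sample values for the model.
 */
#define MODEL_VRAM_SIZE  (4 * 1024 * 1024)  /* emulated framebuffer, bytes */
#define MODEL_BLTBUFSIZE (2048 * 4)         /* staging buffer for CPU-sourced blits */

/* Lowest and highest VRAM byte a blit touches. A forward line covers
 * addr .. addr+width-1 and steps up by pitch; a backward line (negative
 * pitch) covers addr-width+1 .. addr and steps down. */
static void blit_span(int32_t addr, int32_t pitch, int32_t width, int32_t height,
                      int64_t *lo, int64_t *hi)
{
    int64_t last = (int64_t)addr + ((int64_t)height - 1) * pitch;

    if (pitch < 0) {
        *lo = last - (width - 1);
        *hi = addr;
    } else {
        *lo = addr;
        *hi = last + width - 1;
    }
}

/* Pre-XSA-208 shape of the backward case: the lowest byte is taken to be
 * the last line's start, so the width bytes below it go unchecked. */
static bool region_unsafe_old(int32_t addr, int32_t pitch, int32_t width, int32_t height)
{
    int64_t last = (int64_t)addr + ((int64_t)height - 1) * pitch;

    if (pitch < 0)
        return last < 0 || (int64_t)addr + width > MODEL_VRAM_SIZE;
    return last + width > MODEL_VRAM_SIZE;
}

/* Fixed shape: reject unless the whole span lies inside VRAM. */
static bool region_unsafe_new(int32_t addr, int32_t pitch, int32_t width, int32_t height)
{
    int64_t lo, hi;

    if (width <= 0 || height <= 0)
        return true;
    blit_span(addr, pitch, width, height, &lo, &hi);
    return lo < 0 || hi >= MODEL_VRAM_SIZE;
}

enum blit_verdict { BLIT_ACCEPT, BLIT_REJECT_DST, BLIT_REJECT_WIDTH };

/* Per-line source size for a plain CPU-sourced blit: the device rounds the
 * width up to a 32-bit multiple before staging it. */
static int32_t memsys_srcpitch(int32_t width)
{
    return (width + 3) & ~3;
}

/* Set-up of a CIRRUS_BLTMODE_MEMSYSSRC blit. The XSA-209 entry describes the
 * two checks the CPU-to-video path lacked: the destination region was never
 * validated, and a line longer than the staging buffer overran it into the
 * write pointer stored right after it. */
static enum blit_verdict memsys_blit_check(int32_t dstaddr, int32_t dstpitch,
                                           int32_t width, int32_t height)
{
    if (region_unsafe_new(dstaddr, dstpitch, width, height))
        return BLIT_REJECT_DST;
    if (memsys_srcpitch(width) > MODEL_BLTBUFSIZE)
        return BLIT_REJECT_WIDTH;
    return BLIT_ACCEPT;
}

int main(void)
{
    /* Constructed input: two-line backward blit starting 100 bytes into
     * VRAM with 64-byte lines; the second line reaches below offset 0. */
    printf("backward blit, old check unsafe: %d, new check unsafe: %d\n",
           region_unsafe_old(100, -64, 64, 2), region_unsafe_new(100, -64, 64, 2));
    /* Constructed input: 9000-byte line to a valid destination; the line
     * itself does not fit the staging buffer. */
    printf("memsys blit verdict: %d\n", memsys_blit_check(0, 16384, 9000, 1));
    return 0;
}
```

The backward case is where the two shapes diverge: the old check accepts a blit whose last line starts at a valid offset even though that line's width bytes run below the start of VRAM, which is the out-of-bounds access at the front of VRAM the XSA-208 entry describes.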

[4.1.3-25.el5.223.50]
- IOMMU: always call teardown callback
There is a possible scenario where (d)->need_iommu remains unset
during guest domain execution, for example when no devices
were assigned to it. Taking into account that the teardown callback
is not called when (d)->need_iommu is unset, we might have unreleased
resources after destroying the domain.
So, always call the teardown callback to roll back actions
that were performed in the init callback.
This is XSA-207.
Reviewed-by: Jan Beulich
Tested-by: Jan Beulich
Tested-by: Julien Grall
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25491908]


Related CVEs


CVE-2017-2615
CVE-2017-2620
CVE-2016-9603
CVE-2017-7228
CVE-2017-8903
CVE-2017-8904
CVE-2017-8905

Updated Packages


Release/Architecture    Filename                                    MD5sum                            Superseded By Advisory
Oracle VM 3.2 (x86_64)  xen-4.1.3-25.el5.223.62.src.rpm             e16374fd904076d7992e304d6fbf3ec5  OVMSA-2021-0014
                        xen-4.1.3-25.el5.223.62.x86_64.rpm          8100ecf0c75f1a40f2edce34a00a0566  OVMSA-2021-0014
                        xen-devel-4.1.3-25.el5.223.62.x86_64.rpm    ae5b1f63be205dfc4fd8bbe8a3165481  OVMSA-2019-0048
                        xen-tools-4.1.3-25.el5.223.62.x86_64.rpm    bfe954dbb924afa3d78a059b58f9c236  OVMSA-2021-0014



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team