OVMSA-2015-0057

OVMSA-2015-0057 - xen security update

Type: SECURITY
Severity: CRITICAL
Release Date: 2015-05-14

Description

[4.3.0-55.el6.22.24]
- fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek
Reviewed-by: John Snow
XSA-133
Acked-by: Chuck Anderson [bug 21078640] {CVE-2015-3456}

[4.3.0-55.el6.22.23]
- fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek
Reviewed-by: John Snow
XSA-133
Acked-by: Chuck Anderson [bug 21078640] {CVE-2015-3456}
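The bounds enforcement the two fdc entries above describe, as an added illustration (not QEMU's, Xen's or Oracle's code): a hypothetical, reduced model of the controller state in which the FIFO index is reduced modulo the buffer length before every store, so a guest that keeps pushing bytes through the data port can no longer reach memory past the buffer. The struct and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define FD_SECTOR_LEN 512

/* Hypothetical, reduced model of the controller state: the FIFO buffer
 * plus a canary standing in for whatever fields follow it in memory. */
struct fdctrl {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;   /* cursor advanced by each guest FIFO access */
    uint8_t  canary[16]; /* must never be touched by a FIFO write */
};

/* Post-fix shape of the index computation: reduce the cursor modulo the
 * buffer size before using it. The pre-fix path used data_pos directly
 * (fifo[data_pos++] = value), so a command handler that let the cursor
 * run past FD_SECTOR_LEN turned guest-supplied bytes into writes beyond
 * the buffer. */
static uint32_t bounded_index(uint32_t data_pos)
{
    return data_pos % FD_SECTOR_LEN;
}

static void fifo_write_bounded(struct fdctrl *f, uint8_t value)
{
    uint32_t pos = bounded_index(f->data_pos++);
    f->fifo[pos] = value;
}

/* Simulate a guest pushing n bytes while no handler resets data_pos.
 * Returns 1 if the canary survived intact, 0 if any byte was clobbered. */
static int guest_pushes_survives(uint32_t n)
{
    static struct fdctrl f;
    memset(&f, 0, sizeof f);
    memset(f.canary, 0xAA, sizeof f.canary);
    for (uint32_t i = 0; i < n; i++)
        fifo_write_bounded(&f, (uint8_t)i);
    for (size_t i = 0; i < sizeof f.canary; i++)
        if (f.canary[i] != 0xAA)
            return 0;
    return 1;
}

int main(void)
{
    /* 3 * 512 bytes: far more than the buffer, yet nothing lands outside it. */
    return guest_pushes_survives(3 * FD_SECTOR_LEN) ? 0 : 1;
}
```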

[4.3.0-55.el6.22.22]
- domctl: don't allow a toolstack domain to call domain_pause() on itself
These DOMCTL subops were accidentally declared safe for disaggregation
in the wake of XSA-77.
This is XSA-127.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Acked-by: Ian Campbell
Acked-by: Chuck Anderson
Reviewed-by: Konrad Rzeszutek Wilk [bug 20739551] {CVE-2015-2751}

[4.3.0-55.el6.22.21]
- xen: limit guest control of PCI command register
Otherwise the guest can abuse that control to cause e.g. PCIe
Unsupported Request responses (by disabling memory and/or I/O decoding
and subsequently causing [CPU side] accesses to the respective address
ranges), which (depending on system configuration) may be fatal to the
host.
This is CVE-2015-2756 / XSA-126.
Signed-off-by: Jan Beulich
Reviewed-by: Stefano Stabellini
Acked-by: Ian Campbell
Conflicts:
tools/qemu-xen-traditional-dir/hw/pass-through.c
Acked-by: Chuck Anderson [bug 20739354] {CVE-2015-2756}

[4.3.0-55.el6.22.20]
- xen: limit guest control of PCI command register
Otherwise the guest can abuse that control to cause e.g. PCIe
Unsupported Request responses (by disabling memory and/or I/O decoding
and subsequently causing [CPU side] accesses to the respective address
ranges), which (depending on system configuration) may be fatal to the
host.
This is CVE-2015-2756 / XSA-126.
Signed-off-by: Jan Beulich
Reviewed-by: Stefano Stabellini
Acked-by: Ian Campbell
Acked-by: Chuck Anderson
Reviewed-by: Konrad Rzeszutek Wilk [bug 20739354] {CVE-2015-2756}

[4.3.0-55.el6.22.19]
- Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less)
Said hypercall for large BARs can take quite a while. As such
we can require that the hypercall MUST break up the request
in smaller values.
Another approach is to add preemption to it - whether we do the
preemption using hypercall_create_continuation or returning
EAGAIN to userspace (and have it re-invoke the call) - either
way the issue we cannot easily solve is that in 'map_mmio_regions'
if we encounter an error we MUST call 'unmap_mmio_regions' for the
whole BAR region.
Since the preemption would re-use input fields such as nr_mfns,
first_gfn, first_mfn - we would lose the original values -
and only undo what was done in the current round (i.e. ignoring
anything that was done prior to earlier preemptions).
Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but
that puts a limit (since the return value is a long) on the amount
of nr_mfns that can be provided.
This patch sidesteps this problem by:
- Setting a hard limit of nr_mfns having to be 64 or less.
- Toolstack adjusts correspondingly to the nr_mfn limit.
- If there is an error when adding the toolstack will call the
remove operation to remove the whole region.
The need to break this hypercall down is that large BARs can take
more than the guest's (initial domain usually) time-slice. This has
the negative result in that the guest is locked out for a long
duration and is unable to act on any pending events.
We also augment the code to return zero if nr_mfns instead
of trying the hypercall.
Suggested-by: Jan Beulich
Acked-by: Jan Beulich
Signed-off-by: Konrad Rzeszutek Wilk
Acked-by: Ian Campbell
This is CVE-2015-2752 / XSA-125.
Acked-by: Chuck Anderson
Reviewed-by: Konrad Rzeszutek Wilk [bug 20732350] {CVE-2015-2752}
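The toolstack-side behaviour the entry above describes, as an added illustration (not Xen's libxc code): a request is issued in chunks of at most 64 GFNs, a zero-length request issues no hypercall at all, and if one add chunk fails the whole original region is walked again with the remove operation so nothing from earlier chunks stays mapped. The hypercall is a constructed in-memory fake, and all names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define MEMORY_MAPPING_MAX 64   /* hard per-call limit described above */
#define FAKE_FRAMES        1024 /* size of the constructed fake p2m */

/* Constructed fake of the hypercall (not Xen's): records mapped GFNs,
 * refuses more than 64 frames per call, fails adds touching poisoned_mfn. */
static uint8_t  fake_p2m[FAKE_FRAMES];
static uint64_t poisoned_mfn; static int fake_calls;

static void reset_fake(uint64_t poison)
{
    memset(fake_p2m, 0, sizeof fake_p2m);
    poisoned_mfn = poison;
    fake_calls = 0;
}

static int fake_memory_mapping(uint64_t gfn, uint64_t mfn, uint64_t nr, int add)
{
    fake_calls++;
    if (nr > MEMORY_MAPPING_MAX || gfn + nr > FAKE_FRAMES) return -1;
    if (add && poisoned_mfn >= mfn && poisoned_mfn < mfn + nr) return -1;
    memset(&fake_p2m[gfn], add ? 1 : 0, nr);
    return 0;
}

/* Toolstack side: chunks of at most 64 GFNs; on a failed add, walk the
 * whole original region with add == 0 so every earlier chunk is undone. */
static int map_region_chunked(uint64_t first_gfn, uint64_t first_mfn, uint64_t nr_mfns, int add)
{
    for (uint64_t done = 0; done < nr_mfns; ) {
        uint64_t n = nr_mfns - done;
        if (n > MEMORY_MAPPING_MAX) n = MEMORY_MAPPING_MAX;
        int rc = fake_memory_mapping(first_gfn + done, first_mfn + done, n, add);
        if (rc) {
            if (add) map_region_chunked(first_gfn, first_mfn, nr_mfns, 0);
            return rc;
        }
        done += n;
    }
    return 0;   /* nr_mfns == 0 falls straight through: no hypercall issued */
}

/* Number of mapped GFNs in [gfn, gfn + nr), for checking results. */
static int mapped_count(uint64_t gfn, uint64_t nr)
{
    int c = 0;
    for (uint64_t i = 0; i < nr; i++) c += fake_p2m[gfn + i];
    return c;
}
```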


Related CVEs

CVE-2015-3456
CVE-2015-2751
CVE-2015-2756
CVE-2015-2752

Updated Packages

Release/Architecture    Filename                                 MD5sum                            Superseded By Advisory
Oracle VM 3.3 (x86_64)  xen-4.3.0-55.el6.22.24.src.rpm           1f31ceca093db64f746b7240e9f45f09  OVMSA-2021-0014
                        xen-4.3.0-55.el6.22.24.x86_64.rpm        24d9e7623451adcb3afb37cca94973d6  OVMSA-2021-0014
                        xen-tools-4.3.0-55.el6.22.24.x86_64.rpm  38c7b13316f9eb9f3b4b8cd66fb479d1  OVMSA-2021-0014



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team