OVMSA-2015-0067 - xen security update
| Type: | SECURITY |
| Severity: | IMPORTANT |
| Release Date: | 2015-06-11 |
Description
[4.3.0-55.el6.22.52]
- x86/traps: loop in the correct direction in compat_iret()
This is XSA-136.
Reviewed-by: Jan Beulich
Acked-by: Chuck Anderson
Reviewed-by: John Haxby [bug 21219185] {CVE-2015-4164}
[4.3.0-55.el6.22.51]
- pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
Signed-off-by: Petr Matousek
Reported-by: Matt Tait
Reviewed-by: Peter Maydell
Reviewed-by: Stefan Hajnoczi
Acked-by: Chuck Anderson
Reviewed-by: John Haxby [bug 21218590] {CVE-2015-3209}
[4.3.0-55.el6.22.50]
- pcnet: fix Negative array index read
From: Gonglei
s->xmit_pos maybe assigned to a negative value (-1),
but in this branch variable s->xmit_pos as an index to
array s->buffer. Let's add a check for s->xmit_pos.
upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b
Signed-off-by: Gonglei
Signed-off-by: Paolo Bonzini
Reviewed-by: Jason Wang
Reviewed-by: Jason Wang
Signed-off-by: Stefan Hajnoczi
Acked-by: Chuck Anderson
Reviewed-by: John Haxby [bug 21218590] {CVE-2015-3209}
[4.3.0-55.el6.22.49]
- pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
Signed-off-by: Petr Matousek
Reported-by: Matt Tait
Reviewed-by: Peter Maydell
Reviewed-by: Stefan Hajnoczi
Acked-by: Chuck Anderson [bug 21218590] {CVE-2015-3209}
[4.3.0-55.el6.22.48]
- pcnet: fix Negative array index read
From: Gonglei
s->xmit_pos maybe assigned to a negative value (-1),
but in this branch variable s->xmit_pos as an index to
array s->buffer. Let's add a check for s->xmit_pos.
upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b
Signed-off-by: Gonglei
Signed-off-by: Paolo Bonzini
Reviewed-by: Jason Wang
Reviewed-by: Jason Wang
Signed-off-by: Stefan Hajnoczi
Acked-by: Chuck Anderson
Reviewed-by: John Haxby [bug 21218590] {CVE-2015-3209}
[4.3.0-55.el6.22.47]
- gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
... avoiding NULL derefs when the version to use wasn't set yet (via
GNTTABOP_setup_table or GNTTABOP_set_version).
This is XSA-134.
Signed-off-by: Jan Beulich
Acked-by: Ian Campbell
Acked-by: Chuck Anderson
Reviewed-by: John Haxby [bug 21218010] {CVE-2015-4163}
Related CVEs
Updated Packages
| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
|
| Oracle VM 3.3 (x86_64) | xen-4.3.0-55.el6.22.52.src.rpm | 307bc15543be3b7ef8f88b8ba66d9d5c | OVMSA-2021-0014 |
| xen-4.3.0-55.el6.22.52.x86_64.rpm | f539cda4414c1bd20f1c130880d1c005 | OVMSA-2021-0014 |
| xen-tools-4.3.0-55.el6.22.52.x86_64.rpm | 109df97f337a8d2ea2a77169c4cdf032 | OVMSA-2021-0014 |
This page is generated automatically and has not been checked for errors or omissions. For clarification
or corrections please contact the Oracle Linux ULN team
