OVMSA-2015-0111 - xen security update

| Type: | SECURITY |
| Impact: | IMPORTANT |
| Release Date: | 2015-08-04 |
Description
[4.3.0-55.el6.47.54]
- rtl8139: check TCP Data Offset field (qemu traditional)
  The TCP Data Offset field contains the length of the header.  Make sure
  it is valid and does not exceed the IP data length.
  Signed-off-by: Stefan Hajnoczi 
  Blind-porting to Xen 4.1.4 by Sebastian Pipping 
  This is 7/7 qemu traditional XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.53]
- rtl8139: skip offload on short TCP header (qemu traditional)
  TCP Large Segment Offload accesses the TCP header in the packet.  If the
  packet is too short we must not attempt to access header fields:
  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
  Signed-off-by: Stefan Hajnoczi 
  Blind-porting to Xen 4.1.4 by Sebastian Pipping 
  This is 6/7 qemu traditional XSA-140 CVE-2015-5165
  Conflicts:
  added '(qemu traditional)' to the patch subject line
  tools/qemu-xen-traditional-dir/hw/rtl8139.c
  different patch context
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.52]
- rtl8139: check IP Total Length field (qemu traditional)
  The IP Total Length field includes the IP header and data.  Make sure it
  is valid and does not exceed the Ethernet payload size.
  Signed-off-by: Stefan Hajnoczi 
  Blind-porting to Xen 4.1.4 by Sebastian Pipping 
  This is 5/7 qemu traditional XSA-140 CVE-2015-5165
  Conflicts:
  added '(qemu traditional)' to the patch subject line
  tools/qemu-xen-traditional-dir/hw/rtl8139.c
  different patch context
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.51]
- rtl8139: check IP Header Length field (qemu traditional)
  The IP Header Length field was only checked in the IP checksum case, but
  is used in other cases too.
  Signed-off-by: Stefan Hajnoczi 
  Blind-porting to Xen 4.1.4 by Sebastian Pipping 
  This is 4/7 qemu traditional XSA-140 CVE-2015-5165
  Conflicts:
  added '(qemu traditional)' to the patch subject line
  tools/qemu-xen-traditional-dir/hw/rtl8139.c
  different patch context
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.50]
- rtl8139: skip offload on short Ethernet/IP header (qemu traditional)
  Transmit offload features access the Ethernet and IP headers in the packet.  If
  the packet is too short we must not attempt to access header fields:
  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
  Signed-off-by: Stefan Hajnoczi 
  Blind-porting to Xen 4.1.4 by Sebastian Pipping 
  This is 3/7 qemu traditional XSA-140 CVE-2015-5165
  Conflicts:
  added '(qemu traditional)' to the patch subject line
  tools/qemu-xen-traditional-dir/hw/rtl8139.c
  different patch context
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.49]
- rtl8139: drop tautologous if (ip) {...} statement (qemu traditional)
  The previous patch stopped using the ip pointer as an indicator that the
  IP header is present.  When we reach the if (ip) {...} statement we know
  ip is always non-NULL.
  Remove the if statement to reduce nesting.
  Signed-off-by: Stefan Hajnoczi 
  Blind-porting to Xen 4.1.4 by Sebastian Pipping 
  This is 2/7 qemu traditional XSA-140 CVE-2015-5165
  Conflicts:
  added '(qemu traditional)' to the patch subject line
  tools/qemu-xen-traditional-dir/hw/rtl8139.c
  DPRINTF() changed to DEBUG_PRINT()
  args to rtl8139_transfer_frame()
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.48]
- rtl8139: avoid nested ifs in IP header parsing (qemu traditional)
  Transmit offload needs to parse packet headers.  If header fields have
  unexpected values the offload processing is skipped.
  The code currently uses nested ifs because there is relatively little
  input validation.  The next patches will add missing input validation
  and a goto label is more appropriate to avoid deep if statement nesting.
  Signed-off-by: Stefan Hajnoczi 
  Blind-porting to Xen 4.1.4 by Sebastian Pipping 
  This is 1/7 qemu traditional XSA-140 CVE-2015-5165
  Conflicts:
  added '(qemu traditional)' to the patch subject line
  replaced incorrect 3/7 patch comment block with 1/7
  tools/qemu-xen-traditional-dir/hw/rtl8139.c
  DPRINTF() changed to DEBUG_PRINT()
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.47]
- rtl8139: check TCP Data Offset field
  The TCP Data Offset field contains the length of the header.  Make sure
  it is valid and does not exceed the IP data length.
  Signed-off-by: Stefan Hajnoczi 
  This is 7/7 XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.46]
- rtl8139: skip offload on short TCP header
  TCP Large Segment Offload accesses the TCP header in the packet.  If the
  packet is too short we must not attempt to access header fields:
  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
  Signed-off-by: Stefan Hajnoczi 
  This is 6/7 XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.45]
- rtl8139: check IP Total Length field
  The IP Total Length field includes the IP header and data.  Make sure it
  is valid and does not exceed the Ethernet payload size.
  Signed-off-by: Stefan Hajnoczi 
  This is 5/7 XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.44]
- rtl8139: check IP Header Length field
  The IP Header Length field was only checked in the IP checksum case, but
  is used in other cases too.
  Signed-off-by: Stefan Hajnoczi 
  This is 4/7 XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.43]
- rtl8139: skip offload on short Ethernet/IP header
  Transmit offload features access the Ethernet and IP headers in the packet.  If
  the packet is too short we must not attempt to access header fields:
  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
  Signed-off-by: Stefan Hajnoczi 
  This is 3/7 XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.42]
- rtl8139: drop tautologous if (ip) {...} statement
  The previous patch stopped using the ip pointer as an indicator that the
  IP header is present.  When we reach the if (ip) {...} statement we know
  ip is always non-NULL.
  Remove the if statement to reduce nesting.
  Signed-off-by: Stefan Hajnoczi 
  This is 2/7 XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.41]
- rtl8139: avoid nested ifs in IP header parsing
  Transmit offload needs to parse packet headers.  If header fields have
  unexpected values the offload processing is skipped.
  The code currently uses nested ifs because there is relatively little
  input validation.  The next patches will add missing input validation
  and a goto label is more appropriate to avoid deep if statement nesting.
  Signed-off-by: Stefan Hajnoczi 
  This is 1/7 XSA-140 CVE-2015-5165
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21535438] {CVE-2015-5165}
[4.3.0-55.el6.47.40]
- pci: completely unhook the unplugged IDEDevice from the corresponding BlockBackend
  pci_piix3_xen_ide_unplug should completely unhook the unplugged
  IDEDevice from the corresponding BlockBackend, otherwise the next call
  to release_drive will try to detach the drive again.
  Suggested-by: Kevin Wolf 
  Signed-off-by: Stefano Stabellini 
  This is XSA-139 / CVE-2015-5166
  Acked-by: Chuck Anderson 
  Reviewed-by: John Haxby  [bug 21518709] {CVE-2015-5166}
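The seven rtl8139 messages above describe one validation chain for transmit offload: refuse to read a header field until the bytes holding it are known to be present (3/7 and 6/7), then bound the IP Header Length against the Ethernet payload (4/7), the IP Total Length against the Ethernet payload (5/7) and the TCP Data Offset against the IP data length (7/7). The C program below is an added example written for this page, not code from QEMU, Xen or the Oracle package; it parses a raw byte array instead of QEMU's ip_header/tcp_header structs, and the names check_tx_offload_headers, make_frame, run_case and tcp_payload_len are its own. make_frame constructs sample frames with caller-chosen length fields so each skip reason can be exercised offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14      /* dst(6) + src(6) + EtherType(2) */
#define ETHERTYPE_IP  0x0800
#define IPPROTO_TCP   6
#define IP_MIN_HLEN   20      /* IPv4 header without options */
#define TCP_MIN_HLEN  20      /* TCP header without options */

/* Why offload is skipped; each reason maps to one of the seven patch steps. */
enum offload_check {
    OFFLOAD_OK = 0,
    OFFLOAD_SKIP_SHORT_FRAME,   /* 3/7: too short for Ethernet + minimal IPv4 header */
    OFFLOAD_SKIP_NOT_IPV4,      /* not IPv4, nothing to offload */
    OFFLOAD_SKIP_BAD_IHL,       /* 4/7: IP Header Length below 20 or beyond the payload */
    OFFLOAD_SKIP_BAD_TOT_LEN,   /* 5/7: IP Total Length below IHL or beyond the payload */
    OFFLOAD_SKIP_NOT_TCP,       /* large segment offload only applies to TCP */
    OFFLOAD_SKIP_SHORT_TCP,     /* 6/7: IP data too short for a minimal TCP header */
    OFFLOAD_SKIP_BAD_DOFF       /* 7/7: TCP Data Offset below 20 or beyond the IP data */
};

/* Lengths recovered once every check has passed. */
struct hdr_lengths {
    size_t ip_hlen;        /* IHL * 4 */
    size_t ip_data_len;    /* Total Length minus IP header */
    size_t tcp_hlen;       /* Data Offset * 4 */
    size_t tcp_data_len;   /* bytes left for segmentation */
};

/* Validate a transmit frame before any offload code touches its headers.
 * Each field is read only after the bytes holding it are known to exist. */
enum offload_check check_tx_offload_headers(const uint8_t *frame, size_t frame_len,
                                            struct hdr_lengths *out)
{
    if (frame_len < ETH_HLEN + IP_MIN_HLEN)           /* 3/7 */
        return OFFLOAD_SKIP_SHORT_FRAME;

    uint16_t proto = (uint16_t)((frame[12] << 8) | frame[13]);
    const uint8_t *ip = frame + ETH_HLEN;
    size_t eth_payload_len = frame_len - ETH_HLEN;
    if (proto != ETHERTYPE_IP || (ip[0] >> 4) != 4)
        return OFFLOAD_SKIP_NOT_IPV4;

    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;         /* 4/7 */
    if (hlen < IP_MIN_HLEN || hlen > eth_payload_len)
        return OFFLOAD_SKIP_BAD_IHL;

    size_t tot_len = (size_t)((ip[2] << 8) | ip[3]);  /* 5/7 */
    if (tot_len < hlen || tot_len > eth_payload_len)
        return OFFLOAD_SKIP_BAD_TOT_LEN;
    size_t ip_data_len = tot_len - hlen;

    if (ip[9] != IPPROTO_TCP)
        return OFFLOAD_SKIP_NOT_TCP;
    if (ip_data_len < TCP_MIN_HLEN)                    /* 6/7 */
        return OFFLOAD_SKIP_SHORT_TCP;

    const uint8_t *tcp = ip + hlen;
    size_t tcp_hlen = (size_t)(tcp[12] >> 4) * 4;     /* 7/7 */
    if (tcp_hlen < TCP_MIN_HLEN || tcp_hlen > ip_data_len)
        return OFFLOAD_SKIP_BAD_DOFF;

    if (out) {
        out->ip_hlen = hlen;
        out->ip_data_len = ip_data_len;
        out->tcp_hlen = tcp_hlen;
        out->tcp_data_len = ip_data_len - tcp_hlen;
    }
    return OFFLOAD_OK;
}

/* Constructed Ethernet/IPv4/TCP frame with caller-chosen length fields (sample
 * input for this example only). */
static size_t make_frame(uint8_t *buf, size_t buf_size, size_t frame_len,
                         uint8_t ihl_words, uint16_t tot_len, uint8_t doff_words)
{
    if (frame_len > buf_size)
        return 0;
    memset(buf, 0, buf_size);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    if (frame_len >= ETH_HLEN + IP_MIN_HLEN) {
        uint8_t *ip = buf + ETH_HLEN;
        ip[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));  /* version 4, IHL */
        ip[2] = (uint8_t)(tot_len >> 8);
        ip[3] = (uint8_t)(tot_len & 0xff);
        ip[9] = IPPROTO_TCP;
        size_t doff_at = ETH_HLEN + (size_t)(ihl_words & 0x0f) * 4 + 12;
        if (doff_at < frame_len)                        /* only if that byte exists */
            buf[doff_at] = (uint8_t)(doff_words << 4);
    }
    return frame_len;
}

/* Run one constructed case; fills *out only when offload would proceed. */
enum offload_check run_case(size_t frame_len, uint8_t ihl_words, uint16_t tot_len,
                            uint8_t doff_words, struct hdr_lengths *out)
{
    uint8_t buf[128];
    size_t len = make_frame(buf, sizeof buf, frame_len, ihl_words, tot_len, doff_words);
    return check_tx_offload_headers(buf, len, out);
}

/* TCP payload length for a constructed case, or -1 when offload is skipped. */
long tcp_payload_len(size_t frame_len, uint8_t ihl_words, uint16_t tot_len, uint8_t doff_words)
{
    struct hdr_lengths h;
    if (run_case(frame_len, ihl_words, tot_len, doff_words, &h) != OFFLOAD_OK)
        return -1;
    return (long)h.tcp_data_len;
}

int main(void)
{
    printf("64-byte frame, IHL 5, Total Length 50, Data Offset 5: result %d, TCP payload %ld\n",
           run_case(64, 5, 50, 5, NULL), tcp_payload_len(64, 5, 50, 5));
    printf("Total Length 2000 in a 64-byte frame: result %d\n", run_case(64, 5, 2000, 5, NULL));
    printf("Data Offset 15 with 30 bytes of IP data: result %d\n", run_case(64, 5, 50, 15, NULL));
    return 0;
}
```

The order of the checks matters: the Total Length test is only meaningful after IHL has been bounded, and the Data Offset test only after Total Length has been, which is why the series lands the checks in the sequence 3/7 to 7/7 and why a single early `goto skip_offload`-style exit (here, a return) keeps each one a flat comparison rather than another level of nesting.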
Related CVEs
CVE-2015-5165
CVE-2015-5166
Updated Packages

| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
| Oracle VM 3.3 (x86_64) | xen-4.3.0-55.el6.47.54.src.rpm | 7055fecfcb9ffc40565f54dffcf75f6c644f1d337ca537caecead034c806fa13 | OVMBA-2024-0012 | ovm3_x86_64_3.3_patch |
| Oracle VM 3.3 (x86_64) | xen-4.3.0-55.el6.47.54.x86_64.rpm | 40627f0a0aa029f06b7aaf2480a582adc2bdf3f8c79b9e4d88d7b553df900172 | OVMBA-2024-0012 | ovm3_x86_64_3.3_patch |
| Oracle VM 3.3 (x86_64) | xen-tools-4.3.0-55.el6.47.54.x86_64.rpm | 021ace15e899e9f0dd10c4f7973ca71d276bbcbf80630e27b5463ccd6ab6c45a | OVMBA-2024-0012 | ovm3_x86_64_3.3_patch |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team.