OVMSA-2016-0008 - xen security update
Type: SECURITY
Severity: IMPORTANT
Release Date: 2016-01-25
Description
[4.1.3-25.el5.209.9]
- VT-d: fix TLB flushing in dma_pte_clear_one()
From: Jan Beulich
The TLB flush code was wrong since xen-4.1.3-25.el5.127.20 (commit:
vtd-Refactor-iotlb-flush-code.patch), both ovm-3.2.9 and ovm-3.2.10 were
affected.
The third parameter of __intel_iommu_iotlb_flush() is to indicate
whether the to be flushed entry was a present one. A few lines before,
we bailed if !dma_pte_present(*pte), so there's no need to check the
flag here again - we can simply always pass TRUE here.
This is CVE-2013-6375 / XSA-78.
Suggested-by: Cheng Yueqiang
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Keir Fraser
(cherry picked from commit 85c72f9fe764ed96f5c149efcdd69ab7c18bfe3d)
Signed-off-by: Bob Liu
Reviewed-by: Konrad Rzeszutek Wilk
Acked-by: Chuck Anderson [bug 22551212] {CVE-2013-6375}
[4.1.3-25.el5.209.8]
- x86/VMX: prevent INVVPID failure due to non-canonical guest address
While INVLPG (and on SVM INVLPGA) don't fault on non-canonical
addresses, INVVPID fails (in the 'individual address' case) when passed
such an address.
Since such intercepted INVLPG are effectively no-ops anyway, don't fix
this in vmx_invlpg_intercept(), but instead have paging_invlpg() never
return true in such a case.
This is XSA-168.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Ian Campbell
Acked-by: Chuck Anderson [bug 22585479] {CVE-2016-1571}
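The XSA-168 entry above, as an added C model (not code from Xen or from this advisory): it shows why gating the `paging_invlpg()` result on a canonical-address check keeps the failing INVVPID from ever being issued. It assumes 48-bit virtual addresses; every function here is a hypothetical stand-in, and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VADDR_BITS 48   /* assumption: 4-level paging, 48-bit virtual addresses */

/* Canonical: bits 63..47 are all copies of bit 47 (all zero or all one). */
static bool is_canonical(uint64_t va)
{
    uint64_t top = va >> (VADDR_BITS - 1);            /* the 17 upper bits */
    return top == 0 || top == (UINT64_MAX >> (VADDR_BITS - 1));
}

/* Model of INVVPID, individual-address type: fails on a non-canonical address. */
static bool invvpid_individual_addr(uint64_t va) { return is_canonical(va); }

/* Stand-in for the paging-mode hook; true means "flush the hardware TLB entry". */
static bool hostmode_invlpg(uint64_t va) { (void)va; return true; }

/* Before the fix: the hook's answer is passed through unchecked. */
static bool paging_invlpg_unfixed(uint64_t va) { return hostmode_invlpg(va); }

/* After the fix: never report "flush needed" for a non-canonical address. */
static bool paging_invlpg_fixed(uint64_t va)
{
    return is_canonical(va) && hostmode_invlpg(va);
}

/* Model of the INVLPG intercept. Returns false when INVVPID was issued and failed. */
static bool invlpg_intercept_ok(bool (*paging_invlpg)(uint64_t), uint64_t va)
{
    if (paging_invlpg(va))
        return invvpid_individual_addr(va);
    return true;   /* nothing to flush: the intercepted INVLPG is a no-op */
}

int main(void)
{
    const uint64_t samples[] = {          /* constructed guest addresses */
        0x00007fffffffffffULL,            /* top of the lower canonical half */
        0x0000800000000000ULL,            /* first non-canonical address */
        0xffff7fffffffffffULL,            /* last non-canonical address */
        0xffff800000000000ULL,            /* bottom of the upper canonical half */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%016llx canonical=%d unfixed_ok=%d fixed_ok=%d\n",
               (unsigned long long)samples[i], is_canonical(samples[i]),
               invlpg_intercept_ok(paging_invlpg_unfixed, samples[i]),
               invlpg_intercept_ok(paging_invlpg_fixed, samples[i]));
    return 0;
}
```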
[4.1.3-25.el5.209.7]
- x86/mm: PV superpage handling lacks sanity checks
MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
dereferencing pointers into the superpage frame table.
get_superpage() has a similar issue.
This is XSA-167.
Reported-by: Qinghao Tang
Signed-off-by: Jan Beulich
Acked-by: Ian Campbell
Acked-by: Chuck Anderson [bug 22585464] {CVE-2016-1570}
[4.1.3-25.el5.209.6]
- xend/image: Don't throw VMException when using backend domains for disks.
If we are using backend domains the disk image may not be
accessible within the host (domain0). As such it is OK to
continue on.
The 'addStoreEntries' in DevController.py already does the check
to make sure that when the 'backend' configuration is used - that
said domain exists.
As such the only change we need to do is to exclude the disk
image location if the domain is not dom0.
Reviewed-by: Konrad Rzeszutek Wilk
Acked-by: Adnan Misherfi
Signed-off-by: Zhigang Wang
Signed-off-by: Joe Jin [bug 22242536]
[4.1.3-25.el5.209.5]
- memory: fix XENMEM_exchange error handling
assign_pages() can fail due to the domain getting killed in parallel,
which should not result in a hypervisor crash.
Also delete a redundant put_gfn() - all relevant paths leading to the
'fail' label already do this (and there are also paths where it was
plain wrong). All of the put_gfn()-s got introduced by 51032ca058
('Modify naming of queries into the p2m'), including the otherwise
unneeded initializer for k (with even a kind of misleading comment -
the compiler warning could actually have served as a hint that the use
is wrong).
This is XSA-159.
Signed-off-by: Jan Beulich
Acked-by: Ian Campbell
Based on xen.org's xsa159.patch
Conflicts:
OVM 3.2 does not have the change (51032ca058) that is backed out
in xen/common/memory.c or the put_gfn() in xen/common/memory.c
Acked-by: Chuck Anderson
Reviewed-by: John Haxby [bug 22326081] {CVE-2015-8339,CVE-2015-8340}
Related CVEs
Updated Packages
| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
| Oracle VM 3.2 (x86_64) | xen-4.1.3-25.el5.209.9.src.rpm | d732afb4531389c740c7f9e37c252822 | OVMSA-2021-0014 |
| | xen-4.1.3-25.el5.209.9.x86_64.rpm | 61a539f503569a64b6547a98dbf83ebf | OVMSA-2021-0014 |
| | xen-devel-4.1.3-25.el5.209.9.x86_64.rpm | 08fa95ed535f26b6287c1dc912a47710 | OVMSA-2019-0048 |
| | xen-tools-4.1.3-25.el5.209.9.x86_64.rpm | 76d1183f7e1db04f03aa0492e2e9acf3 | OVMSA-2021-0014 |
This page is generated automatically and has not been checked for errors or omissions. For clarification
or corrections please contact the Oracle Linux ULN team