OVMSA-2016-0103 - xen security update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2016-09-08

Description


[4.3.0-55.el6.119.51]
- From: Andrew Cooper
Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
hvm_get_seg_reg() does not perform a range check on its input segment, calls
hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
in {vmx,svm}_get_segment_register().
HVM guests running with shadow paging can end up performing a virtual to
linear translation with x86_seg_none. This is used for addresses which are
already linear. However, none of this is a legitimate pagetable update, so
fail the emulation in such a case.
This is XSA-187
Signed-off-by: Andrew Cooper
Reviewed-by: Tim Deegan
Backported-by: Zhenzhong Duan [bug 24592926] {CVE-2016-7094}

[4.3.0-55.el6.119.50]
- x86/32on64: don't allow recursive page tables from L3
L3 entries are special in PAE mode, and hence can't reasonably be used
for setting up recursive (and hence linear) page table mappings. Since
abuse is possible when the guest in fact gets run on 4-level page
tables, this needs to be excluded explicitly.
This is XSA-185.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan [bug 24592637] {CVE-2016-7092}
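
The XSA-187 entry above describes an array index that was never range-checked against a sentinel value. As an added example (a simplified C model, not Xen's code and not part of this advisory), the sketch below shows the shape of the fix: reject x86_seg_none before touching seg_reg[] and fail the emulation. The struct layout, the reduced segment list, and every function name here are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: six cacheable segments followed by the sentinel that
 * marks an address as already linear. Real Xen has more enumerators. */
enum x86_segment {
    x86_seg_cs, x86_seg_ss, x86_seg_ds, x86_seg_es, x86_seg_fs, x86_seg_gs,
    x86_seg_none /* one past the last slot of seg_reg[] */
};
#define NR_CACHED_SEGS ((size_t)x86_seg_none)

struct segment_register { uint64_t base; uint32_t limit; };
struct emulate_ctxt { struct segment_register seg_reg[NR_CACHED_SEGS]; };

/* Hypothetical stand-in for the hardware read; values are constructed. */
static void read_hw_segment(enum x86_segment seg, struct segment_register *r)
{
    r->base = 0x1000u * (uint64_t)seg;
    r->limit = 0xffffffffu;
}

/* Checked lookup: the index is validated before the cache slot is written.
 * Without this test, x86_seg_none would write one element past seg_reg[]. */
const struct segment_register *get_seg_reg(struct emulate_ctxt *c,
                                           enum x86_segment seg)
{
    if ((unsigned int)seg >= NR_CACHED_SEGS)
        return NULL;
    read_hw_segment(seg, &c->seg_reg[seg]);
    return &c->seg_reg[seg];
}

/* Virtual-to-linear translation. Returning false fails the emulation,
 * which is the outcome the advisory describes for x86_seg_none. */
bool virtual_to_linear(struct emulate_ctxt *c, enum x86_segment seg,
                       uint64_t offset, uint64_t *linear)
{
    const struct segment_register *r = get_seg_reg(c, seg);
    if (r == NULL)
        return false;
    *linear = r->base + offset;
    return true;
}

int main(void)
{
    struct emulate_ctxt c = {0};
    uint64_t lin = 0;
    printf("ds:   %d\n", virtual_to_linear(&c, x86_seg_ds, 0x10, &lin));
    printf("none: %d\n", virtual_to_linear(&c, x86_seg_none, 0x10, &lin));
    return 0;
}
```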


Related CVEs


CVE-2016-7092
CVE-2016-7094

Updated Packages


Release/Architecture    Filename                                  MD5sum                            Superseded By Advisory
Oracle VM 3.3 (x86_64)  xen-4.3.0-55.el6.119.51.src.rpm           fc72ef4bdc8d32a0afcdb56904f5530b  OVMSA-2021-0014
                        xen-4.3.0-55.el6.119.51.x86_64.rpm        c08bf05e09af5965af9b13f187295d75  OVMSA-2021-0014
                        xen-tools-4.3.0-55.el6.119.51.x86_64.rpm  0508304fdf5465d564f656a639919690  OVMSA-2021-0014



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
