OVMSA-2016-0171 - xen security update
| Type: | SECURITY |
| Severity: | IMPORTANT |
| Release Date: | 2016-12-07 |
Description
[4.3.0-55.el6.119.62]
- qemu_up: ioport_read, ioport_write: be defensive about 32-bit addresses
On x86, ioport addresses are 16-bit. That these functions take 32-bit
arguments is a mistake. Changing the argument type to 16-bit will
discard the top bits of any erroneous values from elsewhere in qemu.
Also, check just before use that the value is in range. (This turns
an ill-advised change to MAX_IOPORTS into a possible guest crash
rather than a privilege escalation vulnerability.)
And, in the Xen ioreq processor, clamp incoming ioport addresses to
16-bit values. Xen will never write >16-bit values but the guest may
have access to the ioreq ring. We want to defend the rest of the qemu
code from wrong values.
This is XSA-199.
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25149316] {CVE-2016-9637}
[4.3.0-55.el6.119.61]
- qemu: ioport_read, ioport_write: be defensive about 32-bit addresses
On x86, ioport addresses are 16-bit. That these functions take 32-bit
arguments is a mistake. Changing the argument type to 16-bit will
discard the top bits of any erroneous values from elsewhere in qemu.
Also, check just before use that the value is in range. (This turns
an ill-advised change to MAX_IOPORTS into a possible guest crash
rather than a privilege escalation vulnerability.)
And, in the Xen ioreq processor, clamp incoming ioport addresses to
16-bit values. Xen will never write >16-bit values but the guest may
have access to the ioreq ring. We want to defend the rest of the qemu
code from wrong values.
This is XSA-199.
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25149316] {CVE-2016-9637}
Related CVEs
Updated Packages
| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
|
| Oracle VM 3.3 (x86_64) | xen-4.3.0-55.el6.119.62.src.rpm | ec9c06c332c0ab02c9a27721883e33d6 | OVMSA-2021-0014 |
| xen-4.3.0-55.el6.119.62.x86_64.rpm | c3a6cc3bb083c2b240e65af189d8e6f6 | OVMSA-2021-0014 |
| xen-tools-4.3.0-55.el6.119.62.x86_64.rpm | a25310c9f38a1a9e415cf4bf4b10fa6b | OVMSA-2021-0014 |
This page is generated automatically and has not been checked for errors or omissions. For clarification
or corrections please contact the Oracle Linux ULN team
