OVMSA-2017-0095

OVMSA-2017-0095 - xen security update

Type:SECURITY
Severity:IMPORTANT
Release Date:2017-05-02

Description


[4.3.0-55.el6.186.24]
- x86: correct create_bounce_frame
We may push up to 96 bytes on the guest (kernel) stack, so we should
also cover as much in the early range check. Note that this is the
simplest possible patch, which has the theoretical potential of
breaking a guest: We only really push 96 bytes when invoking the
failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed
(without / with error code respectively). There is, however, no PV OS
known to place a kernel stack there.
This is XSA-215.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25927751]

[4.3.0-55.el6.186.23]
- x86: discard type information when stealing pages
While a page having just a single general reference left necessarily
has a zero type reference count too, its type may still be valid (and
in validated state; at present this is only possible and relevant for
PGT_seg_desc_page, as page tables have their type forcibly zapped when
their type reference count drops to zero, and
PGT_{writable,shared}_page pages don't require any validation). In
such a case when the page is being re-used with the same type again,
validation is being skipped. As validation criteria differ between
32- and 64-bit guests, pages to be transferred between guests need to
have their validation indicator zapped (and with it we zap all other
type information at once).
This is XSA-214.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25927697]

[4.3.0-55.el6.186.22]
- multicall: deal with early exit conditions
In particular changes to guest privilege level require the multicall
sequence to be aborted, as hypercalls are permitted from kernel mode
only. While likely not very useful in a multicall, also properly handle
the return value in the HYPERVISOR_iret case (which should be the guest
specified value).
This is XSA-213.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Julien Grall
Conflict:
xen/arch/arm/traps.c
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25927626]

[4.3.0-55.el6.186.21]
- From 9cd5ea821213a8d0e4e2ec7a9390713379a82a0a Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Fri, 17 Mar 2017 12:28:02 +0000
Subject: [PATCH 2/2] xenstored: Log when the write transaction rate limit
bites
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25745231]

[4.3.0-55.el6.186.20]
- From c91e4cbe19cf6d51b075d4ef3adf6fa50bb16b7a Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Sat, 18 Mar 2017 17:12:39 +0000
Subject: [PATCH 1/2] xenstored: apply a write transaction rate limit
This avoids a rogue client being about to stall another client (eg the
toolstack) indefinitely.
This is XSA-206.
Signed-off-by: Ian Jackson
Backported to 4.8 (not entirely trivial).
Signed-off-by: George Dunlap
Acked-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25745226]

[4.3.0-55.el6.186.19]
- Errataly pick an old verion of xsa206 patchset, revert them
xsa206-4.4-0001-xenstored-apply-a-write-transaction-rate-limit.patch
xsa206-4.4-0002-xenstored-Log-when-the-write-transaction-rate-limit-.patch [bug 25745231]

[4.3.0-55.el6.186.18]
- memory: properly check guest memory ranges in XENMEM_exchange handling
The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
is insufficient here, guest_handle_subrange_okay() needs to be used
instead.
Note that the uses are okay in
- XENMEM_add_to_physmap_batch handling due to the size field being only
16 bits wide,
- livepatch_list() due to the limit of 1024 enforced on the
number-of-entries input (leaving aside the fact that this can be
called by a privileged domain only anyway),
- compat mode handling due to counts there being limited to 32 bits,
- everywhere else due to guest arrays being accessed sequentially from
index zero.
This is XSA-212.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25760591] {CVE-2017-7228}

[4.3.0-55.el6.186.17]
- From 9cd5ea821213a8d0e4e2ec7a9390713379a82a0a Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Fri, 17 Mar 2017 12:28:02 +0000
Subject: [PATCH 2/2] xenstored: Log when the write transaction rate limit
bites
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25745231]

[4.3.0-55.el6.186.16]
- From 2693dfd49fa0c0f2dc3ae8d21bda98c757d8bec4 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Fri, 17 Mar 2017 12:23:34 +0000
Subject: [PATCH 1/2] xenstored: apply a write transaction rate limit
This avoids a rogue client being about to stall another client (eg the
toolstack) indefinitely.
This is XSA-206.
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25745231]

[4.3.0-55.el6.186.15]
- From dc4eee43ac608337ae96a174e0a5c1278168bd56 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 9 Mar 2017 11:14:55 +0000
Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code.
From: Gerd Hoffmann
There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carryed out by
guests. It is supported by cirrus and vnc server. The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.
This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more. Any linux guest using the cirrus drm
driver doesn't. Any windows guest newer than winxp doesn't ship with a
cirrus driver any more and thus uses the cirrus as simple framebuffer.
So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit '3e10c3e vnc: fix qemu crash because of SIGSEGV'
which fixes a bug lingering in the code for almost a year, added by
commit 'c7628bf vnc: only alloc server surface with clients connected'.
Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full). This doesn't work with
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display. So this dpy_gfx_copy 'optimization' might even make things
worse on slow network links.
Lets kill it once for all.
Signed-off-by: Gerd Hoffmann
These changes (dropping dpy_copy and all its references and
implementations) reimplemented for qemu-xen-traditional.
This is XSA-211.
Signed-off-by: Ian Jackson
Conflicts:
hw/cirrus_vga.c
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25699219] {CVE-2016-9603}

[4.3.0-55.el6.186.14]
- From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Tue, 21 Feb 2017 10:54:59 -0800
Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
cirrus_bitblt_cputovideo
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.
The missing blit width check allows to overflow cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.
Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
hasn't full control over cirrus_srcptr though, only one byte can be
changed. Once the first byte has been modified further writes land
elsewhere.
[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
Reported-by: Gerd Hoffmann
Signed-off-by: Gerd Hoffmann
cirrus_vga.c moved from hw/display/ to hw/
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670969] {CVE-2017-2620}

[4.3.0-55.el6.186.13]
- From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
From: Bruce Rogers
Date: Tue, 21 Feb 2017 10:54:38 -0800
Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
blit_is_unsafe
Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch, we
noticed the SLES 11 SP4 guest gui failed to initialize properly.
Signed-off-by: Bruce Rogers
Message-id: 20170109203520.5619-1-brogers@suse.com
Signed-off-by: Gerd Hoffmann
cirrus_vga.c moved from hw/display/ to hw/
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670969] {CVE-2017-2620}

[4.3.0-55.el6.186.12]
- From: Gerd Hoffmann
Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.
The missing blit width check allows to overflow cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.
Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
hasn't full control over cirrus_srcptr though, only one byte can be
changed. Once the first byte has been modified further writes land
elsewhere.
[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
Reported-by: Gerd Hoffmann
Signed-off-by: Gerd Hoffmann
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670969] {CVE-2017-2620}

[4.3.0-55.el6.186.11]
- From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
From: Li Qiang
Date: Mon, 13 Feb 2017 15:22:15 +0000
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
This is XSA-208.
upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
Signed-off-by: Li Qiang
{ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
Cc: qemu-stable@nongnu.org
Cc: P J P
Cc: Laszlo Ersek
Cc: Paolo Bonzini
Cc: Wolfgang Bumiller
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek
Signed-off-by: Stefano Stabellini
cirrus_vga.c moved from hw/display/ to hw/
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670969] {CVE-2017-2615}

[4.3.0-55.el6.186.10]
- From d3532a0db02296e687711b8cdc7791924efccea0 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Wed, 19 Nov 2014 11:37:42 +0100
Subject: [PATCH] cirrus: fix blit region check
Issues:
* Doesn't check pitches correctly in case it is negative.
* Doesn't check width at all.
Turn macro into functions while being at it, also factor out the check
for one region which we then can simply call twice for src + dst.
This is CVE-2014-8106.
Reported-by: Paolo Bonzini
Signed-off-by: Gerd Hoffmann
Reviewed-by: Paolo Bonzini
Prerequisite patch for XSA208, cirrus_vga.c moved from hw/display/ to hw/
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670969] {CVE-2017-2615}

[4.3.0-55.el6.186.9]
- From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
From: Li Qiang
Date: Mon, 13 Feb 2017 15:22:15 +0000
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
This is XSA-208.
upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
Signed-off-by: Li Qiang
{ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
Cc: qemu-stable@nongnu.org
Cc: P J P
Cc: Laszlo Ersek
Cc: Paolo Bonzini
Cc: Wolfgang Bumiller
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek
Signed-off-by: Stefano Stabellini
Signed-off-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670969] {CVE-2017-2615}

[4.3.0-55.el6.186.8]
- From 5e4ed9cded14f2d8445150c8a6d225b283bed3fa Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Sat, 21 Feb 2015 17:16:42 +0000
Subject: [PATCH] CVE-2014-8106: cirrus: fix blit region check
Backport of qemu-upstream:
* bf25983345ca44aec3dd92c57142be45452bd38a
* d3532a0db02296e687711b8cdc7791924efccea0
Signed-off-by: Andrew Cooper
Prerequisite patch for XSA208
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 25670969] {CVE-2017-2615}

[4.3.0-55.el6.186.7]
- IOMMU: always call teardown callback
There is a possible scenario when (d)->need_iommu remains unset
during guest domain execution. For example, when no devices
were assigned to it. Taking into account that teardown callback
is not called when (d)->need_iommu is unset we might have unreleased
resourses after destroying domain.
So, always call teardown callback to roll back actions
that were performed in init callback.
This is XSA-207.
Reviewed-by: Jan Beulich
Tested-by: Jan Beulich
Tested-by: Julien Grall
Backported-by: Zhenzhong Duan [bug 25491807]


Related CVEs


CVE-2017-2615
CVE-2017-2620
CVE-2016-9603
CVE-2017-7228
CVE-2017-8903
CVE-2017-8904
CVE-2017-8905

Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle VM 3.3 (x86_64) xen-4.3.0-55.el6.186.24.src.rpm05f3f930bae86756c9e858f9785f2d58OVMSA-2021-0014
xen-4.3.0-55.el6.186.24.x86_64.rpm6e472638537ff84917236926a7b9be55OVMSA-2021-0014
xen-tools-4.3.0-55.el6.186.24.x86_64.rpmdf37fec33c67fedd308e7ad7606cc32bOVMSA-2021-0014



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete