OVMSA-2017-0159 - xen security update
| Type: | SECURITY |
| Impact: | IMPORTANT |
| Release Date: | 2017-10-24 |
Description
[4.1.3-25.el5.223.86]
- The code of OVM3.2.9 is quite old, there is no get_page/put_page pair to protect
the ownership and references of page table page which is mapped in
emulate_map_dest().
This patch fix it by adding get_page() in emulate_gva_to_mfn() to match
put_page() in xsa219-4.5.patch so that it works.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 26816043]
[4.1.3-25.el5.223.85]
- From: Jan Beulich
Subject: gnttab: also validate PTE permissions upon destroy/replace
In order for PTE handling to match up with the reference counting done
by common code, presence and writability of grant mapping PTEs must
also be taken into account; validating just the frame number is not
enough. This is in particular relevant if a guest fiddles with grant
PTEs via non-grant hypercalls.
Note that the flags being passed to replace_grant_host_mapping()
already happen to be those of the existing mapping, so no new function
parameter is needed.
This is XSA-234.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 26721589]
[4.1.3-25.el5.223.84]
- From: Juergen Gross
Subject: tools/xenstore: dont unlink connection object twice
A connection object of a domain with associated stubdom has two
parents: the domain and the stubdom. When cleaning up the list of
active domains in domain_cleanup() make sure not to unlink the
connection twice from the same domain. This could happen when the
domain and its stubdom are being destroyed at the same time leading
to the domain loop being entered twice.
Additionally don't use talloc_free() in this case as it will remove
a random parent link, leading eventually to a memory leak. Use
talloc_unlink() instead specifying the context from which the
connection object should be removed.
This is XSA-233.
Signed-off-by: Juergen Gross
Reviewed-by: Ian Jackson
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 26721577]
[4.1.3-25.el5.223.83]
- From: George Dunlap
Subject: xen/mm: make sure node is less than MAX_NUMNODES
The output of MEMF_get_node(memflags) can be as large as nodeid_t can
hold (currently 255). This is then used as an index to arrays of size
MAX_NUMNODE, which is 64 on x86 and 1 on ARM, can be passed in by an
untrusted guest (via memory_exchange and increase_reservation) and is
not currently bounds-checked.
Check the value in page_alloc.c before using it, and also check the
value in the hypercall call sites and return -EINVAL if appropriate.
Don't permit domains other than the hardware or control domain to
allocate node-constrained memory.
This is XSA-231.
Signed-off-by: George Dunlap
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Conflict:
xen/common/memory.c
Use IS_PRIV() instead of is_hardware_domain() and is_control_domain() in
original patch.
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 26721505]
Related CVEs
Updated Packages
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
|
| Oracle VM 3.2 (x86_64) | xen-4.1.3-25.el5.223.86.src.rpm | f7f44de67c08dc473d2ed55ef49e0b665b67be1db0b05c49d0fa98ff6dd20f5d | OVMBA-2024-0012 | ovm3_3.2.1_x86_64_patch |
| xen-4.1.3-25.el5.223.86.x86_64.rpm | ff91d3e2992aff515e4405aef3c76eee1f6c920830cebbacf421ae9719a3b970 | OVMBA-2024-0012 | ovm3_3.2.1_x86_64_patch |
| xen-devel-4.1.3-25.el5.223.86.x86_64.rpm | c44ada21152e5b7b1d4832b4d93ae401b531a6ec99900fe75d6db1e364dfc474 | OVMSA-2019-0048 | ovm3_3.2.1_x86_64_patch |
| xen-tools-4.1.3-25.el5.223.86.x86_64.rpm | f5cb3535593701c67bfeaf054352c64ebd3597668e0a0656ba9caeddfdaf4069 | OVMBA-2024-0012 | ovm3_3.2.1_x86_64_patch |
This page is generated automatically and has not been checked for errors or omissions. For clarification
or corrections please contact the Oracle Linux ULN team
