OVMSA-2018-0225 - xen security update
Type: | SECURITY |
Severity: | IMPORTANT |
Release Date: | 2018-05-29 |
Description
[4.1.3-25.el5.223.170]
- From: Jan Beulich
Subject: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY
PV guests can fully control the values written into the P2M.
This is XSA-251.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 27188660] {CVE-2017-17565}
[4.1.3-25.el5.223.169]
- From: Jan Beulich
Subject: x86/shadow: fix ref-counting error handling
The old-Linux handling in shadow_set_l4e() mistakenly ORed together the
results of sh_get_ref() and sh_pin(). As the latter failing is not a
correctness problem, simply ignore its return value.
In sh_set_toplevel_shadow() a failing sh_get_ref() must not be
accompanied by installing the entry, despite the domain being crashed.
This is XSA-250.
Signed-off-by: Jan Beulich
Reviewed-by: Tim Deegan
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 27188654] {CVE-2017-17564}
[4.1.3-25.el5.223.168]
- From: Jan Beulich
Subject: x86/shadow: fix refcount overflow check
Commit c385d27079 ('x86 shadow: for multi-page shadows, explicitly track
the first page') reduced the refcount width to 25, without adjusting the
overflow check. Eliminate the disconnect by using a manifest constant.
Interestingly, up to commit 047782fa01 ('Out-of-sync L1 shadows: OOS
snapshot') the refcount was 27 bits wide, yet the check was already
using 26.
This is XSA-249.
v2: Simplify expression back to the style it was.
Signed-off-by: Jan Beulich
Reviewed-by: George Dunlap
Reviewed-by: Tim Deegan
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 27188648] {CVE-2017-17563}
[4.1.3-25.el5.223.167]
- From: Jan Beulich
Subject: x86/mm: don't wrongly set page ownership
PV domains can obtain mappings of any pages owned by the correct domain,
including ones that aren't actually assigned as 'normal' RAM, but used
by Xen internally. At the moment such 'internal' pages marked as owned
by a guest include pages used to track logdirty bits, as well as p2m
pages and the 'unpaged pagetable' for HVM guests. Since the PV memory
management and shadow code conflict in their use of struct page_info
fields, and since shadow code is being used for log-dirty handling for
PV domains, pages coming from the shadow pool must, for PV domains, not
have the domain set as their owner.
While the change could be done conditionally for just the PV case in
shadow code, do it unconditionally (and for consistency also for HAP),
just to be on the safe side.
There's one special case though for shadow code: The page table used for
running a HVM guest in unpaged mode is subject to get_page() (in
set_shadow_status()) and hence must have its owner set.
This is XSA-248.
Signed-off-by: Jan Beulich
Reviewed-by: Tim Deegan
Reviewed-by: George Dunlap
Conflict:
xen/arch/x86/mm/hap/hap.c
xen/arch/x86/mm/shadow/common.c
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky [bug 27188645] {CVE-2017-17566}
Related CVEs
Updated Packages
Release/Architecture | Filename | MD5sum | Superseded By Advisory |
|
Oracle VM 3.2 (x86_64) | xen-4.1.3-25.el5.223.170.src.rpm | 69e1b957e27ecbc326c21667b2e08554 | OVMSA-2021-0014 |
| xen-4.1.3-25.el5.223.170.x86_64.rpm | d5a64c44a95cf8544fadf2c54d059dbe | OVMSA-2021-0014 |
| xen-devel-4.1.3-25.el5.223.170.x86_64.rpm | 9fee77426958976d7178dc4f87fee010 | OVMSA-2019-0048 |
| xen-tools-4.1.3-25.el5.223.170.x86_64.rpm | a0e0547c613459ced84dc27269b2c467 | OVMSA-2021-0014 |
This page is generated automatically and has not been checked for errors or omissions. For clarification
or corrections please contact the Oracle Linux ULN team