OVMSA-2019-0048 - xen security update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2019-10-31

Description


[4.1.3-25.el5.223.221]
- VMX: disable apicv by default
The APIC virtualization was not used in the past by Oracle VM 3.2.X.
However, the feature was backported in order to resolve complex conflicts
during CVE backport.
Unfortunately there is a bug with the feature Virtual Interrupt Delivery
which was not used in the past.
Therefore apicv is forced to be disabled by default forever.
This patch is not from upstream.
Signed-off-by: Dongli Zhang
Reviewed-by: Joe Jin [bug 30333121]

[4.1.3-25.el5.223.220]
- VMX: add boot parameter to enable/disable APIC-v dynamically
Add a boot parameter to enable/disable the APIC-v dynamically. APIC-v is
enabled by default. User can use apicv=0 to disable it.
Signed-off-by: Yang Zhang
upstream commit: 0c006b41a283a0a569c863d44abde5aa5750ae01
Conflicts:
- SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE is not used
Signed-off-by: Dongli Zhang
Reviewed-by: Joe Jin [bug 30333121]

[4.1.3-25.el5.223.219]
- From 81ad679d1b6318b76fcff70fd64a9bf5043950af Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Tue, 13 Nov 2018 14:10:30 -0500
Subject: [PATCH OVM3.2 5/5] x86: work around HLE host lockup erratum
XACQUIRE prefixed accesses to the 4Mb range of memory starting at 1Gb
are liable to lock up the processor. Disallow use of this memory range.
Unfortunately the available Core Gen7 and Gen8 spec updates are pretty
old, so I can only guess that they're similarly affected when Core Gen6
is and the Xeon counterparts are, too.
This is part of XSA-282.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Only offset differences in backport. No CVE has been assigned yet.
Based off of xsa282-4.8-2.patch.
Signed-off-by: Ross Philipson
Reviewed-by: Darren Kenny
Based on OVM3.4.6 commit c0358138c05033bb21883b219899b0e282803222
Signed-off-by: Zhenzhong Duan
Reviewed-by: Patrick Colp [bug 28902185] {CVE-2018-19967}

[4.1.3-25.el5.223.218]
- From 905377ba89655a01824683d68c5966aef956edab Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Tue, 13 Nov 2018 14:10:00 -0500
Subject: [PATCH OVM3.2 4/5] x86: extend get_platform_badpages() interface
Use a structure so along with an address (now frame number) an order can
also be specified.
This is part of XSA-282.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Only offset differences in backport. No CVE has been assigned yet.
Based off of xsa282-4.9-1.patch
Ross Philipson
Reviewed-by: Darren Kenny
Conflict:
xen/include/asm-x86/mm.h - context
Based on OVM3.4.6 commit 03dd463e1bd14493a9c408806dd11cfa3eb94b89
Signed-off-by: Zhenzhong Duan
Reviewed-by: Patrick Colp [bug 28902185] {CVE-2018-19967}
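
The two XSA-282 entries above (.219 and .218) describe excluding a memory range given as a frame number plus an order. The following C sketch is an added example, not code from the Xen or Oracle VM patches: the struct and function names are hypothetical, and it assumes 4 KiB pages and reads "4Mb" and "1Gb" as 4 MiB and 1 GiB.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* assumption: 4 KiB pages */

/* Hypothetical descriptor: first frame number and order (2^order frames). */
struct bad_page_range {
    uint64_t mfn;
    unsigned int order;
};

/* Constructed from the changelog text: 4 MiB starting at 1 GiB.
 * 1 GiB >> 12 = frame 0x40000; 4 MiB / 4 KiB = 1024 frames = order 10. */
static const struct bad_page_range hle_bad_range[] = {
    { (1ULL << 30) >> PAGE_SHIFT, 10 },
};

/* Return 1 if the frame lies inside any listed range. */
int mfn_is_bad(uint64_t mfn, const struct bad_page_range *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t end = tbl[i].mfn + (1ULL << tbl[i].order);
        if (mfn >= tbl[i].mfn && mfn < end)
            return 1;
    }
    return 0;
}

/* Count frames in [start, start + nr) that remain usable once the listed
 * ranges are excluded. Assumes the table entries do not overlap each other. */
uint64_t usable_frames(uint64_t start, uint64_t nr,
                       const struct bad_page_range *tbl, size_t n)
{
    uint64_t end = start + nr, excluded = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t bs = tbl[i].mfn, be = bs + (1ULL << tbl[i].order);
        uint64_t lo = start > bs ? start : bs;
        uint64_t hi = end < be ? end : be;
        if (lo < hi)
            excluded += hi - lo;
    }
    return nr - excluded;
}

int main(void)
{
    /* Constructed sample: a free region straddling the 1 GiB boundary. */
    uint64_t start = 0x3ff00, nr = 0x600;
    printf("usable frames: %llu of %llu\n",
           (unsigned long long)usable_frames(start, nr, hle_bad_range, 1),
           (unsigned long long)nr);
    return 0;
}
```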

[4.1.3-25.el5.223.217]
- From 754d6e803b72644be691b548783e62bffefd45ae Mon Sep 17 00:00:00 2001
From: Xudong Hao
Date: Wed, 21 Nov 2018 01:28:04 +0800
Subject: [PATCH OVM3.2 3/5] x86: reserve pages when SandyBridge integrated graphics
SNB graphics devices have a bug that prevents them from accessing certain
memory ranges, namely anything below 1M and in the pages listed in the
table.
Xen does not initialize below 1MB to heap, i.e. pages below 1MB are not
allocated, so it's unnecessary to reserve memory below the 1 MB mark
that has not already been reserved.
So reserve those pages listed in the table at xen boot if set detect a
SNB gfx device on the CPU to avoid GPU hangs.
Signed-off-by: Xudong Hao
Acked-by: Keir Fraser
Backported from upstream commit db537fe3023bf157b85c8246782cb72a6f989b31
Conflicts:
xen/arch/x86/mm.c - context
xen/include/asm-x86/mm.h - context
xen/include/asm-x86/pci.h - add this new header file
Prerequisite patch for XSA-282.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Patrick Colp [bug 28902185] {CVE-2018-19967}

[4.1.3-25.el5.223.216]
- From 8a18370e7d4612da333052358123700d4cfc8791 Mon Sep 17 00:00:00 2001
From: Liu, Jinsong
Date: Tue, 28 Feb 2012 09:06:27 +0100
Subject: [PATCH OVM3.2 2/5] X86: expose HLE/RTM features to dom0
Intel recently released 2 new features, HLE and RTM.
Refer to http://software.intel.com/file/41417.
This patch exposes them to dom0.
Signed-off-by: Liu, Jinsong
Committed-by: Jan Beulich
Backported from upstream commit 6af7deded7aae2a90c7eec5e7b1ce053362e73f0
Conflicts:
arch/x86/traps.c - reorder the code to match upstream
include/asm-x86/cpufeature.h - context
Prerequisite patch for XSA-282.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Patrick Colp [bug 28902185] {CVE-2018-19967}

[4.1.3-25.el5.223.215]
- From 8ec7489ea8d2c543692a01a80d1e11f0e3afa8f4 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 9 Jan 2019 15:07:27 +0800
Subject: [PATCH OVM3.2 1/5] x86/mm: Don't perform flush after failing to update a guests L1e
If the L1e update hasn't occurred, the flush cannot do anything useful. This
skips the potentially expensive vcpumask_to_pcpumask() conversion, and
broadcast TLB shootdown.
More importantly however, we might be in the error path due to a bad va
parameter from the guest, and this should not propagate into the TLB flushing
logic. The INVPCID instruction for example raises #GP for a non-canonical
address.
This is XSA-279.
Reported-by: Matthew Daley
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Backported from upstream xsa279-4.9.patch
Signed-off-by: Zhenzhong Duan
Reviewed-by: Patrick Colp [bug 28952380] {CVE-2018-19965}


Related CVEs


CVE-2018-19965
CVE-2018-19967

Updated Packages


Release/Architecture    Filename                                   MD5sum                            Superseded By Advisory
Oracle VM 3.2 (x86_64)  xen-4.1.3-25.el5.223.221.src.rpm           9c20719cae4ae33f033e2c798e5554c7  OVMSA-2021-0014
                        xen-4.1.3-25.el5.223.221.x86_64.rpm        2ee8af949df224053613d02b8a2b00bc  OVMSA-2021-0014
                        xen-devel-4.1.3-25.el5.223.221.x86_64.rpm  b9a9537b3fe5491b6dfb0f9ad18c1af4  -
                        xen-tools-4.1.3-25.el5.223.221.x86_64.rpm  fc2d3d30b488d419261b263bb0cb1b7d  OVMSA-2021-0014



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team