[Oraclevm-errata] OVMSA-2016-0104 Important: Oracle VM 3.2 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Thu Sep 8 14:42:15 PDT 2016


Oracle VM Security Advisory OVMSA-2016-0104

The following updated rpms for Oracle VM 3.2 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.1.3-25.el5.223.36.x86_64.rpm
xen-devel-4.1.3-25.el5.223.36.x86_64.rpm
xen-tools-4.1.3-25.el5.223.36.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.223.36.src.rpm



Description of changes:

[4.1.3-25.el5.223.36]
- From: Andrew Cooper <andrew.cooper3 at citrix.com>
   Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
   hvm_get_seg_reg() does not perform a range check on its input segment, calls
   hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
   x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
   in {vmx,svm}_get_segment_register().
   HVM guests running with shadow paging can end up performing a virtual to
   linear translation with x86_seg_none.  This is used for addresses which are
   already linear.  However, none of this is a legitimate pagetable update, so
   fail the emulation in such a case.
   This is XSA-187
   Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Reviewed-by: Tim Deegan <tim at xen.org>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com> [bug 24592947] {CVE-2016-7094}

[4.1.3-25.el5.223.35]
- x86/32on64: don't allow recursive page tables from L3
   L3 entries are special in PAE mode, and hence can't reasonably be used
   for setting up recursive (and hence linear) page table mappings. Since
   abuse is possible when the guest in fact gets run on 4-level page
   tables, this needs to be excluded explicitly.
   This is XSA-185.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Conflict:
   xen/arch/x86/mm.c
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com> [bug 24592799] {CVE-2016-7092}
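
The XSA-187 entry above describes a cache lookup indexed by a segment enum whose "none" marker has no slot in the array. The following is an added example, not Xen source and not part of the original advisory: a simplified C model of that pattern with the range check in place and the caller failing the emulation. All identifiers (enum seg, emul_ctxt, get_seg_reg, virt_to_linear, read_hw_segment, the EMUL_* codes) are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model, NOT Xen source: every name below is hypothetical. */
enum seg { SEG_CS, SEG_SS, SEG_DS, SEG_ES, SEG_FS, SEG_GS,
           SEG_NONE /* marker: address is already linear, no register */ };
#define NR_CACHED_SEGS     6      /* SEG_NONE has no slot in the cache */
#define EMUL_OK            0
#define EMUL_UNHANDLEABLE  1
struct seg_reg { uint64_t base; uint32_t limit; };
struct emul_ctxt {
    struct seg_reg seg_reg[NR_CACHED_SEGS];
    unsigned int valid;           /* bit n set => seg_reg[n] is cached */
};

/* Constructed stand-in for the hardware read (assumption for the example). */
static struct seg_reg read_hw_segment(enum seg s)
{
    return (struct seg_reg){ 0x1000u * ((uint64_t)s + 1), 0xffffffffu };
}

/* Range-check BEFORE touching the array; NULL means "no such register". */
static struct seg_reg *get_seg_reg(struct emul_ctxt *c, enum seg s)
{
    if ((unsigned int)s >= NR_CACHED_SEGS)
        return NULL;
    if (!(c->valid & (1u << s))) {
        c->seg_reg[s] = read_hw_segment(s);
        c->valid |= 1u << s;
    }
    return &c->seg_reg[s];
}

/* The caller turns NULL into a failed emulation instead of a stray write. */
int virt_to_linear(struct emul_ctxt *c, enum seg s, uint64_t off, uint64_t *lin)
{
    struct seg_reg *r = get_seg_reg(c, s);
    if (r == NULL) return EMUL_UNHANDLEABLE;
    *lin = r->base + off;
    return EMUL_OK;
}

int main(void)
{
    struct emul_ctxt c = { .valid = 0 };
    uint64_t lin = 0;
    printf("FS   rc=%d\n", virt_to_linear(&c, SEG_FS, 0x10, &lin));
    printf("NONE rc=%d\n", virt_to_linear(&c, SEG_NONE, 0x10, &lin));
    return 0;
}
```

Without the first check in get_seg_reg(), the SEG_NONE call would index one element past seg_reg[] and overwrite the adjacent valid field in this model.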



