[Oraclevm-errata] OVMSA-2015-0111 Important: Oracle VM 3.3 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Tue Aug 4 12:15:21 PDT 2015


Oracle VM Security Advisory OVMSA-2015-0111

The following updated rpms for Oracle VM 3.3 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.3.0-55.el6.47.54.x86_64.rpm
xen-tools-4.3.0-55.el6.47.54.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/xen-4.3.0-55.el6.47.54.src.rpm



Description of changes:

[4.3.0-55.el6.47.54]
- rtl8139: check TCP Data Offset field (qemu traditional)
   The TCP Data Offset field contains the length of the header.  Make sure
   it is valid and does not exceed the IP data length.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
   This is 7/7 qemu traditional XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.53]
- rtl8139: skip offload on short TCP header (qemu traditional)
   TCP Large Segment Offload accesses the TCP header in the packet.  If the
   packet is too short we must not attempt to access header fields:
   tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
   int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
   This is 6/7 qemu traditional XSA-140 CVE-2015-5165
   Conflicts:
   added "(qemu traditional)" to the patch subject line
   tools/qemu-xen-traditional-dir/hw/rtl8139.c
   different patch context
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.52]
- rtl8139: check IP Total Length field (qemu traditional)
   The IP Total Length field includes the IP header and data.  Make sure it
   is valid and does not exceed the Ethernet payload size.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
   This is 5/7 qemu traditional XSA-140 CVE-2015-5165
   Conflicts:
   added "(qemu traditional)" to the patch subject line
   tools/qemu-xen-traditional-dir/hw/rtl8139.c
   different patch context
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.51]
- rtl8139: check IP Header Length field (qemu traditional)
   The IP Header Length field was only checked in the IP checksum case, but
   is used in other cases too.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
   This is 4/7 qemu traditional XSA-140 CVE-2015-5165
   Conflicts:
   added "(qemu traditional)" to the patch subject line
   tools/qemu-xen-traditional-dir/hw/rtl8139.c
   different patch context
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.50]
- rtl8139: skip offload on short Ethernet/IP header (qemu traditional)
   Transmit offload features access Ethernet and IP headers in the packet.  If
   the packet is too short we must not attempt to access header fields:
   int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
   ...
   eth_payload_data = saved_buffer + ETH_HLEN;
   ...
   ip = (ip_header*)eth_payload_data;
   if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
   This is 3/7 qemu traditional XSA-140 CVE-2015-5165
   Conflicts:
   added "(qemu traditional)" to the patch subject line
   tools/qemu-xen-traditional-dir/hw/rtl8139.c
   different patch context
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.49]
- rtl8139: drop tautologous if (ip) {...} statement (qemu traditional)
   The previous patch stopped using the ip pointer as an indicator that the
   IP header is present.  When we reach the if (ip) {...} statement we know
   ip is always non-NULL.
   Remove the if statement to reduce nesting.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
   This is 2/7 qemu traditional XSA-140 CVE-2015-5165
   Conflicts:
   added "(qemu traditional)" to the patch subject line
   tools/qemu-xen-traditional-dir/hw/rtl8139.c
   DPRINTF() changed to DEBUG_PRINT()
   args to rtl8139_transfer_frame()
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.48]
- rtl8139: avoid nested ifs in IP header parsing (qemu traditional)
   Transmit offload needs to parse packet headers.  If header fields have
   unexpected values the offload processing is skipped.
   The code currently uses nested ifs because there is relatively little
   input validation.  The next patches will add missing input validation
   and a goto label is more appropriate to avoid deep if statement nesting.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
   This is 1/7 qemu traditional XSA-140 CVE-2015-5165
   Conflicts:
   added "(qemu traditional)" to the patch subject line
   replaced incorrect 3/7 patch comment block with 1/7
   tools/qemu-xen-traditional-dir/hw/rtl8139.c
   DPRINTF() changed to DEBUG_PRINT()
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.47]
- rtl8139: check TCP Data Offset field
   The TCP Data Offset field contains the length of the header.  Make sure
   it is valid and does not exceed the IP data length.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   This is 7/7 XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.46]
- rtl8139: skip offload on short TCP header
   TCP Large Segment Offload accesses the TCP header in the packet.  If the
   packet is too short we must not attempt to access header fields:
   tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
   int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   This is 6/7 XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.45]
- rtl8139: check IP Total Length field
   The IP Total Length field includes the IP header and data.  Make sure it
   is valid and does not exceed the Ethernet payload size.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   This is 5/7 XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.44]
- rtl8139: check IP Header Length field
   The IP Header Length field was only checked in the IP checksum case, but
   is used in other cases too.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   This is 4/7 XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.43]
- rtl8139: skip offload on short Ethernet/IP header
   Transmit offload features access Ethernet and IP headers in the packet.  If
   the packet is too short we must not attempt to access header fields:
   int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
   ...
   eth_payload_data = saved_buffer + ETH_HLEN;
   ...
   ip = (ip_header*)eth_payload_data;
   if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   This is 3/7 XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.42]
- rtl8139: drop tautologous if (ip) {...} statement
   The previous patch stopped using the ip pointer as an indicator that the
   IP header is present.  When we reach the if (ip) {...} statement we know
   ip is always non-NULL.
   Remove the if statement to reduce nesting.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   This is 2/7 XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] {CVE-2015-5165}

[4.3.0-55.el6.47.41]
- rtl8139: avoid nested ifs in IP header parsing
   Transmit offload needs to parse packet headers.  If header fields have
   unexpected values the offload processing is skipped.
   The code currently uses nested ifs because there is relatively little
   input validation.  The next patches will add missing input validation
   and a goto label is more appropriate to avoid deep if statement nesting.
   Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
   This is 1/7 XSA-140 CVE-2015-5165
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21535438] 
{CVE-2015-5165}

[4.3.0-55.el6.47.40]
- pci: completely unhook the unplugged IDEDevice from the corresponding BlockBackend
   pci_piix3_xen_ide_unplug should completely unhook the unplugged
   IDEDevice from the corresponding BlockBackend, otherwise the next call
   to release_drive will try to detach the drive again.
   Suggested-by: Kevin Wolf <kwolf at redhat.com>
   Signed-off-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
   This is XSA-139 / CVE-2015-5166
   Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21518709] {CVE-2015-5166}
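As an added illustration (not part of this advisory and not code from rtl8139.c), the header-length checks that the seven XSA-140 rtl8139 entries above describe, written as one self-contained C routine over a raw transmit buffer using the goto skip_offload pattern from patch 1/7. The names tx_offload_headers_ok and build_frame and the constructed sample frame are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ETH_HLEN = 14, IP_HLEN_MIN = 20, TCP_HLEN_MIN = 20, ETH_P_IP = 0x0800 };
static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Check the Ethernet/IPv4/TCP header lengths of a `len`-byte transmit buffer
 * before any offload code reads header fields.  Returns 1 when the headers are
 * fully present and consistent, 0 when offload must be skipped (3/7..7/7 as in the changelog). */
int tx_offload_headers_ok(const uint8_t *buf, size_t len, size_t *tcp_hlen_out)
{
    size_t eth_payload_len, hlen, ip_total, ip_data_len, tcp_hlen;
    const uint8_t *ip;
    if (len < ETH_HLEN + IP_HLEN_MIN || rd_be16(buf + 12) != ETH_P_IP)
        goto skip_offload;                       /* 3/7: short Ethernet/IP header */
    ip = buf + ETH_HLEN;
    eth_payload_len = len - ETH_HLEN;
    if ((ip[0] >> 4) != 4 || ip[9] != 6)         /* only IPv4 carrying TCP */
        goto skip_offload;
    hlen = (size_t)(ip[0] & 0x0f) * 4;           /* 4/7: IHL in 32-bit words */
    if (hlen < IP_HLEN_MIN || hlen > eth_payload_len)
        goto skip_offload;
    ip_total = rd_be16(ip + 2);                  /* 5/7: Total Length = header + data */
    if (ip_total < hlen || ip_total > eth_payload_len)
        goto skip_offload;
    ip_data_len = ip_total - hlen;
    if (ip_data_len < TCP_HLEN_MIN)              /* 6/7: short TCP header */
        goto skip_offload;
    tcp_hlen = (size_t)(ip[hlen + 12] >> 4) * 4; /* 7/7: TCP Data Offset */
    if (tcp_hlen < TCP_HLEN_MIN || tcp_hlen > ip_data_len)
        goto skip_offload;
    *tcp_hlen_out = tcp_hlen;
    return 1;
skip_offload:
    return 0;
}

/* Constructed sample frame: Ethernet + IPv4 (ihl words) + TCP (doff words), no
 * payload; ip_total is written as given so a caller can make it inconsistent. */
size_t build_frame(uint8_t *out, size_t cap, unsigned ihl, unsigned ip_total, unsigned doff)
{
    size_t len = ETH_HLEN + (size_t)ihl * 4 + (size_t)doff * 4;
    if (len > cap) return 0;
    memset(out, 0, len);
    out[12] = 0x08; out[ETH_HLEN + 9] = 6;               /* EtherType 0x0800, protocol TCP */
    out[ETH_HLEN] = (uint8_t)(0x40 | ihl);               /* version 4 | IHL */
    out[ETH_HLEN + 2] = (uint8_t)(ip_total >> 8); out[ETH_HLEN + 3] = (uint8_t)ip_total;
    out[ETH_HLEN + ihl * 4 + 12] = (uint8_t)(doff << 4); /* TCP Data Offset */
    return len;
}
```

Each rejected case in the checks corresponds to one of the short-header or length-field conditions the entries above describe; a frame whose IHL, Total Length and Data Offset all fit inside the bytes actually present is the only one that passes.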
