[Oraclevm-errata] OVMSA-2015-0112 Important: Oracle VM 3.2 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Tue Aug 4 12:15:40 PDT 2015
Oracle VM Security Advisory OVMSA-2015-0112
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
xen-4.1.3-25.el5.127.68.x86_64.rpm
xen-devel-4.1.3-25.el5.127.68.x86_64.rpm
xen-tools-4.1.3-25.el5.127.68.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.127.68.src.rpm
Description of changes:
[4.1.3-25.el5.127.68]
- rtl8139: check TCP Data Offset field (qemu traditional)
The TCP Data Offset field contains the length of the header. Make sure
it is valid and does not exceed the IP data length.
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
This is 7/7 qemu traditional XSA-140 CVE-2015-5165
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21537082]
{CVE-2015-5165}
[4.1.3-25.el5.127.67]
- rtl8139: skip offload on short TCP header (qemu traditional)
TCP Large Segment Offload accesses the TCP header in the packet. If the
packet is too short we must not attempt to access header fields:
tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
This is 6/7 qemu traditional XSA-140 CVE-2015-5165
Conflicts:
added "(qemu traditional)" to the patch subject line
tools/qemu-xen-traditional-dir/hw/rtl8139.c
different patch context
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21537082]
{CVE-2015-5165}
[4.1.3-25.el5.127.66]
- rtl8139: check IP Total Length field (qemu traditional)
The IP Total Length field includes the IP header and data. Make sure it
is valid and does not exceed the Ethernet payload size.
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
This is 5/7 qemu traditional XSA-140 CVE-2015-5165
Conflicts:
added "(qemu traditional)" to the patch subject line
tools/qemu-xen-traditional-dir/hw/rtl8139.c
different patch context
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21537082]
{CVE-2015-5165}
[4.1.3-25.el5.127.65]
- rtl8139: check IP Header Length field (qemu traditional)
The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
This is 4/7 qemu traditional XSA-140 CVE-2015-5165
Conflicts:
added "(qemu traditional)" to the patch subject line
tools/qemu-xen-traditional-dir/hw/rtl8139.c
different patch context
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21537082]
{CVE-2015-5165}
[4.1.3-25.el5.127.64]
- rtl8139: skip offload on short Ethernet/IP header (qemu traditional)
Transmit offload features access Ethernet and IP headers in the packet. If
the packet is too short we must not attempt to access header fields:
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
...
eth_payload_data = saved_buffer + ETH_HLEN;
...
ip = (ip_header*)eth_payload_data;
if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
This is 3/7 qemu traditional XSA-140 CVE-2015-5165
Conflicts:
added "(qemu traditional)" to the patch subject line
tools/qemu-xen-traditional-dir/hw/rtl8139.c
different patch context
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21537082]
{CVE-2015-5165}
[4.1.3-25.el5.127.63]
- rtl8139: drop tautologous if (ip) {...} statement (qemu traditional)
The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.
Remove the if statement to reduce nesting.
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
This is 2/7 qemu traditional XSA-140 CVE-2015-5165
Conflicts:
added "(qemu traditional)" to the patch subject line
tools/qemu-xen-traditional-dir/hw/rtl8139.c
DPRINTF() changed to DEBUG_PRINT()
args to rtl8139_transfer_frame()
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21537082]
{CVE-2015-5165}
[4.1.3-25.el5.127.62]
- rtl8139: avoid nested ifs in IP header parsing (qemu traditional)
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Blind-porting to Xen 4.1.4 by Sebastian Pipping <sebastian at pipping.org>
This is 1/7 qemu traditional XSA-140 CVE-2015-5165
Conflicts:
added "(qemu traditional)" to the patch subject line
replaced incorrect 3/7 patch comment block with 1/7
tools/qemu-xen-traditional-dir/hw/rtl8139.c
DPRINTF() changed to DEBUG_PRINT()
Acked-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 21537082]
{CVE-2015-5165}
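The seven rtl8139 patches above each add one length check before transmit offload reads a header field. As an added example (not Xen or QEMU code), the C function below collects those checks in the order the series applies them, with a small harness that builds a constructed Ethernet/IPv4/TCP frame; the constants are standard header sizes and the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the Xen/QEMU rtl8139 code: the XSA-140 length checks
 * that must pass before offload touches Ethernet, IP or TCP header fields. */
#define ETH_HLEN    14
#define IP_HDR_MIN  20
#define TCP_HDR_MIN 20

/* Returns 1 if offload may parse this frame, 0 if offload must be skipped. */
static int offload_headers_ok(const uint8_t *f, size_t len)
{
    if (len < ETH_HLEN + IP_HDR_MIN)            /* 3/7: short Eth/IP header */
        return 0;
    if (((f[12] << 8) | f[13]) != 0x0800)       /* EtherType must be IPv4 */
        return 0;
    const uint8_t *ip = f + ETH_HLEN;
    size_t eth_payload_len = len - ETH_HLEN;
    if ((ip[0] >> 4) != 4) return 0;            /* IP version field */
    size_t hlen = (ip[0] & 0x0f) * 4;           /* 4/7: IHL, always checked */
    if (hlen < IP_HDR_MIN || hlen > eth_payload_len)
        return 0;
    size_t ip_len = (ip[2] << 8) | ip[3];       /* 5/7: IP Total Length */
    if (ip_len < hlen || ip_len > eth_payload_len)
        return 0;
    if (ip[9] != 6) return 1;                   /* not TCP: no TCP checks */
    size_t ip_data_len = ip_len - hlen;
    if (ip_data_len < TCP_HDR_MIN)              /* 6/7: short TCP header */
        return 0;
    size_t tcp_hlen = (ip[hlen + 12] >> 4) * 4; /* 7/7: TCP Data Offset */
    if (tcp_hlen < TCP_HDR_MIN || tcp_hlen > ip_data_len)
        return 0;
    return 1;
}

/* Constructed harness: builds a zeroed frame with the given IHL (words),
 * IP Total Length, TCP Data Offset (words) and on-wire length, then checks it. */
static int check_constructed_frame(unsigned ihl_words, unsigned total_len,
                                   unsigned doff_words, size_t frame_len)
{
    uint8_t buf[128] = {0};
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[14] = (uint8_t)(0x40 | (ihl_words & 0x0f)); /* version 4 + IHL */
    buf[16] = (uint8_t)(total_len >> 8); buf[17] = (uint8_t)total_len;
    buf[23] = 6;                                    /* protocol = TCP */
    buf[14 + ihl_words * 4 + 12] = (uint8_t)(doff_words << 4);
    return frame_len <= sizeof buf ? offload_headers_ok(buf, frame_len) : 0;
}
```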
[4.1.3-25.el5.127.61]
- x86: limit checks in hypercall_xlat_continuation() to actual arguments
HVM/PVH guests can otherwise trigger the final BUG_ON() in that
function by entering 64-bit mode, setting the high halves of affected
registers to non-zero values, leaving 64-bit mode, and issuing a
hypercall that might get preempted and hence become subject to
continuation argument translation (HYPERVISOR_memory_op being the only
one possible for HVM, PVH also having the option of using
HYPERVISOR_mmuext_op). This issue got introduced when HVM code was
switched to use compat_memory_op() - neither that nor
hypercall_xlat_continuation() were originally intended to be used by
other than PV guests (which can't enter 64-bit mode and hence have no
way to alter the high halves of 64-bit registers).
This is CVE-2014-8866 / XSA-111.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Tim Deegan <tim at xen.org>
master commit: 0ad715304b04739fd2fc9517ce8671d3947c7621
master date: 2014-11-27 14:00:23 +0100
Signed-off-by: Zhenzhong Duan <zhenzhong.duan at oracle.com> [bug 20361761] {CVE-2014-8866}