[Oraclevm-errata] OVMSA-2014-0001 Important: Oracle VM 3.2 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Thu Feb 13 09:44:40 PST 2014


Oracle VM Security Advisory OVMSA-2014-0001

The following updated rpms for Oracle VM 3.2 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.1.3-25.el5.88.3.x86_64.rpm
xen-devel-4.1.3-25.el5.88.3.x86_64.rpm
xen-tools-4.1.3-25.el5.88.3.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.88.3.src.rpm



Description of changes:

[4.1.3-25.el5.88.3]
- flask: restrict allocations done by hypercall interface
   Other than in 4.2 and newer, we're not having an overflow issue here,
   but uncontrolled exposure of the operations opens the host to be driven
   out of memory by an arbitrary guest. Since all operations other than
   FLASK_LOAD simply deal with ASCII strings, limiting the allocations
   (and incoming buffer sizes) to a page worth of memory seems like the
   best thing we can do.
   Consequently, in order to not expose the larger allocation to arbitrary
   guests, the permission check for FLASK_LOAD needs to be pulled ahead of
   the allocation (and it's perhaps worth noting that - afaict - it was
   pointlessly done with the sel_sem spin lock held).
   Note that this breaks FLASK_AVC_CACHESTATS on systems with sufficiently
   many CPUs (as requiring a buffer bigger than PAGE_SIZE there). No
   attempt is made to address this here, as it would needlessly complicate
   this fix with rather little gain.
   This is XSA-84.
   Reported-by: Matthew Daley <mattd at bugfuzz.com>
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   The index of boolean variables in FLASK_{GET,SET}BOOL was not always
   checked against the bounds of the array.
   Reported-by: John McDermott <john.mcdermott at nrl.navy.mil>
   Signed-off-by: Daniel De Graaf <dgdegra at tycho.nsa.gov>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 18205362] {CVE-2014-1892,CVE-2014-1893}

[4.1.3-25.el5.88.2]
- libxc: Fix out-of-memory error handling in xc_cpupool_getinfo()
   Avoid freeing info then returning it to the caller.
   This is XSA-88.
   Coverity-ID: 1056192
   Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Reviewed-by: Jan Beulich <jbeulich at suse.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
   Reviewed-by: John Haxby <john.haxby at oracle.com> [bug 18206135] {CVE-2014-XXXX}
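
The check ordering described in the 4.1.3-25.el5.88.3 entry above, as an added example that is not Xen or Oracle code: the permission check runs before the only allocation that may exceed a page, every other operation is capped at one page, and the boolean index is bounds-checked. `handle_op`, the op codes, the returned error values, the 4096-byte page size and the four-entry boolean array are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096u   /* assumed page size */
#define NUM_BOOLS 4       /* constructed policy with four booleans */
enum op { OP_LOAD, OP_GETBOOL, OP_SETBOOL };   /* hypothetical op codes */

static int bool_values[NUM_BOOLS];
static size_t last_alloc;   /* bytes allocated by the last call, for inspection */

/* Hypothetical stand-in for the security-server permission check. */
static int may_load_policy(int privileged) { return privileged; }

/* buf, size and index come from the untrusted caller. */
int handle_op(enum op op, int privileged, const char *buf, size_t size,
              int index, int value)
{
    char *copy;
    int rc = 0;

    last_alloc = 0;
    if (op == OP_LOAD) {
        /* Permission first: unprivileged callers never reach the large allocation. */
        if (!may_load_policy(privileged))
            return -EPERM;
        if (size == SIZE_MAX)        /* size + 1 below must not wrap */
            return -EINVAL;
    } else if (size > PAGE_SIZE) {
        return -EINVAL;              /* other ops carry short strings: cap at a page */
    }
    copy = malloc(size + 1);
    if (copy == NULL)
        return -ENOMEM;
    if (size)
        memcpy(copy, buf, size);
    copy[size] = '\0';
    last_alloc = size + 1;
    if (op == OP_GETBOOL || op == OP_SETBOOL) {
        if (index < 0 || index >= NUM_BOOLS)   /* bounds check before array access */
            rc = -ENOENT;
        else if (op == OP_SETBOOL)
            bool_values[index] = !!value;
        else
            rc = bool_values[index];
    }
    free(copy);
    return rc;
}
```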



