[Oraclevm-errata] OVMSA-2013-0085 Important: Oracle VM 3.2 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Fri Dec 6 09:18:09 PST 2013
Oracle VM Security Advisory OVMSA-2013-0085
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
xen-4.1.3-25.el5.88.x86_64.rpm
xen-devel-4.1.3-25.el5.88.x86_64.rpm
xen-tools-4.1.3-25.el5.88.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/xen-4.1.3-25.el5.88.src.rpm
Description of changes:
[4.1.3-25.el5.88]
- x86/HVM: only allow ring 0 guest code to make hypercalls
Anything else would allow for privilege escalation.
This is CVE-2013-4554 / XSA-76.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: Jerry Snitselaar <jerry.snitselaar at oracle.com> [bug
17822232] {CVE-2013-4554}
[4.1.3-25.el5.87]
- x86: restrict XEN_DOMCTL_getmemlist
Coverity ID 1055652
(See the code comment.)
This is CVE-2013-4553 / XSA-74.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Reviewed-by: Tim Deegan <tim at xen.org>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com>
Reviewed-by: Jerry Snitselaar <jerry.snitselaar at oracle.com> [bug
17821622] {CVE-2013-4553}
[4.1.3-25.el5.86]
- gnttab: update version 1 of xsa73-4.1.patch to version 3
Version 1 of xsa73-4.1.patch had an error:
bool_t drop_dom_ref = (e->tot_pages-- == 0);
should have been:
bool_t drop_dom_ref = (e->tot_pages-- == 1);
Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Consolidate error handling.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Keir Fraser <keir at xen.org>
Tested-by: Matthew Daley <mattjd at gmail.com>
Backported to Xen-4.1
Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug
17760875] {CVE-2013-4494}
[4.1.3-25.el5.85]
- Xen: Spread boot time page scrubbing across all available CPU's
Written by Malcolm Crossley <malcolm.crossley at citrix.com>
The page scrubbing is done in 256MB chunks in lockstep across all the
CPU's.
This allows for the boot CPU to hold the heap_lock whilst each chunk
is being
scrubbed and then release the heap_lock when all CPU's are finished
scrubing
their individual chunk. This allows for the heap_lock to not be held
continously and for pending softirqs are to be serviced periodically
across
all CPU's.
The page scrub memory chunks are allocated to the CPU's in a NUMA aware
fashion to reduce Socket interconnect overhead and improve performance.
This patch reduces the boot page scrub time on a 256GB 16 core AMD
Opteron
machine from 1 minute 46 seconds to 38 seconds.
Signed-off-by: Mukesh Rathor <mukesh.rathor at oracle.com> [bug 17723396]
[4.1.3-25.el5.84]
- gnttab: correct locking order reversal
Coverity ID 1087189
Correct a lock order reversal between a domains page allocation and grant
table locks.
This is XSA-73.
Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Consolidate error handling.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Keir Fraser <keir at xen.org>
Tested-by: Matthew Daley <mattjd at gmail.com>
Backported to Xen-4.1
Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug
17723396] {CVE-2013-4494}
[4.1.3-25.el5.83]
- piix4acpi, xen, hotplug: Fix race with ACPI AML code and hotplug.
This is a race so the amount varies but on a 4PCPU box
I seem to get only ~14 out of 16 vCPUs I want to online.
The issue at hand is that QEMU xenstore.c hotplug code changes
the vCPU array and triggers an ACPI SCI for each vCPU
online/offline change. That means we modify the array of vCPUs
as the guests ACPI AML code is reading it - resulting in
the guest reading the data only once and not changing the
CPU states appropiately.
The fix is to seperate the vCPU array changes from the ACPI SCI
notification. The code now will enumerate all of the vCPUs
and change the vCPU array if there is a need for a change.
If a change did occur then only _one_ ACPI SCI pulse is sent
to the guest. The vCPU array at that point has the online/offline
modified to what the user wanted to have.
Specifically, if a user provided this command:
xl vcpu-set latest 16
(guest config has vcpus=1, maxvcpus=32) QEMU and the guest
(in this case Linux) would do:
QEMU: Guest OS:
-xenstore_process_vcpu_set_event
-> Gets an XenBus notification for CPU1
-> Updates the gpe_state.cpus_state bitfield.
-> Pulses the ACPI SCI
- ACPI SCI kicks in
-> Gets an XenBus notification for CPU2
-> Updates the gpe_state.cpus_state bitfield.
-> Pulses the ACPI SCI
-> Gets an XenBus notification for CPU3
-> Updates the gpe_state.cpus_state bitfield.
-> Pulses the ACPI SCI
...
- Method(PRST) invoked
-> Gets an XenBus notification for CPU12
-> Updates the gpe_state.cpus_state bitfield.
-> Pulses the ACPI SCI
- reads AF00 for CPU state
[gets 0xff]
- reads AF02 [gets 0x7f]
-> Gets an XenBus notification for CPU13
-> Updates the gpe_state.cpus_state bitfield.
-> Pulses the ACPI SCI
.. until VCPU 16
- Method PRST updates
PR01 through 13 FLG
entry.
- PR01->PR13 _MAD
invoked.
- Brings up 13 CPUs.
While QEMU updates the rest of the cpus_state bitfields the ACPI AML
only does the CPU hotplug on those it had read.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
[v1: Use stack for the 'attr' instead of malloc/free]
Acked-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
Acked-by: George Dunlap <george.dunlap at eu.citrix.com> (for 4.3 release)
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 17504060]
[4.1.3-25.el5.82]
- piix4acpi, xen: Clarify that the qemu_set_irq calls just do an IRQ pulse.
The "qemu_cpu_notify" raises and lowers the ACPI SCI line when the
vCPU state has changed.
Instead of doing the two functions, just use one function that
describes exactly what it does.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 17504060]
[4.1.3-25.el5.81]
- piix4acpi, xen, vcpu hotplug: Split the notification from the changes.
This is a prepatory patch that splits the notification
of an vCPU change from the actual changes to the vCPU array.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 17504060]
[4.1.3-25.el5.80]
- Backported Carson's changes - Requests to connect on port 8003 with a
LOW/weak cipher are now rejected.
Signed-off-by: Carson Hovey [bug 17669909]
More information about the Oraclevm-errata
mailing list