[Oraclevm-errata] OVMSA-2017-0148 Important: Oracle VM 3.3 xen security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Thu Aug 31 15:18:04 PDT 2017


Oracle VM Security Advisory OVMSA-2017-0148

The following updated rpms for Oracle VM 3.3 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.3.0-55.el6.186.45.x86_64.rpm
xen-tools-4.3.0-55.el6.186.45.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/xen-4.3.0-55.el6.186.45.src.rpm



Description of changes:

[4.3.0-55.el6.186.45]
- From: Jan Beulich <jbeulich at suse.com>
   Subject: gnttab: correct pin status fixup for copy
   Regardless of copy operations only setting GNTPIN_hst*, GNTPIN_dev*
   also need to be taken into account when deciding whether to clear
   _GTF_{read,writ}ing. At least for consistency with code elsewhere the
   read part better doesn't use any mask at all.
   This is XSA-230.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 26224363] {CVE-2017-12855}

[4.3.0-55.el6.186.44]
- From: Andrew Cooper <andrew.cooper3 at citrix.com>
   Subject: grant_table: Default to v1, and disallow transitive grants
   The reference counting and locking discipline for transitive grants is
   broken.
   Their use is therefore declared out of security support.
   This is XSA-226.
   Transitive grants are expected to be unconditionally available with grant
   table v2.  Hiding transitive grants alone is an ABI breakage for the guest.
   Modern versions of Linux and the Windows PV drivers use grant table v1, but
   older versions did use v2.
   In principle, disabling gnttab v2 entirely is the safer way to cause guests
   to avoid using transitive grants. However, some older guests which defaulted
   to using gnttab v2 don't tolerate falling back from v2 to v1 over migrate.
   This patch introduces a new command line option to control grant table
   behaviour.  One suboption allows a choice of the maximum grant table version
   Xen will allow the guest to use, and defaults to v2.  A different suboption
   independently controls whether transitive grants can be used.
   The default case is:
   gnttab=max_ver:2
   To disable gnttab v2 entirely, use:
   gnttab=max_ver:1
   To allow gnttab v2 and transitive grants, use:
   gnttab=max_ver:2,transitive
   Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Conflict:
   docs/misc/xen-command-line.markdown
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 26567225] {CVE-2017-12135}

[4.3.0-55.el6.186.43]
- Revert wrong fix for xsa226 [bug 26567225]

[4.3.0-55.el6.186.42]
- From 3aab881c7331cf93ffd8d2f2dd9adfd18ed4fc99 Mon Sep 17 00:00:00 2001
   From: Andrew Cooper <andrew.cooper3 at citrix.com>
   Date: Tue, 20 Jun 2017 19:18:54 +0100
   Subject: [PATCH] x86/grant: Disallow misaligned PTEs
   Pagetable entries must be aligned to function correctly.  Disallow attempts
   from the guest to have a grant PTE created at a misaligned address, which
   would result in corruption of the L1 table with largely-guest-controlled
   values.
   This is XSA-227
   Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Reviewed-by: Jan Beulich <jbeulich at suse.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 26201029] {CVE-2017-12137}

[4.3.0-55.el6.186.41]
- Prerequisite patch for xsa227-4.5.patch
   There is no macro ASSERT_UNREACHABLE before OVM3.4 which is needed by
   xsa227-4.5.patch
   This chunk is picked from upstream commit cacdb0faaa121ac8f792d5bd34cc6bc7c72d21da
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 26201029] {CVE-2017-12137}

[4.3.0-55.el6.186.40]
- From: Jan Beulich <jbeulich at suse.com>
   Subject: gnttab: don't use possibly unbounded tail calls
   There is no guarantee that the compiler would actually translate them
   to branches instead of calls, so only ones with a known recursion limit
   are okay:
   - __release_grant_for_copy() can call itself only once, as
   __acquire_grant_for_copy() won't permit use of multi-level transitive
   grants,
   - __acquire_grant_for_copy() is fine to call itself with the last
   argument false, as that prevents further recursion,
   - __acquire_grant_for_copy() must not call itself to recover from an
   observed change to the active entry's pin count
   This is XSA-226.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com>
   Reviewed-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> [bug 26567225] {CVE-2017-12135}

[4.3.0-55.el6.186.39]
- From 69549b08eb9bd3a525c07a97d952673a3d02c76a Mon Sep 17 00:00:00 2001
   From: Annie Li <annie.li at oracle.com>
   Date: Fri, 7 Jul 2017 14:36:08 -0400
   Subject: [PATCH] xen: increase default max grant frames and max maptrack
   frames
   Commit 9dfba034e increased default max grant frames to 128 which is
   still not enough when the guest has more cpus and vbd/vif devices,
   so set it to 256. Also the default max maptrack frames needs to be
   increased accordingly.
   Signed-off-by: Annie Li <annie.li at oracle.com>
   Acked-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
   Acked-by: Adnan Misherfi <adnan.misherfi at oracle.com>
   Backported-by: Zhenzhong Duan <zhenzhong.duan at oracle.com> [bug 26412357]
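
An added example, not part of the advisory or of the Xen patch: a POSIX shell function that reports the grant-table policy implied by a Xen command line, using only the `gnttab=` suboptions described in the 4.3.0-55.el6.186.44 entry above. The sample command lines are constructed, and applying repeated `gnttab=` occurrences left to right is an assumption.

```shell
#!/bin/sh
# Added example: audit a Xen hypervisor command line for the gnttab= option.
# Only the suboptions named in the advisory are recognised (max_ver:<n> and
# transitive); anything else is reported as unknown rather than guessed at.
# Assumption: repeated gnttab= occurrences are applied left to right.

gnttab_policy() {
    max_ver=2       # default per the advisory: gnttab=max_ver:2
    transitive=no   # transitive grants stay off unless explicitly requested
    unknown=""

    for tok in $1; do
        case $tok in
            gnttab=*) ;;
            *) continue ;;
        esac
        old_ifs=$IFS
        IFS=,
        for sub in ${tok#gnttab=}; do
            case $sub in
                max_ver:[12]) max_ver=${sub#max_ver:} ;;
                transitive)   transitive=yes ;;
                *)            unknown="$unknown $sub" ;;
            esac
        done
        IFS=$old_ifs
    done

    # Transitive grants are a grant table v2 feature, so capping guests
    # at v1 makes the transitive suboption moot.
    if [ "$max_ver" -lt 2 ]; then
        transitive=no
    fi

    echo "max_ver=$max_ver transitive=$transitive${unknown:+ unknown=${unknown# }}"
}

# Constructed sample command lines (not taken from any real host).
for cmdline in \
    "dom0_mem=2048M console=com1" \
    "dom0_mem=2048M gnttab=max_ver:1" \
    "dom0_mem=2048M gnttab=max_ver:2,transitive"
do
    printf '%-45s -> %s\n' "$cmdline" "$(gnttab_policy "$cmdline")"
done
```

A result of `transitive=yes` means the host permits a feature the XSA-226 changelog entry declares out of security support. On a live host the string to check is the hypervisor's boot command line, for example the `xen_commandline` field of `xl info` where the xl toolstack is in use.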



