OracleVM 3.2 : xen (OVMSA-2017-0159)

high Nessus Plugin ID 104138

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- The code of OVM3.2.9 is quite old; there is no get_page/put_page pair to protect the ownership and references of the page table page which is mapped in emulate_map_dest. This patch fixes it by adding get_page in emulate_gva_to_mfn to match put_page in xsa219-4.5.patch so that it works.

- From: Jan Beulich
  Subject: gnttab: also validate PTE permissions upon destroy/replace
  In order for PTE handling to match up with the reference counting done by common code, presence and writability of grant mapping PTEs must also be taken into account; validating just the frame number is not enough. This is in particular relevant if a guest fiddles with grant PTEs via non-grant hypercalls. Note that the flags being passed to replace_grant_host_mapping already happen to be those of the existing mapping, so no new function parameter is needed. This is XSA-234.

- From: Juergen Gross
  Subject: tools/xenstore: don't unlink connection object twice
  A connection object of a domain with associated stubdom has two parents: the domain and the stubdom. When cleaning up the list of active domains in domain_cleanup, make sure not to unlink the connection twice from the same domain. This could happen when the domain and its stubdom are being destroyed at the same time, leading to the domain loop being entered twice. Additionally, don't use talloc_free in this case as it will remove a random parent link, leading eventually to a memory leak. Use talloc_unlink instead, specifying the context from which the connection object should be removed. This is XSA-233.

- From: George Dunlap
  Subject: xen/mm: make sure node is less than MAX_NUMNODES
  The output of MEMF_get_node(memflags) can be as large as nodeid_t can hold (currently 255). This is then used as an index to arrays of size MAX_NUMNODE, which is 64 on x86 and 1 on ARM, can be passed in by an untrusted guest (via memory_exchange and increase_reservation) and is not currently bounds-checked. Check the value in page_alloc.c before using it, and also check the value in the hypercall call sites and return -EINVAL if appropriate. Don't permit domains other than the hardware or control domain to allocate node-constrained memory. This is XSA-231.

Conflict: xen/common/memory.c Use IS_PRIV instead of is_hardware_domain and is_control_domain in original patch.

Solution

Update the affected xen / xen-devel / xen-tools packages.

See Also

http://www.nessus.org/u?6376c0c5

Plugin Details

Severity: High

ID: 104138

File Name: oraclevm_OVMSA-2017-0159.nasl

Version: 3.3

Type: local

Published: 10/25/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:xen, p-cpe:/a:oracle:vm:xen-devel, p-cpe:/a:oracle:vm:xen-tools, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Patch Publication Date: 10/24/2017

Vulnerability Publication Date: 10/24/2017