OracleVM 3.2 : xen (OVMSA-2017-0178)

high Nessus Plugin ID 105251

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016 15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit a guest to populate PoD pages for itself PoD is supposed to be entirely transparent to guest, but this interface has been left exposed for a long time. The use of PoD requires careful co-ordination by the toolstack with the XENMEM_[get,set]_pod_target hypercalls, and xenstore ballooning target. The best a guest can do without toolstack cooperation crash. Furthermore, there are combinations of features (e.g. c/s c63868ff 'libxl:
disallow PCI device assignment for HVM guest when PoD is enabled') which a toolstack might wish to explicitly prohibit (in this case, because the two simply don't function in combination). In such cases, the guest mustn't be able to subvert the configuration chosen by the toolstack.

Conflict: xen/common/memory.c

- Due to the history performance reason, we decide to disable PoD feature in old OVM product. Please don't set maxmem>memory XSA-246,XSA-247 [bug 27120669] (CVE-2017-17044, CVE-2017-17045)

- x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379) introduced a change in behaviour for sh_guest_wrmap, where it had to cope with no shadow linear mapping being present. As the name suggests, guest_vtable is a mapping of the guests pagetable, not Xen's pagetable, meaning that it isn't the pagetable we need to check for the shadow linear slot in. The practical upshot is that a shadow HVM vcpu which switches into 4-level paging mode, with an L4 pagetable that contains a mapping which aliases Xen's SH_LINEAR_PT_VIRT_START will fool the safety check for whether a SHADOW_LINEAR mapping is present. As the check passes (when it should have failed), Xen subsequently falls over the missing mapping with a pagefault such as:
(XEN) Pagetable walk from ffff8140a0503880: (XEN) L4[0x102] = 000000046c218063 ffffffffffffffff (XEN) L3[0x102] = 000000046c218063 ffffffffffffffff (XEN) L2[0x102] = 000000046c218063 ffffffffffffffff (XEN) L1[0x103] = 0000000000000000 ffffffffffffffff This is part of XSA-243. (CVE-2017-15592)

- dpci: Fix a race during unbinding of MSI interrupt The check of hvm_irq_dpci->mapping and read of flags are not protected in same critical area, so the unbind of MSI interrupt may intercepts between them. Like below scene:
CPU0 CPU1

---- ---- hvm_do_IRQ_dpci !test_bit(mirq, dpci->mapping)) return 0 spin_lock(&d->event_lock) hvm_irq_dpci->mirq[machine_gsi].flags = 0 clear_bit(machine_gsi, hvm_irq_dpci->mapping) spin_unlock(&d->event_lock) <SoftIRQ> hvm_dirq_assist spin_lock(&d->event_lock) if ( pt_irq_need_timer(hvm_irq_dpci->mirq[pirq].flags)) set_timer spin_unlock(&d->event_lock) Then set_timer is mistakenly called which access uninitialized timer struct. Then page fault happen and a backtrace like below: (XEN) Xen call trace: (XEN) [<ffff82c480124c92>] set_timer+0x92/0x170 (XEN) [<ffff82c48013bb03>] hvm_dirq_assist+0x1c3/0x1e0 (XEN) [<ffff82c4801235ff>] do_tasklet_work_percpu+0x7f/0x120 (XEN) [<ffff82c480121915>] __do_softirq+0x65/0x90 (XEN) [<ffff82c4801f7fb6>] process_softirqs+0x6/0x10 (XEN) (XEN) Pagetable walk from 0000000000000008: (XEN) L4[0x000] = 0000002104cc1067 0000000000289430 (XEN) L3[0x000] = 000000212ecd8067 00000000002b3447 (XEN) L2[0x000] = 0000000000000000 ffffffffffffffff (XEN) (XEN) **************************************** (XEN) Panic on CPU 41: (XEN) FATAL PAGE FAULT (XEN) [error_code=0002] (XEN) Faulting linear address:
0000000000000008 (XEN)
**************************************** This issue is OVM3.2 only as OVM3.3 or above already has similar fix in pt_pirq_iterate

Solution

Update the affected xen / xen-devel / xen-tools packages.

See Also

http://www.nessus.org/u?88e7e3ea

Plugin Details

Severity: High

ID: 105251

File Name: oraclevm_OVMSA-2017-0178.nasl

Version: 3.6

Type: local

Published: 12/14/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:xen, p-cpe:/a:oracle:vm:xen-devel, p-cpe:/a:oracle:vm:xen-tools, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/13/2017

Vulnerability Publication Date: 10/18/2017

Reference Information

CVE: CVE-2017-15592, CVE-2017-17044, CVE-2017-17045