OracleVM 3.1 : xen (OVMSA-2012-0034)
Medium Nessus Plugin ID 79479
Synopsis
The remote OracleVM host is missing one or more security updates.
Description
The remote OracleVM system is missing necessary patches to address critical security updates:
- Xen Security Advisory CVE-2012-3433 / XSA-11: HVM guest destroy p2m teardown host DoS vulnerability
  An HVM guest is able to manipulate its physical address space such that tearing down the guest takes an extended period of time searching for shared pages. This causes the domain 0 VCPU which tears down the domain to be blocked in the destroy hypercall. This causes that domain 0 VCPU to become unavailable and may cause the domain 0 kernel to panic. There is no requirement for memory sharing to be in use. From the patch description:
xen: only check for shared pages while any exist on teardown
Avoids worst case behaviour when guest has a large p2m. This is XSA-11 / CVE-2012-nnn
- Xen Security Advisory XSA-10: HVM guest user mode MMIO emulation DoS vulnerability
  Internal data of the emulator for MMIO operations may, under certain rare conditions, at the end of one emulation cycle be left in a state affecting a subsequent emulation such that this second emulation would fail, causing an exception to be reported to the guest kernel where none is expected.
NOTE: No CVE number! The patch description is as follows:
x86/hvm: don't leave emulator in inconsistent state
The fact that handle_mmio, and thus the instruction emulator, is being run through twice for emulations that require involvement of the device model, allows for the second run to see a different guest state than the first one. Since only the MMIO-specific emulation routines update the vCPU's io_state, if they get invoked on the second pass, internal state (and particularly this variable) can be left in a state making successful emulation of a subsequent MMIO operation impossible.
Consequently, whenever the emulator invocation returns without requesting a retry of the guest instruction, reset io_state.
- Add 'allowhugepage' flag as a synonym for 'allowsuperpage' for compatibility with previous releases.
Solution
Update the affected xen / xen-devel / xen-tools packages.