OracleVM 3.2 : xen (OVMSA-2015-0058) (Venom)

High Nessus Plugin ID 83483


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- force the fifo access to be in bounds of the allocated buffer. This is CVE-2015-3456. [bug 21078935] (CVE-2015-3456)

- xen: limit guest control of PCI command register. Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126.

Conflicts: tools/ioemu-remote/hw/pass-through.c (CVE-2015-2756)

- Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less). Said hypercall for large BARs can take quite a while. As such we can require that the hypercall MUST break up the request in smaller values. Another approach is to add preemption to it - whether we do the preemption using hypercall_create_continuation or returning EAGAIN to userspace (and have it re-invocate the call) - either way the issue we cannot easily solve is that in 'map_mmio_regions' if we encounter an error we MUST call 'unmap_mmio_regions' for the whole BAR region. Since the preemption would re-use input fields such as nr_mfns, first_gfn, first_mfn - we would lose the original values - and only undo what was done in the current round (i.e. ignoring anything that was done prior to earlier preemptions). Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but that puts a limit (since the return value is a long) on the amount of nr_mfns that can be provided. This patch sidesteps this problem by :

- Setting a hard limit of nr_mfns having to be 64 or less.

- Toolstack adjusts correspondingly to the nr_mfn limit.

- If there is an error when adding, the toolstack will call the remove operation to remove the whole region.

The need to break this hypercall down is for large BARs can take more than the guest (initial domain usually) time-slice. This has the negative result in that the guest is locked out for a long duration and is unable to act on any pending events. We also augment the code to return zero if nr_mfns instead of trying to the hypercall. Suggested-by: Jan Beulich

This is CVE-2015-2752 / XSA-125. Conflicts: xen/arch/x86/domctl.c (CVE-2015-2752)


Update the affected xen / xen-devel / xen-tools packages.

Plugin Details

Severity: High

ID: 83483

File Name: oraclevm_OVMSA-2015-0058.nasl

Version: $Revision: 2.13 $

Type: local

Published: 2015/05/15

Modified: 2017/02/17

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.7

Temporal Score: 6

Vector: CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:ND

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:xen, p-cpe:/a:oracle:vm:xen-devel, p-cpe:/a:oracle:vm:xen-tools, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/05/14

Exploitable With

Core Impact

Reference Information

CVE: CVE-2015-2752, CVE-2015-2756, CVE-2015-3456

BID: 72577, 73448, 74640

OSVDB: 120061, 120062, 122072

IAVA: 2015-A-0112