Security update for Xen

SUSE Security Update: Security update for Xen
Announcement ID: SUSE-SU-2014:0372-1
Rating: important
References: #831120 #833483 #842417 #846849 #848014 #849667 #849668 #853049 #860163 #860302 #861256
Affected Products:
  • SUSE Linux Enterprise Server 11 SP2 LTSS

  • An update that solves 10 vulnerabilities and has one erratum is now available.


    The SUSE Linux Enterprise Server 11 Service Pack 2 LTSS Xen
    hypervisor and toolset has been updated to fix various
    security issues and several bugs.

    The following security issues have been addressed:


    XSA-88: CVE-2014-1950: Use-after-free vulnerability in
    the xc_cpupool_getinfo function in Xen 4.1.x through
    4.3.x: when used from a multithreaded toolstack, the
    function does not properly handle a failure of
    xc_cpumap_alloc, which allows local users with access to
    management functions to cause a denial of service (heap
    corruption) and possibly gain privileges via unspecified
    vectors.


    XSA-87: CVE-2014-1666: The do_physdev_op function in
    Xen 4.1.5, 4.2.2 through 4.2.3, and 4.3.x does not
    properly restrict access to the (1) PHYSDEVOP_prepare_msix
    and (2) PHYSDEVOP_release_msix operations, which allows
    local PV guests to cause a denial of service (host or guest
    malfunction) or possibly gain privileges via unspecified
    vectors. (bnc#860302)


    XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL,
    FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the
    flask hypercall are vulnerable to an integer overflow on
    the input size. The hypercalls attempt to allocate a buffer
    which is 1 larger than this size; a maximum-value size
    therefore wraps to zero, and the hypervisor allocates and
    then accesses a zero-byte buffer. (bnc#860163)


    XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through
    4.1, while not affected by the above overflow, have a
    different overflow issue in FLASK_{GET,SET}BOOL and expose
    an unreasonably large memory allocation to arbitrary
    guests.


    XSA-84: CVE-2014-1894: Xen 3.2 (and presumably
    earlier) exhibits both problems, with the overflow issue
    being present for more than just the suboperations listed
    above. (bnc#860163)
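    The "input size + 1" pattern behind XSA-84, as an added example written for this page (it is not Xen's code): a vulnerable size computation that wraps to zero for a 32-bit maximum length, next to a hardened variant that bounds the guest-supplied length before doing arithmetic on it. The function names, the 4096-byte ceiling and the sample request are hypothetical.

```c
/* Added example, not Xen's code: the "input size + 1" integer overflow described
 * for XSA-84 (CVE-2014-1891), next to a hardened variant. All names, the 4096
 * ceiling and the sample request are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FLASK_LIKE_MAX_LEN 4096u   /* hypothetical sane upper bound on a guest-supplied length */

/* Vulnerable computation: the guest supplies a 32-bit size and the "+ 1" for a
 * terminating NUL is done in the same 32-bit width, so 0xFFFFFFFF wraps to 0 and
 * a zero-byte buffer would be allocated, then written past. */
uint32_t alloc_size_vulnerable(uint32_t guest_len)
{
    return guest_len + 1;
}

/* Hardened computation: bound the length *before* doing arithmetic on it, and
 * widen to size_t. The bound also removes the "unreasonably large allocation"
 * problem (CVE-2014-1892/1893), since a guest can no longer request gigabytes. */
int alloc_size_checked(uint32_t guest_len, size_t *out)
{
    if (guest_len > FLASK_LIKE_MAX_LEN)
        return -1;
    *out = (size_t)guest_len + 1;
    return 0;
}

/* Hardened handler: copies a guest string into a freshly allocated,
 * NUL-terminated buffer of the checked size and hands it back through dst.
 * Returns 0 on success, -1 if the request is rejected. */
int flask_like_op_checked(const uint8_t *guest_buf, uint32_t guest_len,
                          char *dst, size_t dst_cap)
{
    size_t need;
    if (alloc_size_checked(guest_len, &need) != 0 || need > dst_cap)
        return -1;
    char *buf = malloc(need);
    if (buf == NULL)
        return -1;
    memcpy(buf, guest_buf, guest_len);
    buf[guest_len] = '\0';
    memcpy(dst, buf, need);
    free(buf);
    return 0;
}

int main(void)
{
    static const uint8_t req[] = { 'b', 'o', 'o', 'l', '1' };   /* constructed guest input */
    char out[64];

    printf("vulnerable size for len=0xFFFFFFFF: %u\n", alloc_size_vulnerable(UINT32_MAX));
    if (flask_like_op_checked(req, (uint32_t)sizeof req, out, sizeof out) == 0)
        printf("checked handler, len=%zu: \"%s\"\n", sizeof req, out);
    printf("checked handler, len=0xFFFFFFFF: rc=%d\n",
           flask_like_op_checked(req, UINT32_MAX, out, sizeof out));
    return 0;
}
```

    The check is placed on the untrusted length itself rather than on the result of the addition: comparing `guest_len + 1` against a limit would already be operating on the wrapped value.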


    XSA-82: CVE-2013-6885: The microcode on AMD family 16h
    processors (models 00h through 0Fh) does not properly
    handle the interaction between locked instructions and
    write-combined memory types, which allows local users to
    cause a denial of service (system hang) via a crafted
    application, aka the erratum 793 issue. (bnc#853049)


    XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x,
    4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does
    not properly prevent access to hypercalls, which allows
    local guest users to gain privileges via a crafted
    application running in ring 1 or 2. (bnc#849668)


    XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist
    hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does
    not always obtain the page_alloc_lock and mm_rwlock in the
    same order, which allows local guest administrators to
    cause a denial of service (host deadlock). (bnc#849667)
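    The class of bug behind XSA-74 is two code paths taking the same pair of locks in opposite orders, so that two CPUs can each hold one and wait for the other. The following is an added example for this page, not Xen's code: a minimal lock-rank tracker (the idea behind tools such as Linux lockdep) that assigns every lock a rank and flags any acquisition that violates the global order. The ranks, path names and the choice of page_alloc_lock before mm_rwlock are hypothetical.

```c
/* Added example, not Xen's code: a lock-rank tracker that flags the class of
 * bug behind XSA-74 (two locks taken in different orders on different paths).
 * Ranks, path names and the order chosen are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical global order: page_alloc_lock must always be taken before mm_rwlock. */
enum lock_rank { RANK_PAGE_ALLOC = 1, RANK_MM_RWLOCK = 2 };

#define MAX_HELD 8

struct lock_tracker {
    int held[MAX_HELD];   /* ranks currently held, in acquisition order */
    size_t nheld;
    int violations;       /* out-of-order acquisitions or releases seen so far */
};

/* Record an acquisition. It is a violation if any held lock has a rank >= the
 * new one: either the order is inverted (a deadlock candidate against a path
 * that uses the correct order) or the same lock is being re-taken. */
bool tracker_acquire(struct lock_tracker *t, int rank)
{
    bool ok = true;
    for (size_t i = 0; i < t->nheld; i++)
        if (t->held[i] >= rank)
            ok = false;
    if (!ok)
        t->violations++;
    if (t->nheld < MAX_HELD)
        t->held[t->nheld++] = rank;
    return ok;
}

/* Releases must be LIFO for this simple tracker; anything else is flagged. */
bool tracker_release(struct lock_tracker *t, int rank)
{
    if (t->nheld == 0 || t->held[t->nheld - 1] != rank) {
        t->violations++;
        return false;
    }
    t->nheld--;
    return true;
}

/* A getmemlist-style path that takes mm_rwlock first. Run concurrently with a
 * path using the correct order, each CPU ends up waiting for the lock the other
 * holds: the host deadlock the advisory describes. Returns the violation count. */
int path_inverted_order(void)
{
    struct lock_tracker t = {0};
    tracker_acquire(&t, RANK_MM_RWLOCK);
    tracker_acquire(&t, RANK_PAGE_ALLOC);   /* flagged: rank 1 taken after rank 2 */
    tracker_release(&t, RANK_PAGE_ALLOC);
    tracker_release(&t, RANK_MM_RWLOCK);
    return t.violations;
}

/* The corrected path: same two locks, fixed order, no cycle possible. */
int path_fixed_order(void)
{
    struct lock_tracker t = {0};
    tracker_acquire(&t, RANK_PAGE_ALLOC);
    tracker_acquire(&t, RANK_MM_RWLOCK);
    tracker_release(&t, RANK_MM_RWLOCK);
    tracker_release(&t, RANK_PAGE_ALLOC);
    return t.violations;
}

int main(void)
{
    printf("inverted order: %d violation(s)\n", path_inverted_order());
    printf("fixed order:    %d violation(s)\n", path_fixed_order());
    return 0;
}
```

    A rank check of this kind catches the inversion on the first single-threaded run of the offending path, without needing the racing second CPU that an actual deadlock requires.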


    XSA-60: CVE-2013-2212: The vmx_set_uc_mode function
    in Xen 3.3 through 4.3, when disabling caches, allows
    local HVM guests with access to memory mapped I/O regions
    to cause a denial of service (CPU consumption and possibly
    hypervisor or guest kernel panic) via a crafted GFN range.

    Also the following non-security bugs have been fixed:

    * Boot failure with the Xen kernel in UEFI mode with the
    error "No memory for trampoline" (bnc#833483)
    * Fixed a Xen hypervisor panic on an 8-blade nPar with
    46-bit memory addressing (bnc#848014)
    * On HP's UEFI x86_64 platform running sles11sp3 with Xen,
    dom0 soft-locks up on a multi-blade nPar
    * Soft lockup with PCI passthrough and many VCPUs

    Security Issue references:

    * CVE-2013-2212
    * CVE-2013-4553
    * CVE-2013-4554
    * CVE-2013-6885
    * CVE-2014-1666
    * CVE-2014-1891
    * CVE-2014-1892
    * CVE-2014-1893
    * CVE-2014-1894
    * CVE-2014-1950


    Everyone using the Xen hypervisor should update.

    Special Instructions and Notes:

    Please reboot the system after installing this update.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11 SP2 LTSS:
      zypper in -t patch slessp2-xen-201402-8964

    To bring your system up-to-date, use "zypper patch".

    Package List:

    SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):
      • xen-devel-4.1.6_06-0.5.1
      • xen-kmp-default-4.1.6_06_3.0.101_0.7.17-0.5.1
      • xen-kmp-trace-4.1.6_06_3.0.101_0.7.17-0.5.1
      • xen-libs-4.1.6_06-0.5.1
      • xen-tools-domU-4.1.6_06-0.5.1

    SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64):
      • xen-4.1.6_06-0.5.1
      • xen-doc-html-4.1.6_06-0.5.1
      • xen-doc-pdf-4.1.6_06-0.5.1
      • xen-libs-32bit-4.1.6_06-0.5.1
      • xen-tools-4.1.6_06-0.5.1

    SUSE Linux Enterprise Server 11 SP2 LTSS (i586):
      • xen-kmp-pae-4.1.6_06_3.0.101_0.7.17-0.5.1