This security update fixes a number of security issues in Xen in wheezy.
For Debian 7 Wheezy, these problems have been fixed in version
4.1.6.1-1+deb7u1.
We recommend that you upgrade your libidn packages.
- CVE-2015-2752
The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x,
when using a PCI passthrough device, is not preemptable, which
allows local x86 HVM domain users to cause a denial of service (host
CPU consumption) via a crafted request to the device model
(qemu-dm).
- CVE-2015-2756
QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict
access to PCI command registers, which might allow local HVM guest
users to cause a denial of service (non-maskable interrupt and host
crash) by disabling the (1) memory or (2) I/O decoding for a PCI
Express device and then accessing the device, which triggers an
Unsupported Request (UR) response.
- CVE-2015-5165
The C+ mode offload emulation in the RTL8139 network card device
model in QEMU, as used in Xen 4.5.x and earlier, allows remote
attackers to read process heap memory via unspecified vectors.
- CVE-2015-5307
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x
through 4.6.x, allows guest OS users to cause a denial of service
(host OS panic or hang) by triggering many #AC (aka Alignment Check)
exceptions, related to svm.c and vmx.c.
- CVE-2015-7969
Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest
administrators or domains with certain permission to cause a denial
of service (memory consumption) via a large number of teardowns of
domains with the vcpu pointer array allocated using the (1)
XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer
array allocated using the (2) XENOPROF_get_buffer or (3)
XENOPROF_set_passive hypercall.
- CVE-2015-7970
The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen
3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86
HVM guest administrators to cause a denial of service (CPU
consumption and possibly reboot) via crafted memory contents that
triggers a “time-consuming linear scan,” related to
Populate-on-Demand.
- CVE-2015-7971
Xen 3.2.x through 4.6.x does not limit the number of printk console
messages when logging certain pmu and profiling hypercalls, which
allows local guests to cause a denial of service via a sequence of
crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly
handled in the do_xenoprof_op function in common/xenoprof.c, or (2)
HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in
the do_xenpmu_op function in arch/x86/cpu/vpmu.c.
- CVE-2015-7972
The (1) libxl_set_memory_target function in tools/libxl/libxl.c and
(2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen
3.4.x through 4.6.x do not properly calculate the balloon size when
using the populate-on-demand (PoD) system, which allows local HVM
guest users to cause a denial of service (guest crash) via
unspecified vectors related to “heavy memory pressure.”
- CVE-2015-8104
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x
through 4.6.x, allows guest OS users to cause a denial of service
(host OS panic or hang) by triggering many #DB (aka Debug)
exceptions, related to svm.c.
- CVE-2015-8339
The memory_exchange function in common/memory.c in Xen 3.2.x through
4.6.x does not properly hand back pages to a domain, which might
allow guest OS administrators to cause a denial of service (host
crash) via unspecified vectors related to domain teardown.
- CVE-2015-8340
The memory_exchange function in common/memory.c in Xen 3.2.x through
4.6.x does not properly release locks, which might allow guest OS
administrators to cause a denial of service (deadlock or host crash)
via unspecified vectors, related to XENMEM_exchange error handling.
- CVE-2015-8550
Xen, when used on a system providing PV backends, allows local guest
OS administrators to cause a denial of service (host OS crash) or
gain privileges by writing to memory shared between the frontend and
backend, aka a double fetch vulnerability.
- CVE-2015-8554
Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using
the qemu-xen-traditional (aka qemu-dm) device model, allows local
x86 HVM guest administrators to gain privileges by leveraging a
system with access to a passed-through MSI-X capable physical PCI
device and MSI-X table entries, related to a “write path.”
- CVE-2015-8555
Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86
FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage
guest extended register state, which allows local guest domains to
obtain sensitive information from other domains via unspecified
vectors.
- CVE-2015-8615
The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6
does not limit the number of printk console messages when logging
the new callback method, which allows local HVM guest OS users to
cause a denial of service via a large number of changes to the
callback method (HVM_PARAM_CALLBACK_IRQ).
- CVE-2016-1570
The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1,
and 4.1.x through 4.6.x allows local PV guests to obtain sensitive
information, cause a denial of service, gain privileges, or have
unspecified other impact via a crafted page identifier (MFN) to the
(1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the
HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to
page table updates.
- CVE-2016-1571
The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x
through 4.6.x, when using shadow mode paging or nested
virtualization is enabled, allows local HVM guest users to cause a
denial of service (host crash) via a non-canonical guest address in
an INVVPID instruction, which triggers a hypervisor bug check.
- CVE-2016-2270
Xen 4.6.x and earlier allows local guest administrators to cause a
denial of service (host reboot) via vectors related to multiple
mappings of MMIO pages with different cachability settings.
- CVE-2016-2271
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU,
allows local HVM guest users to cause a denial of service (guest
crash) via vectors related to a non-canonical RIP.