SUSE-SU-2014:0372-1
Mar 14, 2014 - 12:04 a.m.

Security update for Xen (important)

2014-03-14 00:04:13
lists.opensuse.org

EPSS: 0.004 (Low), percentile 73.1%

The SUSE Linux Enterprise Server 11 Service Pack 2 LTSS Xen
hypervisor and toolset has been updated to fix various
security issues and several bugs.

The following security issues have been addressed:

XSA-88: CVE-2014-1950: Use-after-free vulnerability
in the xc_cpupool_getinfo function in Xen 4.1.x through
4.3.x, when using a multithreaded toolstack, does not
properly handle a failure by the xc_cpumap_alloc function,
which allows local users with access to management
functions to cause a denial of service (heap corruption)
and possibly gain privileges via unspecified vectors.
(bnc#861256)

XSA-87: CVE-2014-1666: The do_physdev_op function in
Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not
properly restrict access to the (1) PHYSDEVOP_prepare_msix
and (2) PHYSDEVOP_release_msix operations, which allows
local PV guests to cause a denial of service (host or guest
malfunction) or possibly gain privileges via unspecified
vectors. (bnc#860302)

XSA-84: CVE-2014-1894: Xen 3.2 (and presumably
earlier) exhibits both problems, with the overflow issue
being present for more than just the suboperations listed
for CVE-2014-1891. (bnc#860163)

XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through
4.1, while not affected by the overflow described for
CVE-2014-1891, have a different overflow issue in
FLASK_{GET,SET}BOOL and expose unreasonably large memory
allocations to arbitrary guests. (bnc#860163)

XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL,
FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the
flask hypercall are vulnerable to an integer overflow on
the input size. The hypercalls attempt to allocate a buffer
which is 1 larger than this size and is therefore
vulnerable to integer overflow and an attempt to allocate
then access a zero byte buffer. (bnc#860163)
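To illustrate the overflow class this entry describes, here is a small C model added to this page (it is not Xen's flask code; the names, the request-size type and the size cap are hypothetical): the flawed `size + 1` length computation beside a bounded version that checks the size before any arithmetic and also caps the allocation, which is the oversized-allocation concern the CVE-2014-1892/CVE-2014-1893 entry names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the XSA-84 (CVE-2014-1891) overflow class.
 * Not Xen's flask code; names and the cap below are hypothetical. */

typedef uint32_t guest_size_t;     /* size field as supplied by the guest */
#define FLASK_MAX_INPUT 4096u      /* hypothetical policy cap on request size */

/* Flawed pattern: size + 1 is computed in the guest-controlled width,
 * so a size of 0xFFFFFFFF yields a zero-byte allocation request, and
 * the subsequent copy of "size" bytes runs past it. */
uint32_t flawed_alloc_len(guest_size_t size)
{
    return (uint32_t)(size + 1);
}

/* Hardened pattern: bound the size before doing arithmetic on it.
 * Returns 0 and a NUL-terminated copy in *out on success, -1 on
 * rejection or allocation failure (*out is then NULL). */
int copy_guest_string(const char *src, guest_size_t size, char **out)
{
    *out = NULL;
    if (size > FLASK_MAX_INPUT)    /* also excludes UINT32_MAX, so +1 cannot wrap */
        return -1;
    size_t len = (size_t)size + 1; /* safe: size is at most FLASK_MAX_INPUT */
    char *buf = malloc(len);
    if (buf == NULL)
        return -1;
    memcpy(buf, src, size);
    buf[size] = '\0';
    *out = buf;
    return 0;
}
```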

XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h
through 0Fh processors does not properly handle the
interaction between locked instructions and write-combined
memory types, which allows local users to cause a denial of
service (system hang) via a crafted application, aka the
errata 793 issue. (bnc#853049)

XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x
(possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x
(possibly 4.3.1) does not properly prevent access to
hypercalls, which allows local guest users to gain
privileges via a crafted application running in ring 1 or
2. (bnc#849668)

XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist
hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does
not always obtain the page_alloc_lock and mm_rwlock in the
same order, which allows local guest administrators to
cause a denial of service (host deadlock). (bnc#849667)

XSA-60: CVE-2013-2212: The vmx_set_uc_mode function
in Xen 3.3 through 4.3, when disabling caches, allows
local HVM guests with access to memory mapped I/O regions
to cause a denial of service (CPU consumption and possibly
hypervisor or guest kernel panic) via a crafted GFN range.
(bnc#831120)

Also the following non-security bugs have been fixed:

  • Boot failure with the Xen kernel in UEFI mode with the error
    "No memory for trampoline" (bnc#833483)
  • Fixed Xen hypervisor panic on 8-blade nPar systems with
    46-bit memory addressing. (bnc#848014)
  • On HP UEFI x86_64 platforms running SLES 11 SP3 with Xen,
    dom0 soft lockups on multi-blade nPar systems.
    (bnc#842417)
  • Soft lockup with PCI passthrough and many VCPUs
    (bnc#846849)