Runtime microcode updates do not expose new features completely

Bug #1765040 reported by Jamie Iles
Affects                 Status      Importance  Assigned to  Milestone
linux (Ubuntu)          Expired     Medium      Unassigned
linux (Ubuntu) Artful   Won't Fix   Medium      Unassigned

Bug Description

Unlike upstream, the artful kernel uses the scattered CPU bits arch/x86/kernel/cpu/scattered.c to get the IBRS/IBPB CPUID bits in the KVM CPUID ioctls(). However, these are not updated when loading new microcode at run-time. This means that if you boot a system with older microcode and then use late microcode loading at boot time or later, then the new features are not exposed to guests. So even though the host supports the SPEC_CTRL MSR, those bits are masked out in the guest, even when passing through host CPU capabilities.

Upstream does not have this problem because it uses cpuid_count() which does a raw cpuid when creating a guest rather than the scattered features. Two changes are needed - updating scattered features on microcode reload and using the runtime CPU data rather than the boot data.

Reproduced on "4.13.0-38-generic #43-Ubuntu SMP Wed Mar 14 15:20:44 UTC 2018". Boot with original vendor microcode, apply new microcode with "echo 1 > /sys/devices/system/cpu/microcode/reload" and then boot a guest. With the simple test case below in the guest, see that bits [27:26] are not set when they are in the host.

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
        unsigned int edx;

        /* CPUID leaf 7, sub-leaf 0: EDX[26] = IBRS/IBPB, EDX[27] = STIBP. */
        asm volatile("mov $7, %%eax\n\t"
                     "mov $0, %%ecx\n\t"
                     "cpuid\n\t"
                     "mov %%edx, %0"
                     : "=r"(edx)
                     :
                     /* eax is written too, so it must be in the clobber list */
                     : "%eax", "%ebx", "%ecx", "%edx");

        printf("%08x\n", edx);

        return 0;
}

Two compile-tested patches are attached; I have not yet checked other Ubuntu releases.
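As an added check that is not part of this report or its attached patches, the program below compares the hardware view (raw CPUID leaf 7, EDX bits 26 and 27) with the kernel's cached view (the flags line of /proc/cpuinfo), which is the disagreement the report describes after a late microcode reload: a mismatch on the host is the state in which guests inherit the stale bits. Assumptions: the /proc/cpuinfo flag names (they differ between kernel versions) and a zero CPUID result on non-x86 builds.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hardware view: raw CPUID leaf 7, sub-leaf 0, EDX (assumption: 0 on non-x86 builds). */
unsigned int cpuid7_edx(void)
{
    unsigned int r[4] = {0, 0, 0, 0};
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("cpuid" : "=a"(r[0]), "=b"(r[1]), "=c"(r[2]), "=d"(r[3]) : "a"(7), "c"(0));
#endif
    return r[3];
}

/* EDX[26] = IBRS+IBPB (SPEC_CTRL MSR), EDX[27] = STIBP: the bits the report says guests lose. */
int has_ibrs_ibpb(unsigned int edx) { return (edx >> 26) & 1; }
int has_stibp(unsigned int edx)     { return (edx >> 27) & 1; }

/* Kernel view: whole-word match of a flag name in the /proc/cpuinfo "flags" line,
 * so "ibrs" does not match the newer "ibrs_enhanced" flag. */
int flags_has(const char *line, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = strstr(line, name); p; p = strstr(p + 1, name))
        if ((p == line || isspace((unsigned char)p[-1])) &&
            (p[n] == '\0' || isspace((unsigned char)p[n])))
            return 1;
    return 0;
}

int main(void)
{
    static char line[8192];
    unsigned int edx = cpuid7_edx();
    int hw_ibrs = has_ibrs_ibpb(edx), hw_stibp = has_stibp(edx), k_ibrs, k_stibp, found = 0;
    FILE *f = fopen("/proc/cpuinfo", "r");
    printf("CPUID.7.EDX=%08x  hardware view: ibrs/ibpb=%d stibp=%d\n", edx, hw_ibrs, hw_stibp);
    if (!f) return 1;
    while (!found && fgets(line, sizeof line, f)) found = strncmp(line, "flags", 5) == 0;
    fclose(f);
    if (!found) return 1;
    /* Flag names are an assumption: they vary by kernel version ("spec_ctrl" on some backports). */
    k_ibrs = flags_has(line, "ibrs") || flags_has(line, "spec_ctrl");
    k_stibp = flags_has(line, "stibp");
    printf("/proc/cpuinfo      kernel view:   ibrs/ibpb=%d stibp=%d\n", k_ibrs, k_stibp);
    if (hw_ibrs == k_ibrs && hw_stibp == k_stibp) return 0;
    printf("MISMATCH: the kernel's cached CPU features disagree with raw CPUID (stale after a microcode reload?)\n");
    return 2;
}
```

Run it on the host before and after "echo 1 > /sys/devices/system/cpu/microcode/reload"; on an affected kernel the hardware view gains the bits while the kernel view does not.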

Tags: artful

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1765040

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: artful
Jamie Iles (jamie-7) wrote :

No applicable logs for this.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in linux (Ubuntu Artful):
status: New → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: Triaged → Incomplete
information type: Public → Public Security
Jamie Iles (jamie-7) wrote :
Andy Whitcroft (apw) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, i.e. artful. The bug task representing the artful nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Artful):
status: Triaged → Won't Fix
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired