Add SPEC_CTRL and IBRS changes

Bug #1744882 reported by Christian Ehrhardt 
This bug affects 1 person
Affects               Status        Importance  Assigned to         Milestone
Ubuntu Cloud Archive  Fix Released  Undecided   Unassigned
Kilo                  Won't Fix     Undecided   Unassigned
Mitaka                Fix Released  Undecided   Unassigned
Ocata                 Fix Released  Undecided   Unassigned
Pike                  Fix Released  Undecided   Unassigned
qemu (Ubuntu)         Fix Released  Undecided   Christian Ehrhardt
Trusty                Fix Released  Undecided   Marc Deslauriers
Xenial                Fix Released  Undecided   Marc Deslauriers
Artful                Fix Released  Undecided   Marc Deslauriers
Bionic                Fix Released  Undecided   Christian Ehrhardt

Bug Description

The merge of [1] landed the Spectre-related changes for SPEC_CTRL and IBRS to qemu 2.12.

It is announced in [2] that there shall be a 2.11.1 with the backport that we intend to pick.
The security team can use this merge at [1] to work on backwards security updates.
For 18.04 (not yet released) the intention for now is to pick 2.11.1 once available.

[1]: https://github.com/qemu/qemu/commit/5cad8ca516011695a37d5be905292722b5249da8
[2]: https://www.qemu.org/2018/01/04/spectre/

Christian Ehrhardt  (paelzer) wrote :

Set up the initial set, leaving the security SRUs for Marc to share his intentions.

Changed in qemu (Ubuntu Bionic):
assignee: nobody → ChristianEhrhardt (paelzer)
status: New → Triaged
tags: added: qemu-18.04
Christian Ehrhardt  (paelzer) wrote :

Hmm, I haven't seen any submission of these to qemu-stable yet.
Was the plan revised?

@mdeslaur - did you hear anything in that regard?

Christian Ehrhardt  (paelzer) wrote :

I asked about the latter in [1], as I might have missed a major change of plans.

@mdeslaur - it is also up to you if this bug should go public or not and to dup it if you already have a better one that I don't know of.

[1]: https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg05549.html

Changed in qemu (Ubuntu Trusty):
status: New → Confirmed
Changed in qemu (Ubuntu Xenial):
status: New → Confirmed
Changed in qemu (Ubuntu Artful):
status: New → In Progress
Changed in qemu (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in qemu (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in qemu (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Artful):
assignee: nobody → Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.10+dfsg-0ubuntu3.4

---------------
qemu (1:2.10+dfsg-0ubuntu3.4) artful-security; urgency=medium

  * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
    - debian/patches/CVE-2017-5715-1.patch: Change X86CPUDefinition::
      model_id to const char* in target/i386/cpu.c.
    - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
      in target/i386/cpu.h, target/i386/kvm.c, target/i386/machine.c.
    - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
      target/i386/cpu.c, target/i386/cpu.h.
    - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
      feature word in target/i386/cpu.c, target/i386/cpu.h.
    - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
      CPU models in target/i386/cpu.c.
    - debian/patches/CVE-2017-5715-s390x-1.patch: add linux-header content
      for bpbc in linux-headers/asm-s390/kvm.h, linux-headers/linux/kvm.h.
    - debian/patches/CVE-2017-5715-s390x-2.patch: handle bpb feature in
      target/s390x/cpu.c, target/s390x/cpu.h, target/s390x/cpu_features.c,
      target/s390x/cpu_features_def.h, target/s390x/gen-features.c,
      target/s390x/kvm.c, target/s390x/machine.c.
    - debian/patches/CVE-2017-5715-s390x-3.patch: provide stfle.81 in
      target/s390x/cpu_features.c, target/s390x/cpu_features_def.h,
      target/s390x/gen-features.c.
    - CVE-2017-5715

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 13:28:07 -0500

Changed in qemu (Ubuntu Artful):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.20

---------------
qemu (1:2.5+dfsg-5ubuntu10.20) xenial-security; urgency=medium

  * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
    - debian/patches/CVE-2017-5715-1.patch: Lengthen X86CPUDefinition::
      model_id in target-i386/cpu.c.
    - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
      in target-i386/cpu.h, target-i386/kvm.c, target-i386/machine.c.
    - debian/patches/CVE-2017-5715-3pre1.patch: add FEAT_7_0_ECX and
      FEAT_7_0_EDX in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
      target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
      feature word in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
      CPU models in target-i386/cpu.c.
    - debian/patches/CVE-2017-5715-s390x-1.patch: add linux-header content
      for bpbc in linux-headers/asm-s390/kvm.h, linux-headers/linux/kvm.h.
    - debian/patches/CVE-2017-5715-s390x-2.patch: handle bpb feature in
      target-s390x/cpu.c, target-s390x/cpu.h, target-s390x/kvm.c.
    - CVE-2017-5715

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 13:27:34 -0500

Changed in qemu (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 2.0.0+dfsg-2ubuntu1.38

---------------
qemu (2.0.0+dfsg-2ubuntu1.38) trusty-security; urgency=medium

  * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
    - debian/patches/CVE-2017-5715-1.patch: Lengthen X86CPUDefinition::
      model_id in target-i386/cpu.c.
    - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
      in target-i386/cpu.h, target-i386/kvm.c, target-i386/machine.c.
    - debian/patches/CVE-2017-5715-3pre1.patch: add FEAT_7_0_ECX and
      FEAT_7_0_EDX in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
      target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
      feature word in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
      CPU models in target-i386/cpu.c.
    - CVE-2017-5715

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 13:27:00 -0500

Changed in qemu (Ubuntu Trusty):
status: In Progress → Fix Released
Christian Ehrhardt  (paelzer) wrote :

qemu 2.11 is in proposed

Changed in qemu (Ubuntu Bionic):
status: Triaged → Fix Committed
Christian Ehrhardt  (paelzer) wrote :

Actually this particular change will be in 2.11.1 which should be released next week and then follow 2.11 into bionic.

Changed in qemu (Ubuntu Bionic):
status: Fix Committed → Triaged
Corey Bryant (corey.bryant) wrote : Please test proposed package

Hello ChristianEhrhardt, or anyone else affected,

Accepted qemu into kilo-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:kilo-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-kilo-needed to verification-kilo-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-kilo-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-kilo-needed
Corey Bryant (corey.bryant) wrote :

Hello ChristianEhrhardt, or anyone else affected,

Accepted qemu into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-ocata-needed
Corey Bryant (corey.bryant) wrote :

Regression testing with tempest successful on ocata-proposed:

======
Totals
======
Ran: 102 tests in 1543.5582 sec.
 - Passed: 94
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 908.5919 sec.

Corey Bryant (corey.bryant) wrote :

Regression testing with tempest successful on pike-proposed:

======
Totals
======
Ran: 102 tests in 1330.1886 sec.
 - Passed: 94
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 644.0600 sec.

Corey Bryant (corey.bryant) wrote :

Hello ChristianEhrhardt, or anyone else affected,

Accepted qemu into mitaka-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:mitaka-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-mitaka-needed to verification-mitaka-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-mitaka-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-mitaka-needed
James Page (james-page) wrote : Update Released

The verification of the Stable Release Update for qemu has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote :

This bug was fixed in the package qemu - 1:2.10+dfsg-0ubuntu3.4~cloud0
---------------

 qemu (1:2.10+dfsg-0ubuntu3.4~cloud0) xenial-pike; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 qemu (1:2.10+dfsg-0ubuntu3.4) artful-security; urgency=medium
 .
   * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
     - debian/patches/CVE-2017-5715-1.patch: Change X86CPUDefinition::
       model_id to const char* in target/i386/cpu.c.
     - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
       in target/i386/cpu.h, target/i386/kvm.c, target/i386/machine.c.
     - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
       target/i386/cpu.c, target/i386/cpu.h.
     - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
       feature word in target/i386/cpu.c, target/i386/cpu.h.
     - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
       CPU models in target/i386/cpu.c.
     - debian/patches/CVE-2017-5715-s390x-1.patch: add linux-header content
       for bpbc in linux-headers/asm-s390/kvm.h, linux-headers/linux/kvm.h.
     - debian/patches/CVE-2017-5715-s390x-2.patch: handle bpb feature in
       target/s390x/cpu.c, target/s390x/cpu.h, target/s390x/cpu_features.c,
       target/s390x/cpu_features_def.h, target/s390x/gen-features.c,
       target/s390x/kvm.c, target/s390x/machine.c.
     - debian/patches/CVE-2017-5715-s390x-3.patch: provide stfle.81 in
       target/s390x/cpu_features.c, target/s390x/cpu_features_def.h,
       target/s390x/gen-features.c.
     - CVE-2017-5715

tags: added: verification-pike-done
no longer affects: cloud-archive/icehouse
Changed in cloud-archive:
status: New → Triaged
Corey Bryant (corey.bryant) wrote :

Testing has completed successfully for ocata-proposed between regression testing successfully and the following results testing qemu/libvirt with microcode updates: https://paste.ubuntu.com/p/X45Gghqvkk/

tags: added: verification-ocata-done
removed: verification-ocata-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.11+dfsg-1ubuntu2

---------------
qemu (1:2.11+dfsg-1ubuntu2) bionic; urgency=medium

  * d/p/ubuntu/qemu-stable-2.11.1.patch: add stable release
    - among other fixes this adds code to:
      - mitigate the Spectre/Meltdown attacks (LP: #1744882) (CVE-2017-5715)
        However, enabling this functionality requires additional configuration
        beyond just updating QEMU. Also migrations need special consideration.
        Details about that can be found at:
        https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
      - Power9 allocation of max 8 threads per core (LP: #1750526)
  * Drop changes that are part of the upstream stable release
    - d/p/ubuntu/linux-headers-update-to-4.15-rc1.patch
    - d/p/ubuntu/linux-headers-update-4.15-rc9.patch
    - d/p/ubuntu/lp1743560-s390x-kvm-Handle-bpb-feature.patch
    - d/p/ubuntu/lp1743560-s390x-kvm-provide-stfle.81.patch
  * d/p/ubuntu/define-ubuntu-machine-types.patch: refresh to match stable update
  * d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: unify to only change the
    common compat.h header and add some extra info in the patch header.

 -- Christian Ehrhardt <email address hidden> Mon, 19 Feb 2018 11:03:11 +0100

Changed in qemu (Ubuntu Bionic):
status: Triaged → Fix Released
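
One way to audit the "additional configuration" the changelog above refers to, as an added example that is not part of the original bug thread or of QEMU: it classifies QEMU command lines by whether the `-cpu` argument requests the spec-ctrl bit, through an -IBRS model or the `spec-ctrl` property. The command lines are constructed samples, the model names and property spellings are assumptions based on QEMU's `-cpu` option format, and a requested bit still depends on host microcode and kernel support.

```python
import shlex

# Spellings of the -cpu property that request or remove the spec-ctrl bit
# (assumed from QEMU's "-cpu model,+feat,-feat,feat=on|off" option format).
ON = {"+spec-ctrl", "spec-ctrl", "spec-ctrl=on"}
OFF = {"-spec-ctrl", "spec-ctrl=off"}

def _option(argv, flag):
    """Return the argument following `flag`, or None when it is absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None

def spec_ctrl_exposure(cmdline):
    """Classify one QEMU command line by what its -cpu argument requests."""
    cpu = _option(shlex.split(cmdline), "-cpu")
    if cpu is None:
        return "no-cpu-option"        # default CPU model, nothing requested
    model, *props = cpu.split(",")
    explicit = None
    for prop in props:                # simplification: last matching property wins
        prop = prop.strip().replace("_", "-")
        if prop in ON:
            explicit = True
        elif prop in OFF:
            explicit = False
    if explicit is not None:
        return "exposed" if explicit else "not-exposed"
    if model == "host":
        return "host-dependent"       # guest inherits whatever the host reports
    return "exposed" if model.endswith("-IBRS") else "not-exposed"

def guest_name(cmdline):
    """Extract the guest name from -name, accepting the guest=NAME form."""
    name = (_option(shlex.split(cmdline), "-name") or "unnamed").split(",")[0]
    return name[len("guest="):] if name.startswith("guest=") else name

def needs_review(cmdlines):
    """Names of guests whose CPU definition does not request spec-ctrl."""
    return [guest_name(c) for c in cmdlines if spec_ctrl_exposure(c) != "exposed"]

# Constructed sample command lines, not taken from the bug report.
SAMPLE = [
    "qemu-system-x86_64 -name guest=web1 -machine pc -cpu Haswell-IBRS -m 2048",
    "qemu-system-x86_64 -name guest=db1 -cpu Haswell,+aes -m 4096",
    "qemu-system-x86_64 -name guest=ci1 -cpu Broadwell,+spec-ctrl -m 1024",
    "qemu-system-x86_64 -name guest=lab1 -cpu host -m 1024",
    "qemu-system-x86_64 -name guest=old1 -cpu Skylake-Client-IBRS,spec_ctrl=off",
]
```

Guests reported by `needs_review` keep their old CPU definition after the package upgrade and only pick up a new one after a full stop and start with the changed model.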
Corey Bryant (corey.bryant) wrote :

Regression testing for trusty-mitaka has successfully passed:

======
Totals
======
Ran: 102 tests in 1037.8303 sec.
 - Passed: 94
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 622.6697 sec.

tags: added: verification-mitaka-done
removed: verification-mitaka-needed
Chris MacNaughton (chris.macnaughton) wrote :

Marking the Kilo task wontfix as it has been EOL for a long time.

Changed in cloud-archive:
status: Triaged → Fix Released