Xenial update to 4.4.144 stable release

Bug #1791080 reported by Stefan Bader on 2018-09-06
Affects          Status   Importance   Assigned to    Milestone
linux (Ubuntu)            Undecided    Unassigned
Xenial                    Medium       Stefan Bader

Bug Description

    SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The 4.4.144 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.

       git://git.kernel.org/

    TEST CASE: TBD

       The following patches from the 4.4.144 stable release shall be applied:

Stefan Bader (smb) on 2018-09-06
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Xenial):
assignee: nobody → Stefan Bader (smb)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: New → Invalid
Stefan Bader (smb) wrote :

This upstream stable update contains the backport for CVE-2018-3639 (x86) aka Spectre v4/SSB.
* x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
  The upstream stable patch adds two previously unknown
  feature bits for word 18 which I added with a SAUCE
  patch.
* x86/cpufeatures: Add Intel feature bits for Speculation
  Control
  -> skip, no change
* x86/cpufeatures: Add AMD feature bits for Speculation
  Control
  -> skip, no change
* x86/msr: Add definitions for new speculation control
  MSRs
  -> skip, no change
* x86/pti: Do not enable PTI on CPUs which are not
  vulnerable to Meltdown
  -> skip, no change
* x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early
  Spectre v2 microcodes
  -> skip, we have actually reverted this at some point
* x86/speculation: Add basic IBPB (Indirect Branch
  Prediction Barrier) support
  -> Picked in reduced form (only adding definition for
     indirect_branch_prediction_barrier()). Not sure this
     will be needed in the end.
* x86/cpufeatures: Clean up Spectre v2 related CPUID
  flags
  -> Mostly can be skipped. Only picking up a small change
     to indirect_branch_prediction_barrier() which is still
     not used.
  Not picking up the firmware blacklist code.
* x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature
  bits on Intel
  -> skipped, no change

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/speculation: Update Speculation Control microcode
  blacklist
  -> skip, we do not carry the blacklist
* x86/speculation: Correct Speculation Control
  microcode blacklist again
  -> skip, again firmware blacklist
* x86/speculation: Clean up various Spectre related
  details
  -> pick, adjusted to match intended goals (low risk
     as this is only removing line breaks or updating
     printks).
* x86/speculation: Add <asm/msr-index.h> dependency
  -> skip, no change
* x86/spectre_v2: Don't check microcode versions when
  running under hypervisors
  -> skip, we do not check for bad microcode versions
* x86/speculation: Use IBRS if available before calling
  into firmware
  -> pick, adapted to current environment. We already
     had alternative_msr_write() ported.

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/speculation: Remove Skylake C2 from Speculation
  Control microcode blacklist
  -> skip, ignore blacklist
* selftest/seccomp: Fix the flag name
  SECCOMP_FILTER_FLAG_TSYNC
  -> skip, no change
* x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when
  running under Xen
  -> pick, context
* x86/nospec: Simplify alternative_msr_write()
  -> skip, no change
* x86/bugs: Concentrate bug detection into a separate
  function
  -> skip, no change
* x86/bugs: Concentrate bug reporting into a separate
  function
  -> skip, no change (silly patches with near identical
     summary lines)
* x86/bugs: Read SPEC_CTRL MSR during boot and re-use
  reserved bits
  -> skip, but added SAUCE patch to adjust the following
     inline functions to their final upstream stable form
     (as in 4.4.154)
     - indirect_branch_prediction_barrier(),
     - firmware_restrict_branch_speculation_start(),
     - firmware_restrict_branch_speculation_end()
* x86/bugs, KVM: Support the combination of guest and
  host IBRS
  -> skip, no change
* x86/cpu: Rename Merrifield2 to Moorefield
  -> skip, no change
* x86/cpu/intel: Add Knights Mill to Intel family
  -> skip, no change
* x86/bugs: Expose /sys/../spec_store_bypass
  -> skip, add sauce (Initially dropped Knights Mill
     because it was undefined but later added definition
     but not updated the no ssb array).
* x86/cpufeatures: Add X86_FEATURE_RDS
  -> skip, no change

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/bugs: Provide boot parameters for the
  spec_store_bypass_disable mitigation
  -> skip, no change
* x86/bugs/intel: Set proper CPU features and setup RDS
  -> skip, no change but note that we keep using
     ibrs_inuse() instead of the feature bit.
* x86/bugs: Whitelist allowed SPEC_CTRL MSR values
  -> skip, no change
* x86/bugs/AMD: Add support to disable RDS on Fam[15,
  16, 17]h if requested
  -> skip, no change
* x86/speculation: Create spec-ctrl.h to avoid include
  hell
  -> skip, no change
* prctl: Add speculation control prctls
  -> skip, no change
* x86/process: Optimize TIF checks in __switch_to_xtra()
  -> skip, no change
* x86/process: Correct and optimize TIF_BLOCKSTEP switch
  -> pick, no change
* x86/process: Optimize TIF_NOTSC switch
  -> pick, context
* x86/process: Allow runtime control of Speculative
  Store Bypass
  -> skip, no change
* x86/speculation: Add prctl for Speculative Store
  Bypass mitigation
  -> skip, no change
* nospec: Allow getting/setting on non-current task
  -> skip, no change
* proc: Provide details on speculation flaw mitigations
  -> skip, no change
* seccomp: Enable speculation flaw mitigations
  -> skip, no change
* prctl: Add force disable speculation
  -> skip, no change
* seccomp: Use PR_SPEC_FORCE_DISABLE
  -> skip, no change
* seccomp: Add filter flag to opt-out of SSB mitigation
  -> skip, no change
* seccomp: Move speculation migitation control to arch
  code
  -> skip, no change
* x86/speculation: Make "seccomp" the default mode for
  Speculative Store Bypass
  -> skip, no change
* x86/bugs: Rename _RDS to _SSBD
  -> skip, no change
* proc: Use underscores for SSBD in 'status'
  -> skip, no change
* Documentation/spec_ctrl: Do some minor cleanups
  -> skip, no change
* x86/bugs: Fix __ssb_select_mitigation() return type
  -> skip, no change
* x86/bugs: Make cpu_show_common() static
  -> skip, no change
* x86/bugs: Fix the parameters alignment and missing
  void
  -> skip, no change
* x86/cpu: Make alternative_msr_write work for 32-bit
  code
  -> skip, no change
* x86/speculation: Use synthetic bits for
  IBRS/IBPB/STIBP
  -> skip, no change
* x86/cpufeatures: Disentangle MSR_SPEC_CTRL
  enumeration from IBRS
  -> skip, no change
* x86/cpufeatures: Disentangle SSBD enumeration
  -> skip, no change
* x86/cpu/AMD: Fix erratum 1076 (CPB bit)
  -> pick and revert previous version
  The upstream commit does this by adding the
  Zen specific init function.
* x86/cpufeatures: Add FEATURE_ZEN
  -> pick, partial
  The bit is already defined in a previous patch.
  Likely needs proper revert sequence later.
* x86/speculation: Handle HT correctly on AMD
  -> skip, no change
* x86/bugs, KVM: Extend speculation control for
  VIRT_SPEC_CTRL
  -> skip, no change
* x86/speculation: Add virtualized speculative store
  bypass disable support
  -> skip, no change
* x86/speculation: Rework
  speculative_store_bypass_update()
  -> skip, no change
* x86/bugs: Unify x86_spec_ctrl_{set_guest,
  restore_host}
  -> skip, no change
* Expose x86_spec_ctrl_base directly
  -> skip, no change
* x86/bugs: Remove x86_spec_ctrl_set()
  -> skip, no change
* x86/bugs: Rework spec_ctrl base and...


Stefan Bader (smb) wrote :

Remaining non Spectre v4 import:
* block: do not use interruptible wait anywhere
  -> pick, context

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-137.163

---------------
linux (4.4.0-137.163) xenial; urgency=medium

  * CVE-2018-14633
    - iscsi target: Use hex2bin instead of a re-implementation

  * CVE-2018-17182
    - mm: get rid of vmacache_flush_all() entirely

linux (4.4.0-136.162) xenial; urgency=medium

  * linux: 4.4.0-136.162 -proposed tracker (LP: #1791745)

  * CVE-2017-5753
    - bpf: properly enforce index mask to prevent out-of-bounds speculation
    - Revert "UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()"
    - Revert "bpf: prevent speculative execution in eBPF interpreter"

  * L1TF mitigation not effective in some CPU and RAM combinations
    (LP: #1788563) // CVE-2018-3620 // CVE-2018-3646
    - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
    - x86/speculation/l1tf: Fix off-by-one error when warning that system has too
      much RAM
    - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+

  * CVE-2018-15594
    - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests

  * Xenial update to 4.4.144 stable release (LP: #1791080)
    - KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in
      parallel.
    - x86/MCE: Remove min interval polling limitation
    - fat: fix memory allocation failure handling of match_strdup()
    - ALSA: rawmidi: Change resized buffers atomically
    - ARC: Fix CONFIG_SWAP
    - ARC: mm: allow mprotect to make stack mappings executable
    - mm: memcg: fix use after free in mem_cgroup_iter()
    - ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
    - ipv6: fix useless rol32 call on hash
    - lib/rhashtable: consider param->min_size when setting initial table size
    - net/ipv4: Set oif in fib_compute_spec_dst
    - net: phy: fix flag masking in __set_phy_supported
    - ptp: fix missing break in switch
    - tg3: Add higher cpu clock for 5762.
    - net: Don't copy pfmemalloc flag in __copy_skb_header()
    - skbuff: Unconditionally copy pfmemalloc in __skb_clone()
    - xhci: Fix perceived dead host due to runtime suspend race with event handler
    - x86/paravirt: Make native_save_fl() extern inline
    - SAUCE: Add missing CPUID_7_EDX defines
    - SAUCE: x86/speculation: Expose indirect_branch_prediction_barrier()
    - x86/pti: Mark constant arrays as __initconst
    - x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs
    - x86/entry/64/compat: Clear registers for compat syscalls, to reduce
      speculation attack surface
    - x86/speculation: Clean up various Spectre related details
    - x86/speculation: Fix up array_index_nospec_mask() asm constraint
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - x86/mm: Factor out LDT init from context init
    - x86/mm: Give each mm TLB flush generation a unique ID
    - SAUCE: x86/speculation: Use Indirect Branch Prediction Barrier in context
      switch
    - x86/speculation: Use IBRS if available before calling into firmware
    - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
    - selftest/seccomp: Fix the seccomp(2) signature
    - xen: set cpu capabilities from xen_start_kernel()
    - x86/amd: d...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released