Xenial update to 4.4.144 stable release

Bug #1791080 reported by Stefan Bader
Affects          Status         Importance   Assigned to    Milestone
linux (Ubuntu)   Invalid        Undecided    Unassigned
  Xenial         Fix Released   Medium       Stefan Bader

Bug Description

    SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The 4.4.144 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.

       git://git.kernel.org/

    TEST CASE: TBD

       The following patches from the 4.4.144 stable release shall be applied:

Stefan Bader (smb)
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Xenial):
assignee: nobody → Stefan Bader (smb)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: New → Invalid
Stefan Bader (smb) wrote :

This upstream stable update contains the backport for CVE-2018-3639 (x86) aka Spectre v4/SSB.
* x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
  The upstream stable patch adds two previously unknown
  feature bits for word 18 which I added with a SAUCE
  patch.
* x86/cpufeatures: Add Intel feature bits for Speculation
  Control
  -> skip, no change
* x86/cpufeatures: Add AMD feature bits for Speculation
  Control
  -> skip, no change
* x86/msr: Add definitions for new speculation control
  MSRs
  -> skip, no change
* x86/pti: Do not enable PTI on CPUs which are not
  vulnerable to Meltdown
  -> skip, no change
* x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early
  Spectre v2 microcodes
  -> skip, we have actually reverted this at some point
* x86/speculation: Add basic IBPB (Indirect Branch
  Prediction Barrier) support
  -> Picked in reduced form (only adding definition for
     indirect_branch_prediction_barrier(). Not sure this
     will be needed in the end.)
* x86/cpufeatures: Clean up Spectre v2 related CPUID
  flags
  -> Mostly can be skipped. Only picking up a small change
     to indirect_branch_prediction_barrier() which is still
     not used.
  Not picking up the firmware blacklist code.
* x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature
  bits on Intel
  -> skipped, no change

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/speculation: Update Speculation Control microcode
  blacklist
  -> skip, we do not carry the blacklist
* x86/speculation: Correct Speculation Control
  microcode blacklist again
  -> skip, again firmware blacklist
* x86/speculation: Clean up various Spectre related
  details
  -> pick, adjusted to match intended goals (low risk
     as this is only removing line breaks or updating
     printks).
* x86/speculation: Add <asm/msr-index.h> dependency
  -> skip, no change
* x86/spectre_v2: Don't check microcode versions when
  running under hypervisors
  -> skip, we do not check for bad microcode versions
* x86/speculation: Use IBRS if available before calling
  into firmware
  -> pick, adapted to current environment. We already
     had alternative_msr_write() ported.

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/speculation: Remove Skylake C2 from Speculation
  Control microcode blacklist
  -> skip, ignore blacklist
* selftest/seccomp: Fix the flag name
  SECCOMP_FILTER_FLAG_TSYNC
  -> skip, no change
* x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when
  running under Xen
  -> pick, context
* x86/nospec: Simplify alternative_msr_write()
  -> skip, no change
* x86/bugs: Concentrate bug detection into a separate
  function
  -> skip, no change
* x86/bugs: Concentrate bug reporting into a separate
  function
  -> skip, no change (silly patches with near identical
     summary lines)
* x86/bugs: Read SPEC_CTRL MSR during boot and re-use
  reserved bits
  -> skip, but added SAUCE patch to adjust the following
     inline functions to their final upstream stable form
     (as in 4.4.154)
     - indirect_branch_prediction_barrier(),
     - firmware_restrict_branch_speculation_start(),
     - firmware_restrict_branch_speculation_end()
* x86/bugs, KVM: Support the combination of guest and
  host IBRS
  -> skip, no change
* x86/cpu: Rename Merrifield2 to Moorefield
  -> skip, no change
* x86/cpu/intel: Add Knights Mill to Intel family
  -> skip, no change
* x86/bugs: Expose /sys/../spec_store_bypass
  -> skip, add sauce (Initially dropped Knights Mill
     because it was undefined but later added definition
     but not updated the no ssb array).
* x86/cpufeatures: Add X86_FEATURE_RDS
  -> skip, no change

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/bugs: Provide boot parameters for the
  spec_store_bypass_disable mitigation
  -> skip, no change
* x86/bugs/intel: Set proper CPU features and setup RDS
  -> skip, no change but note that we keep using
     ibrs_inuse() instead of the feature bit.
* x86/bugs: Whitelist allowed SPEC_CTRL MSR values
  -> skip, no change
* x86/bugs/AMD: Add support to disable RDS on Fam[15,
  16, 17]h if requested
  -> skip, no change
* x86/speculation: Create spec-ctrl.h to avoid include
  hell
  -> skip, no change
* prctl: Add speculation control prctls
  -> skip, no change
* x86/process: Optimize TIF checks in __switch_to_xtra()
  -> skip, no change
* x86/process: Correct and optimize TIF_BLOCKSTEP switch
  -> pick, no change
* x86/process: Optimize TIF_NOTSC switch
  -> pick, context
* x86/process: Allow runtime control of Speculative
  Store Bypass
  -> skip, no change
* x86/speculation: Add prctl for Speculative Store
  Bypass mitigation
  -> skip, no change
* nospec: Allow getting/setting on non-current task
  -> skip, no change
* proc: Provide details on speculation flaw mitigations
  -> skip, no change
* seccomp: Enable speculation flaw mitigations
  -> skip, no change
* prctl: Add force disable speculation
  -> skip, no change
* seccomp: Use PR_SPEC_FORCE_DISABLE
  -> skip, no change
* seccomp: Add filter flag to opt-out of SSB mitigation
  -> skip, no change
* seccomp: Move speculation migitation control to arch
  code
  -> skip, no change
* x86/speculation: Make "seccomp" the default mode for
  Speculative Store Bypass
  -> skip, no change
* x86/bugs: Rename _RDS to _SSBD
  -> skip, no change
* proc: Use underscores for SSBD in 'status'
  -> skip, no change
* Documentation/spec_ctrl: Do some minor cleanups
  -> skip, no change
* x86/bugs: Fix __ssb_select_mitigation() return type
  -> skip, no change
* x86/bugs: Make cpu_show_common() static
  -> skip, no change
* x86/bugs: Fix the parameters alignment and missing
  void
  -> skip, no change
* x86/cpu: Make alternative_msr_write work for 32-bit
  code
  -> skip, no change
* x86/speculation: Use synthetic bits for
  IBRS/IBPB/STIBP
  -> skip, no change
* x86/cpufeatures: Disentangle MSR_SPEC_CTRL
  enumeration from IBRS
  -> skip, no change
* x86/cpufeatures: Disentangle SSBD enumeration
  -> skip, no change
* x86/cpu/AMD: Fix erratum 1076 (CPB bit)
  -> pick and revert previous version
  The upstream commit does this by adding the
  Zen specific init function.
* x86/cpufeatures: Add FEATURE_ZEN
  -> pick, partial
  The bit is already defined in a previous patch.
  Likely needs proper revert sequence later.
* x86/speculation: Handle HT correctly on AMD
  -> skip, no change
* x86/bugs, KVM: Extend speculation control for
  VIRT_SPEC_CTRL
  -> skip, no change
* x86/speculation: Add virtualized speculative store
  bypass disable support
  -> skip, no change
* x86/speculation: Rework
  speculative_store_bypass_update()
  -> skip, no change
* x86/bugs: Unify x86_spec_ctrl_{set_guest,
  restore_host}
  -> skip, no change
* Expose x86_spec_ctrl_base directly
  -> skip, no change
* x86/bugs: Remove x86_spec_ctrl_set()
  -> skip, no change
* x86/bugs: Rework spec_ctrl base and...

Stefan Bader (smb) wrote :

Remaining non Spectre v4 import:
* block: do not use interruptible wait anywhere
  -> pick, context

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-137.163

---------------
linux (4.4.0-137.163) xenial; urgency=medium

  * CVE-2018-14633
    - iscsi target: Use hex2bin instead of a re-implementation

  * CVE-2018-17182
    - mm: get rid of vmacache_flush_all() entirely

linux (4.4.0-136.162) xenial; urgency=medium

  * linux: 4.4.0-136.162 -proposed tracker (LP: #1791745)

  * CVE-2017-5753
    - bpf: properly enforce index mask to prevent out-of-bounds speculation
    - Revert "UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()"
    - Revert "bpf: prevent speculative execution in eBPF interpreter"

  * L1TF mitigation not effective in some CPU and RAM combinations
    (LP: #1788563) // CVE-2018-3620 // CVE-2018-3646
    - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
    - x86/speculation/l1tf: Fix off-by-one error when warning that system has too
      much RAM
    - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+

  * CVE-2018-15594
    - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests

  * Xenial update to 4.4.144 stable release (LP: #1791080)
    - KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in
      parallel.
    - x86/MCE: Remove min interval polling limitation
    - fat: fix memory allocation failure handling of match_strdup()
    - ALSA: rawmidi: Change resized buffers atomically
    - ARC: Fix CONFIG_SWAP
    - ARC: mm: allow mprotect to make stack mappings executable
    - mm: memcg: fix use after free in mem_cgroup_iter()
    - ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
    - ipv6: fix useless rol32 call on hash
    - lib/rhashtable: consider param->min_size when setting initial table size
    - net/ipv4: Set oif in fib_compute_spec_dst
    - net: phy: fix flag masking in __set_phy_supported
    - ptp: fix missing break in switch
    - tg3: Add higher cpu clock for 5762.
    - net: Don't copy pfmemalloc flag in __copy_skb_header()
    - skbuff: Unconditionally copy pfmemalloc in __skb_clone()
    - xhci: Fix perceived dead host due to runtime suspend race with event handler
    - x86/paravirt: Make native_save_fl() extern inline
    - SAUCE: Add missing CPUID_7_EDX defines
    - SAUCE: x86/speculation: Expose indirect_branch_prediction_barrier()
    - x86/pti: Mark constant arrays as __initconst
    - x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs
    - x86/entry/64/compat: Clear registers for compat syscalls, to reduce
      speculation attack surface
    - x86/speculation: Clean up various Spectre related details
    - x86/speculation: Fix up array_index_nospec_mask() asm constraint
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - x86/mm: Factor out LDT init from context init
    - x86/mm: Give each mm TLB flush generation a unique ID
    - SAUCE: x86/speculation: Use Indirect Branch Prediction Barrier in context
      switch
    - x86/speculation: Use IBRS if available before calling into firmware
    - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
    - selftest/seccomp: Fix the seccomp(2) signature
    - xen: set cpu capabilities from xen_start_kernel()
    - x86/amd: d...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released