Bug 22332

Summary: Update request: kernel-tmb 4.4.11
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25, westel
Version: 5Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK, MGA5-32-OK
Source RPM: kernel-tmb CVE:
Status comment:
Bug Depends on: 22337    
Bug Blocks:    
Attachments: make log of failed fglrx build for 4.4.110-tmb-desktop-1.mga5

Description Thomas Backlund 2018-01-06 23:13:21 CET 
Meltdown fixed kernel...

Advisory will follow

There might be need for a rebuild for additional fixes... but please start testing so we can catch regressions...


SRPMS:
kernel-tmb-4.4.110-1.mga5.src.rpm


i586:
kernel-tmb-desktop-4.4.110-1.mga5-1-1.mga5.i586.rpm
kernel-tmb-desktop-devel-4.4.110-1.mga5-1-1.mga5.i586.rpm
kernel-tmb-desktop-devel-latest-4.4.110-1.mga5.i586.rpm
kernel-tmb-desktop-latest-4.4.110-1.mga5.i586.rpm
kernel-tmb-source-4.4.110-1.mga5-1-1.mga5.noarch.rpm
kernel-tmb-source-latest-4.4.110-1.mga5.noarch.rpm


x86_64:
kernel-tmb-desktop-4.4.110-1.mga5-1-1.mga5.x86_64.rpm
kernel-tmb-desktop-devel-4.4.110-1.mga5-1-1.mga5.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.4.110-1.mga5.x86_64.rpm
kernel-tmb-desktop-latest-4.4.110-1.mga5.x86_64.rpm
kernel-tmb-source-4.4.110-1.mga5-1-1.mga5.noarch.rpm
kernel-tmb-source-latest-4.4.110-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.110-1.mga5.x86_64.rpm
Thomas Backlund 2018-01-06 23:38:37 CET

Depends on: (none) => 22337

Comment 1 Ben McMonagle 2018-01-07 07:25:45 CET 
Mga5-x86_64 (Celeron M 530)

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  kernel-tmb-desktop-4.4.110-1.mga5  1            1.mga5        x86_64  
  kernel-tmb-desktop-devel-4.4.110-> 1            1.mga5        x86_64  
  kernel-tmb-desktop-devel-latest    4.4.110      1.mga5        x86_64  
  kernel-tmb-desktop-latest          4.4.110      1.mga5        x86_64 
 
88MB of additional disk space will be used.
59MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y

installing kernel-tmb-desktop-4.4.110-1.mga5-1-1.mga5.x86_64.rpm kernel-tmb-desktop-devel-latest-4.4.110-1.mga5.x86_64.rpm kernel-tmb-desktop-devel-4.4.110-1.mga5-1-1.mga5.x86_64.rpm kernel-tmb-desktop-latest-4.4.110-1.mga5.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...  

      1/4: kernel-desktop-tmb-devel-4.4.110-1.mga5
      2/4: kernel-tmb-desktop-4.4.110-1.mga5
      3/4: kernel-tmb-desktop-latest
      4/4: kernel-tmb-desktop-devel-latest
      
broadcom-wl (6.30.223.271-5.mga5.nonfree): Installing module.
......................
..........
Cannot find a boot loader installed. Only taking care of initrd
Creating: target|kernel|dracut args|basicmodules 
You should restart your computer for kernel-tmb-desktop-4.4.110-1.mga5

reboot to working desktop and Broadcom Wifi - ok

Whiteboard: (none) => MGA5-64-OK
CC: (none) => westel

Comment 2 Dave Hodgins 2018-01-07 14:43:23 CET 
Created attachment 9882 [details]
make log of failed fglrx build for 4.4.110-tmb-desktop-1.mga5

As attached, the fglrx dkms build is failing for the tmb-desktop kernel.
This is on Mageia 5 i686

CC: (none) => davidwhodgins

Comment 3 Thomas Backlund 2018-01-07 15:00:22 CET 
(In reply to Dave Hodgins from comment #2)
> Created attachment 9882 [details]
> make log of failed fglrx build for 4.4.110-tmb-desktop-1.mga5
> 
> As attached, the fglrx dkms build is failing for the tmb-desktop kernel.
> This is on Mageia 5 i686

Good catch...

seems the patch to drop the _GPL part only landed in 4.14... 
I notified upstream about it and will backport it to the 4.4 branch unless  upstream does it.
Comment 4 Dave Hodgins 2018-01-07 15:15:13 CET 
Just fyi. Also affects 4.4.110-tmb-desktop-1.mga5 on x86_64. On all of
the other Mageia 5 kernels, dkms-fglrx is ok.
Comment 5 Dave Hodgins 2018-01-07 15:32:54 CET 
Removing the MGA5-64-OK due to the above.

Whiteboard: MGA5-64-OK => (none)

Comment 6 Len Lawrence 2018-01-07 18:22:32 CET 
Upated the linus kernel.
$ uname -r
4.14.12-2.mga6

System:    Host: juza Kernel: 4.14.12-2.mga6 x86_64
           Desktop: MATE 1.18.0  Distro: Mageia 6 mga6
CPU:       Quad core Intel Core i7-3630QM (-HT-MCP-)
Machine:   Device: laptop System: LENOVO product: 9541 v: Lenovo IdeaPad Y500
Graphics:  Card: NVIDIA GK107M [GeForce GT 650M]
           GLX Version: 4.5.0 NVIDIA 384.111
RAM:       8 GB

Stress tests OK.  glmark2.
NFS share mounted.  LAN wifi networking OK.  Login to a local machine to run a graphical application remotely.
Paired with TV soundbar using bluetooth and played an ogg file with sox.  Youtube videos played fine.  Looks like a working desktop.

CC: (none) => tarazed25

Comment 7 Thomas Backlund 2018-01-09 01:05:37 CET 
Unfortunately there is still some regressions that will be fixed in 4.4.111, so  a new kernel will be coming...

Keywords: (none) => feedback

Comment 8 Thomas Backlund 2018-01-10 16:44:36 CET 
fixed kernels:

SRPMS:
kernel-tmb-4.4.111-1.mga5.src.rpm


i586:
kernel-tmb-desktop-4.4.111-1.mga5-1-1.mga5.i586.rpm
kernel-tmb-desktop-devel-4.4.111-1.mga5-1-1.mga5.i586.rpm
kernel-tmb-desktop-devel-latest-4.4.111-1.mga5.i586.rpm
kernel-tmb-desktop-latest-4.4.111-1.mga5.i586.rpm
kernel-tmb-source-4.4.111-1.mga5-1-1.mga5.noarch.rpm
kernel-tmb-source-latest-4.4.111-1.mga5.noarch.rpm


x86_64:
kernel-tmb-desktop-4.4.111-1.mga5-1-1.mga5.x86_64.rpm
kernel-tmb-desktop-devel-4.4.111-1.mga5-1-1.mga5.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.4.111-1.mga5.x86_64.rpm
kernel-tmb-desktop-latest-4.4.111-1.mga5.x86_64.rpm
kernel-tmb-source-4.4.111-1.mga5-1-1.mga5.noarch.rpm
kernel-tmb-source-latest-4.4.111-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.111-1.mga5.x86_64.rpm

Keywords: feedback => (none)
Summary: Update request: kernel-tmb 4.4.110 => Update request: kernel-tmb 4.4.11

Comment 9 Thomas Backlund 2018-01-12 21:03:47 CET 
Advisory, added to svn:

type: security
subject: Updated kernel-tmb packages fix security vulnerabilities
CVE:
 - CVE 2017-5715
 - CVE 2017-5753
 - CVE-2017-5754
 - CVE-2017-15129
 - CVE-2017-17741
 - CVE-2017-1000407
src:
  5:
   core:
     - kernel-tmb-4.4.111-1.mga5
description: |
  This kernel-tmb update is based on the upstream 4.4.111 and and fixes
  several security issues.

  The most important fix in this update is for the security issue named
  "Meltdown" that is fixed in theese kernels by enabling kernel Page
  Table Isolation (KTPI). Note that according to AMD, this issue does
  not effect Amd processors, so it is not enabled by default on systems
  using Amd CPU.

  The list of known security fixes and mitigations in this kernel:

  kvm: vmx: Scrub hardware GPRs at VM-exit. This enables partial mitigation
  in kvm for the security issue named "Spectre" (CVE 2017-5715, CVE 2017-5753).

  Systems with microprocessors utilizing speculative execution and indirect
  branch prediction may allow unauthorized disclosure of information to an
  attacker with local user access via a side-channel analysis of the data
  cache (CVE-2017-5754, "MeltDown").

  A use-after-free vulnerability was found in network namespaces code
  affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id()
  in net/core/net_namespace.c does not check for the net::count value after
  it has found a peer network in netns_ids idr, which could lead to double
  free and memory corruption. This vulnerability could allow an unprivileged
  local user to induce kernel memory corruption on the system, leading to a
  crash. Due to the nature of the flaw, privilege escalation cannot be fully
  ruled out, although it is thought to be unlikely (CVE-2017-15129).

  The KVM implementation in the Linux kernel through 4.14.7 allows attackers
  to obtain potentially sensitive information from kernel memory, aka a
  write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c
  and include/trace/events/kvm.h (CVE-2017-17741).

  The Linux Kernel 2.6.32 and later are affected by a denial of service, by
  flooding the diagnostic port 0x80 an exception can be triggered leading
  to a kernel panic (CVE-2017-1000407).

  The kernels are also fixed to allow loading cpu microcode for Amd
  family 17 (Zen) processors.

  For more info about Meltdown, Spectre and other fixes in this update,
  see the refences.
  references:
 - https://bugs.mageia.org/show_bug.cgi?id=22332
 - https://meltdownattack.com/
 - https://googleprojectzero.blogspot.fi/2018/01/reading-privileged-memory-with-side.html
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.106
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.107
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.108
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.109
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.110
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.111

Keywords: (none) => advisory

Thomas Backlund 2018-01-13 14:54:47 CET

Whiteboard: (none) => MGA5-64-OK, MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2018-01-13 15:29:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0074.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED