| Summary: | Update request: kernel-4.14.119-1.mga6 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thomas Backlund <tmb> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | High | CC: | andrewsfarm, brtians1, davidwhodgins, fri, jim, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK, MGA6-32-OK | ||
| Source RPM: | kernel | CVE: | |
| Status comment: | |||
| Bug Depends on: | 24800 | ||
| Bug Blocks: | |||
Description
Thomas Backlund
2019-05-15 00:48:11 CEST
Advisory, also added to svn:
type: security
subject: Updated kernel packages fix security vulnerability
CVE:
- CVE-2018-12126
- CVE-2018-12127
- CVE-2018-12130
- CVE-2019-11091
src:
6:
core:
- kernel-4.14.119-1.mga6
- kernel-userspace-headers-4.14.119-1.mga6
- kmod-vboxadditions-6.0.6-3.mga6
- kmod-virtualbox-6.0.6-3.mga6
- kmod-xtables-addons-2.13-85.mga6
description: |
This kernel update provides the upstream 4.14.119 that adds the kernel side
mitigations for the Microarchitectural Data Sampling (MDS, also called
ZombieLoad attack) vulnerabilities in Intel processors that can allow
attackers to retrieve data being processed inside a CPU. To complete the
mitigations, new microcode is also needed, either by installing the
microcode-0.20190514-1.mga6 package or by getting updated BIOS / UEFI
firmware from the motherboard vendor.
The fixed / mitigated issues are:
Modern Intel microprocessors implement hardware-level micro-optimizations
to improve the performance of writing data back to CPU caches. The write
operation is split into STA (STore Address) and STD (STore Data)
sub-operations. These sub-operations allow the processor to hand-off
address generation logic into these sub-operations for optimized writes.
Both of these sub-operations write to a shared distributed processor
structure called the 'processor store buffer'. As a result, an
unprivileged attacker could use this flaw to read private data resident
within the CPU's processor store buffer. (CVE-2018-12126)
Microprocessors use a ‘load port’ subcomponent to perform load operations
from memory or IO. During a load operation, the load port receives data
from the memory or IO subsystem and then provides the data to the CPU
registers and operations in the CPU’s pipelines. Stale load operation
results are stored in the 'load port' table until they are overwritten by
newer operations. Certain load-port operations triggered by an attacker can be
used to reveal data about previous stale requests leaking data back to the
attacker via a timing side-channel. (CVE-2018-12127)
A flaw was found in the implementation of the "fill buffer", a mechanism
used by modern CPUs when a cache miss occurs in the L1 CPU cache. If an
attacker can generate a load operation that would create a page fault,
execution continues speculatively with incorrect data from the fill
buffer while the data is fetched from higher level caches. The response
time can be measured to infer data in the fill buffer.
(CVE-2018-12130)
Uncacheable memory on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable information disclosure
via a side channel with local access. (CVE-2019-11091)
references:
- https://bugs.mageia.org/show_bug.cgi?id=24820
- https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.117
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.118
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.119

Keywords: (none) => advisory
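The advisory leaves two things to verify after the reboot: that the kernel half of the mitigation is present and that the microcode half completes it. The script below is an added example (my own, not part of the Mageia bug, the advisory or the kernel) that reads the kernel's verdict from /sys/devices/system/cpu/vulnerabilities/mds, using the status strings documented in the mds.html reference listed above, and checks /proc/cpuinfo for the md_clear flag that MD_CLEAR-capable microcode exposes and for the loaded microcode revision. Every function takes an optional file path so it can also be run against saved copies of those files; the function names and the MDS_STATUS variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the Mageia advisory or bug: check on a running
# system that the MDS mitigation is complete, i.e. that both halves (a kernel
# with the 4.14.119 patches and MD_CLEAR-capable microcode) are in place.
# Status strings are the ones listed in admin-guide/hw-vuln/mds.html.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Classify the kernel's own verdict.
# Prints one of: complete | needs-microcode | unmitigated | not-affected | unknown
mds_state() {
    f="${1:-$MDS_SYSFS}"
    # A kernel without the MDS patches (4.14.118 and earlier, or a non-x86
    # build) has no such file at all: it cannot report, so say so.
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)                         echo complete ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo needs-microcode ;;
        Vulnerable*)                                              echo unmitigated ;;
        *)                                                        echo unknown ;;
    esac
}

# True when the sysfs file carries "; SMT vulnerable": buffer clearing only
# protects across privilege switches, not against a sibling hyperthread.
mds_smt_vulnerable() {
    f="${1:-$MDS_SYSFS}"
    [ -r "$f" ] && grep -q 'SMT vulnerable' "$f"
}

# True when the loaded microcode advertises MD_CLEAR, which a patched kernel
# shows as the "md_clear" flag in /proc/cpuinfo. New microcode (the package or
# a BIOS/UEFI update) is what "complete the mitigations" in the advisory means.
has_md_clear() {
    f="${1:-/proc/cpuinfo}"
    grep -m1 '^flags' "$f" 2>/dev/null | grep -qw md_clear
}

# Loaded microcode revision as the kernel prints it (0xcc in the dmesg output
# quoted in the test reports), or "?" when it cannot be read.
microcode_rev() {
    f="${1:-/proc/cpuinfo}"
    rev=$(grep -m1 '^microcode' "$f" 2>/dev/null | sed 's/.*: *//')
    echo "${rev:-?}"
}

# One-line verdict; exit status 0 only when nothing is left to do.
mds_report() {
    sysfs="${1:-$MDS_SYSFS}"; cpuinfo="${2:-/proc/cpuinfo}"
    rev=$(microcode_rev "$cpuinfo")
    case "$(mds_state "$sysfs")" in
        not-affected)
            echo "MDS: CPU not affected"; return 0 ;;
        complete)
            if mds_smt_vulnerable "$sysfs"; then
                echo "MDS: mitigated (microcode $rev), but SMT is on: a sibling thread can still sample"
            else
                echo "MDS: mitigated (microcode $rev)"
            fi
            return 0 ;;
        needs-microcode)
            echo "MDS: kernel side present, microcode $rev lacks MD_CLEAR: install the microcode package or a BIOS/UEFI update"
            return 1 ;;
        unmitigated)
            if has_md_clear "$cpuinfo"; then
                echo "MDS: vulnerable although microcode $rev has MD_CLEAR: mitigation disabled (check mds= on the kernel command line)"
            else
                echo "MDS: vulnerable, mitigation disabled and microcode $rev lacks MD_CLEAR"
            fi
            return 1 ;;
        *)
            echo "MDS: this kernel cannot report (older than 4.14.119 or not x86)"
            return 1 ;;
    esac
}

# Run against the live system; the verdict's exit status is kept in MDS_STATUS
# so a caller running under set -e is not aborted by a failing verdict.
if mds_report; then MDS_STATUS=0; else MDS_STATUS=1; fi
```

Run as a script it prints the verdict for the live system and leaves the result in MDS_STATUS. On the hyperthreaded machines in the test reports below the "SMT is on" form is the expected output even with microcode 0xcc loaded, because, as mds.html explains, clearing the CPU buffers on privilege transitions does nothing against a sibling thread running concurrently; only disabling SMT closes that path.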
Thomas Backlund
2019-05-15 01:01:26 CEST
Depends on: (none) => 24800

Ok on my x86_64 Mageia 6 system with an amd cpu and vb guests on that system, both i586 and x86_64 Mageia 6 guests.
CC: (none) => davidwhodgins

Physical hardware amd x2-3800, nvidia, uses nouveau (mate)
The following 5 packages are going to be installed:
- cpupower-4.14.119-1.mga6.i586
- cpupower-devel-4.14.119-1.mga6.i586
- kernel-desktop-4.14.119-1.mga6-1-1.mga6.i586
- kernel-desktop-latest-4.14.119-1.mga6.i586
- microcode-0.20190514-1.mga6.nonfree.noarch
58MB of additional disk space will be used.
-- rebooted
$ uname -a
Linux localhost 4.14.119-desktop-1.mga6 #1 SMP Tue May 14 21:13:26 UTC 2019 i686 i686 i686 GNU/Linux
browser works, pluma works, this machine runs as a samba and web server
Samba working
Apache working
CC: (none) => brtians1

Physical hardware: laptop toshiba 640, Intel i3-2100 (running gnome).
The following 4 packages are going to be installed:
- cpupower-4.14.119-1.mga6.x86_64
- kernel-desktop-4.14.119-1.mga6-1-1.mga6.x86_64
- kernel-desktop-latest-4.14.119-1.mga6.x86_64
- microcode-0.20190514-1.mga6.nonfree.noarch
Rebooted
$ uname -a
Linux localhost.localdomain 4.14.119-desktop-1.mga6 #1 SMP Tue May 14 19:26:16 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
samba client working, browser working, wifi working, rhythmbox working, closing lid for sleep mode works. Working as designed.

Athlon X2 7750, 8GB RAM, Geforce 210 (nvidia340) graphics, Atheros wifi, 64-bit Plasma system.
The following 8 packages are going to be installed:
- cpupower-4.14.119-1.mga6.x86_64
- kernel-desktop-4.14.119-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-4.14.119-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-latest-4.14.119-1.mga6.x86_64
- kernel-desktop-latest-4.14.119-1.mga6.x86_64
- microcode-0.20190312-1.mga6.nonfree.noarch
- virtualbox-kernel-4.14.119-desktop-1.mga6-6.0.6-3.mga6.x86_64
- virtualbox-kernel-desktop-latest-6.0.6-3.mga6.x86_64
Packages installed cleanly, nvidia module apparently built. Rebooted to a working desktop. Tried a few apps.
Quick-and-dirty assessment: It's OK here.
CC: (none) => andrewsfarm

x86_64 UEFI, Intel Core i7-4790 (-HT-MCP-) NVIDIA GM204 [GeForce GTX 970] - nvidia 590.87
Desktop kernel installed cleanly and rebooted to Mate OK. Bluetooth connection working without any configuration. Free-to-air TV working. NFS shares established. stress tests passed. 32-bit mga5 GNOME classic launched in virtualbox.
CC: (none) => tarazed25

mga6-64, i7, Nvidia GPU and driver, Plasma
Have been using it about five hours work, no issues seen; Thunderbird, LibreOffice6, video incl audio in Firefox, VirtualBox running MSW7 incl USB2 flash stick and windowsupdate, all mentioned activities open while concurrently all cores used by BOINC. Smooth installation and reboot. This system also updates all installed to testing.
$ uname -a
Linux svarten 4.14.119-desktop-1.mga6 #1 SMP Tue May 14 19:26:16 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Hardware: i7-2600K, Nvidia GTX760 (GK104) using proprietary driver GeForce 420 and later, with CUDA & OpenCL detected OK in BOINC (but not used), / & /home & swap in LVM on LUKS on SSD
CC: (none) => fri

Installed the desktop kernel on a Skylake machine.
Deca core Intel Core i9-7900X (-HT-MCP-) NVIDIA GP102 [GeForce GTX 1080 Ti] - nvidia 390.87
Probably redundant:
# drakboot --boot
Rebooted to Mate, NFS shares mounted. TV working via an antenna and USB DVB-T2 adapter. Stress tests ran to completion. Tried several applications - no regressions noted.

on mga6-64 kernel-desktop plasma
packages installed cleanly:
- cpupower-4.14.119-1.mga6.x86_64
- kernel-desktop-4.14.119-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-4.14.119-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-latest-4.14.119-1.mga6.x86_64
- kernel-desktop-latest-4.14.119-1.mga6.x86_64
- kernel-userspace-headers-4.14.119-1.mga6.x86_64
- microcode-0.20190514-1.mga6.nonfree.noarch
- virtualbox-kernel-4.14.119-desktop-1.mga6-6.0.6-3.mga6.x86_64
- virtualbox-kernel-desktop-latest-6.0.6-3.mga6.x86_64
system rebooted normally:
$ uname -r
4.14.119-desktop-1.mga6
$ dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xcc, date = 2019-04-01
[ 0.543372] microcode: sig=0x506e3, pf=0x2, revision=0xcc
[ 0.543640] microcode: Microcode Update Driver: v2.2.
# dkms status
virtualbox, 6.0.6-1.mga6, 4.14.119-desktop-1.mga6, x86_64: installed
virtualbox, 6.0.6-1.mga6, 4.14.119-desktop-1.mga6, x86_64: installed-binary from 4.14.119-desktop-1.mga6
(also updated to kernel-desktop-4.14.119-1 in 32 bit and 64 bit vbox clients)
no regressions noted
looks OK for mga6-64 on this system:
Machine: Device: desktop System: Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.12.0 date: 02/15/2019
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics: Card: Intel HD Graphics 530
CC: (none) => jim

Enough tests, flushing it out
Whiteboard: (none) => MGA6-64-OK, MGA6-32-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0174.html
Resolution: (none) => FIXED