Bug 12518 - Update request: kernel-linus-3.10.28-1.mga3
Summary: Update request: kernel-linus-3.10.28-1.mga3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-02-02 14:42 CET by Thomas Backlund
Modified: 2014-02-10 21:26 CET

See Also:
Source RPM: kernel-linus-3.10.28-1.mga3
CVE:
Status comment:



Description Thomas Backlund 2014-02-02 14:42:01 CET
Now this is mostly for squashing the recently announced critical:

x86, x32: Correct invalid use of user timespec in the kernel (CVE-2014-0038)

but it also updates to 3.10.28 to squash a few more less critical security issues and other bugfixes like some laptop overheating reported by some with the 3.10.24 kernel.

I will write a better advisory tomorrow, but so you can start testing:

SRPMS:
kernel-linus-3.10.28-1.mga3.src.rpm


i586:
kernel-linus-3.10.28-1.mga3-1-1.mga3.i586.rpm
kernel-linus-devel-3.10.28-1.mga3-1-1.mga3.i586.rpm
kernel-linus-devel-latest-3.10.28-1.mga3.i586.rpm
kernel-linus-doc-3.10.28-1.mga3.noarch.rpm
kernel-linus-latest-3.10.28-1.mga3.i586.rpm
kernel-linus-source-3.10.28-1.mga3-1-1.mga3.noarch.rpm
kernel-linus-source-latest-3.10.28-1.mga3.noarch.rpm


x86_64:
kernel-linus-3.10.28-1.mga3-1-1.mga3.x86_64.rpm
kernel-linus-devel-3.10.28-1.mga3-1-1.mga3.x86_64.rpm
kernel-linus-devel-latest-3.10.28-1.mga3.x86_64.rpm
kernel-linus-doc-3.10.28-1.mga3.noarch.rpm
kernel-linus-latest-3.10.28-1.mga3.x86_64.rpm
kernel-linus-source-3.10.28-1.mga3-1-1.mga3.noarch.rpm
kernel-linus-source-latest-3.10.28-1.mga3.noarch.rpm


Comment 1 claire robinson 2014-02-06 13:56:55 CET
When testing these alternative kernels (-linus, -rt, -tmb) it is necessary to use the dkms driver packages, dkms-nvidia* and dkms-fglrx etc. rather than the pre-built kmod packages such as nvidia-current-kernel-desktop-latest.

Pre-built kmod packages only support the specific kernel they are built for, which forms part of the package name.

Dkms packages actually build the driver on the next boot for whichever kernel you are using. It means the first boot after installing the new kernel will take longer than expected. Allow it to complete, normally a minute or couple of minutes, depending on your hardware. You can see it building if you remove "splash quiet" options from the kernel command line or press escape as it boots so you can see the text. It shows and a series of dots ". . . . ."
Comment 2 claire robinson 2014-02-06 18:59:52 CET
This one isn't booting to X for me currently. I'll investigate later.

P4 nvidia-current ivtv
Comment 3 Thomas Backlund 2014-02-06 19:23:24 CET
Note that the advisory for this kernel-linus update is longer than others as we usually wait for CVE fixes to land in upstream released -stable.

Advisory:
  This kernel update provides an update to the 3.10 longterm branch,
  currently 3.10.28 and fixes the following security issues:

  The ath9k_htc_set_bssid_mask function in 
  drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through
  3.12 uses a BSSID masking approach to determine the set of MAC addresses
  on which a Wi-Fi device is listening, which allows remote attackers to
  discover the original MAC address after spoofing by sending a series of
  packets to MAC addresses with certain bit manipulations. (CVE-2013-4579)

  Array index error in the kvm_vm_ioctl_create_vcpu function in 
  virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through
  3.12.5 allows local users to gain privileges via a large id value
  (CVE-2013-4587)

  The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem
  in the Linux kernel through 3.12.5 allows guest OS users to cause a denial
  of service (divide-by-zero error and host OS crash) via crafted
  modifications of the TMICT value. (CVE-2013-6367)

  The KVM subsystem in the Linux kernel through 3.12.5 allows local users to
  gain privileges or cause a denial of service (system crash) via a VAPIC
  synchronization operation involving a page-end address.  (CVE-2013-6368)

  The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM
  subsystem  in the Linux kernel through 3.12.5 allows guest OS users to
  cause a denial of service (host OS crash) via a crafted ICR write
  operation in x2apic mode. (CVE-2013-6376)

  Multiple buffer underflows in the XFS implementation in the Linux kernel
  through 3.12.1 allow local users to cause a denial of service (memory
  corruption) or possibly have unspecified other impact by leveraging the
  CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2)
  XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value,
  related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c
  and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.
  (CVE-2013-6382)

  Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called
  from code using the x32 ABI. An unprivileged local user could exploit this
  flaw to cause a denial of service (system crash) or gain administrator
  privileges (CVE-2014-0038)

  Faults during task-switch due to unhandled FPU-exceptions allow to
  kill processes at random on all affected kernels, resulting in local
  DOS in the end. On some architectures, privilege escalation under
  non-common circumstances is possible. (CVE-2014-1438)

  The hamradio yam_ioctl() code fails to initialise the cmd field of the
  struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446)

  Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK)
  support for IRC protocol(NF_NAT_IRC), is vulnerable to an information
  leakage flaw. It could occur when communicating over direct
  client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel
  attempts to mangle IRC TCP packet's content, wherein an uninitialised
  'buffer' object is copied to a socket buffer and sent over to the other
  end of a connection. (CVE-2014-1690)

  For other changes, see the referenced changelogs:


References:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.25
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.26
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.27
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.28
Comment 4 claire robinson 2014-02-07 14:06:06 CET
Confirmed the issue with this one.

I booted back into kernel-desktop586 and removed this kernel, leaving linus 3.24 installed from updates.

I then removed dkms-nvidia-current to work around some leftovers from other kernels ( bug 10771 ) and rebooted, then reinstalled it again and rebooted into the current linus, 3.24.

So it was a clean environment to test again.

After installing the update candidate with its devel from their respective -latest packages, nvidia was built so rebooted finally into the new kernel.

It reaches multi-user target and 'graphical interface' with no X and hasn't loaded either nvidia or nouveau modules.

Xorg.0.log shows failed to load nvidia driver and unloaded it. It ends with No screens found.

The journal shows..

kernel: nvidia: no symbol version for module_layout

Whiteboard: (none) => feedback

Comment 5 claire robinson 2014-02-07 14:06:48 CET
3.10.24 rather than 3.24. Forgot the 10.
Comment 6 Thomas Backlund 2014-02-07 14:31:10 CET
Hm, that should not happen.

do you have kernel-linus-source installed ?

what is the output of:

ls -l /lib/modules/3.10.28-1.mga3/
Comment 7 claire robinson 2014-02-07 14:59:54 CET
Ahh that might explain it. I have kernel-source but not kernel-linus-source.

I'll try it again.
Comment 8 Mageia Robot 2014-02-07 18:41:02 CET
commit a14f5e346a90094db1a2ceb4043b1a18fec8e90a
Author: Thomas Backlund <tmb@...>
Date:   Fri Feb 7 19:37:59 2014 +0200

    - nuke create_link_source(), as we haven't supported building against
      an unprepared source for ages, and currently can also create wrong
      symlinks when kernel-source is installed before for example
      kernel-linus as found out during QA for mga#12518 and debugging
      the issue on irc
---
 Commit Link:
   http://gitweb.mageia.org/software/drakx/commit/?id=a14f5e346a90094db1a2ceb4043b1a18fec8e90a
Comment 9 Thomas Backlund 2014-02-07 20:09:40 CET
I reproduced the kernel-linus thing, and it only happens if kernel-source is installed before kernel-linus and they both have exactly the same version & release

I don't want to delay the kernels for it as they carry the fix for CVE-2014-0038, and almost no enduser will hit it, considering how old the drakx code is

next kernel update (whenever it happens) will have a fixed kernel-source to avoid it and drakx is fixed too in cauldron as seen in comment 8

I guess I'll queue the same drakx fix for mga3 & mga4
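
The failure discussed in comments 4 to 9 (a dkms driver built against the wrong or an unprepared tree) can be caught before rebooting by checking the build symlink under /lib/modules. This is an added example, not part of the original thread and not Mageia or drakx code; the sample directory names are constructed, and the Module.symvers check assumes the usual cause of the "no symbol version for module_layout" message.

```shell
#!/bin/sh
# Added example, not Mageia/drakx code: check the tree dkms will build against.

# check_build_link MODULES_ROOT KVER -> returns 0 if usable, 1 otherwise
check_build_link() {
    link="$1/$2/build"
    [ -L "$link" ] || { echo "FAIL $2: $link is not a symlink"; return 1; }
    tree=$(readlink -f "$link") || tree=""
    [ -d "$tree" ] || { echo "FAIL $2: $link is dangling"; return 1; }
    # A prepared tree records the kernel release it was configured for.
    rel="$tree/include/config/kernel.release"
    [ -f "$rel" ] || { echo "FAIL $2: build tree is not prepared"; return 1; }
    got=$(cat "$rel")
    [ "$got" = "$2" ] || { echo "FAIL $2: build tree is for $got"; return 1; }
    # Assumption: without Module.symvers an external module gets no symbol CRCs.
    [ -f "$tree/Module.symvers" ] || { echo "FAIL $2: no Module.symvers"; return 1; }
    echo "OK   $2: build -> $tree"
}

# Constructed sample layout; all directory names here are hypothetical.
make_sample() {
    d=$1; k=3.10.28-1.mga3
    mkdir -p "$d/src/devel/include/config" "$d/src/old-devel/include/config" \
             "$d/src/plain-source" \
             "$d/good/$k" "$d/unprepared/$k" "$d/mismatch/$k"
    echo "$k" > "$d/src/devel/include/config/kernel.release"
    echo 3.10.24-1.mga3 > "$d/src/old-devel/include/config/kernel.release"
    : > "$d/src/devel/Module.symvers"
    : > "$d/src/old-devel/Module.symvers"
    ln -s "$d/src/devel" "$d/good/$k/build"
    ln -s "$d/src/plain-source" "$d/unprepared/$k/build"
    ln -s "$d/src/old-devel" "$d/mismatch/$k/build"
}

# Demo on the constructed layout: one good link and two broken ones.
tmp=$(mktemp -d)
make_sample "$tmp"
for c in good unprepared mismatch; do
    check_build_link "$tmp/$c" 3.10.28-1.mga3 || true
done
rm -rf "$tmp"
```

On an installed system the equivalent call is check_build_link /lib/modules 3.10.28-1.mga3.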
Samuel Verschelde 2014-02-09 02:32:47 CET

CC: (none) => stormi
Whiteboard: feedback => (none)

Comment 10 Bill Wilkinson 2014-02-09 15:48:54 CET
mga3-64 boots normally and builds nvidia modules.

Will OK by evening (US East coast) if no other testers.

CC: (none) => wrw105

Comment 11 Samuel Verschelde 2014-02-10 14:30:05 CET
oking, still needs advisory upload.

Whiteboard: (none) => MGA3-64-OK MGA3-32-OK

Comment 12 claire robinson 2014-02-10 15:30:05 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2014-02-10 15:43:16 CET

Whiteboard: MGA3-64-OK MGA3-32-OK => advisory MGA3-64-OK MGA3-32-OK

Comment 13 Thomas Backlund 2014-02-10 21:26:28 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0043.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Source RPM: kernel-linus-3.10.28-1.mga3.src.rpm => kernel-linus-3.10.28-1.mga3

