Bug 14570 - Update request: kernel-3.14.24-1.mga4
Summary: Update request: kernel-3.14.24-1.mga4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks: 14469
Reported: 2014-11-16 10:54 CET by Thomas Backlund
Modified: 2014-11-21 13:45 CET

See Also:
Source RPM: kernel-3.14.24-1.mga4
CVE:
Status comment:



Description Thomas Backlund 2014-11-16 10:54:42 CET
Advisory:

This kernel update is based on upstream -longterm 3.14.24 and
fixes the following security issues:

The WRMSR processing functionality in the KVM subsystem in the Linux
kernel through 3.17.2 does not properly handle the writing of a non-
canonical address to a model-specific register, which allows guest OS
users to cause a denial of service (host OS crash) by leveraging guest
OS privileges, related to the wrmsr_interception function in
arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c
(CVE-2014-3610).

Race condition in the __kvm_migrate_pit_timer function in
arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through
3.17.2 allows guest OS users to cause a denial of service (host OS crash)
by leveraging incorrect PIT emulation (CVE-2014-3611).

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2
does not have an exit handler for the INVVPID instruction, which allows
guest OS users to cause a denial of service (guest OS crash) via a crafted
application (CVE-2014-3646).

arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through
3.17.2 does not properly perform RIP changes, which allows guest OS users
to cause a denial of service (guest OS crash) via a crafted application
(CVE-2014-3647).

Other changes:
Revert "drivers/net: Disable UFO through virtio" as it breaks VM migration
add ahci support for Intel Sunrise Point / Skylake
make INTEL_MEI modular (mga#14469)

For other upstream changes, read the referenced changelog.

References:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.24





SRPMS:
kernel-3.14.24-1.mga4.src.rpm
kernel-userspace-headers-3.14.24-1.mga4.src.rpm
kmod-vboxadditions-4.3.18-4.mga4.src.rpm
kmod-virtualbox-4.3.18-4.mga4.src.rpm
kmod-xtables-addons-2.5-7.mga4.src.rpm

kmod-broadcom-wl-6.30.223.141-42.mga4.nonfree.src.rpm
kmod-fglrx-14.010.1006-12.mga4.nonfree.src.rpm
kmod-nvidia173-173.14.39-27.mga4.nonfree.src.rpm
kmod-nvidia304-304.121-7.mga4.nonfree.src.rpm
kmod-nvidia-current-331.79-12.mga4.nonfree.src.rpm



i586:
cpupower-3.14.24-1.mga4.i586.rpm
cpupower-devel-3.14.24-1.mga4.i586.rpm
kernel-desktop-3.14.24-1.mga4-1-1.mga4.i586.rpm
kernel-desktop586-3.14.24-1.mga4-1-1.mga4.i586.rpm
kernel-desktop586-devel-3.14.24-1.mga4-1-1.mga4.i586.rpm
kernel-desktop586-devel-latest-3.14.24-1.mga4.i586.rpm
kernel-desktop586-latest-3.14.24-1.mga4.i586.rpm
kernel-desktop-devel-3.14.24-1.mga4-1-1.mga4.i586.rpm
kernel-desktop-devel-latest-3.14.24-1.mga4.i586.rpm
kernel-desktop-latest-3.14.24-1.mga4.i586.rpm
kernel-doc-3.14.24-1.mga4.noarch.rpm
kernel-server-3.14.24-1.mga4-1-1.mga4.i586.rpm
kernel-server-devel-3.14.24-1.mga4-1-1.mga4.i586.rpm
kernel-server-devel-latest-3.14.24-1.mga4.i586.rpm
kernel-server-latest-3.14.24-1.mga4.i586.rpm
kernel-source-3.14.24-1.mga4-1-1.mga4.noarch.rpm
kernel-source-latest-3.14.24-1.mga4.noarch.rpm
kernel-userspace-headers-3.14.24-1.mga4.i586.rpm
perf-3.14.24-1.mga4.i586.rpm

vboxadditions-kernel-3.14.24-desktop-1.mga4-4.3.18-4.mga4.i586.rpm
vboxadditions-kernel-3.14.24-desktop586-1.mga4-4.3.18-4.mga4.i586.rpm
vboxadditions-kernel-3.14.24-server-1.mga4-4.3.18-4.mga4.i586.rpm
vboxadditions-kernel-desktop586-latest-4.3.18-4.mga4.i586.rpm
vboxadditions-kernel-desktop-latest-4.3.18-4.mga4.i586.rpm
vboxadditions-kernel-server-latest-4.3.18-4.mga4.i586.rpm

virtualbox-kernel-3.14.24-desktop-1.mga4-4.3.18-4.mga4.i586.rpm
virtualbox-kernel-3.14.24-desktop586-1.mga4-4.3.18-4.mga4.i586.rpm
virtualbox-kernel-3.14.24-server-1.mga4-4.3.18-4.mga4.i586.rpm
virtualbox-kernel-desktop586-latest-4.3.18-4.mga4.i586.rpm
virtualbox-kernel-desktop-latest-4.3.18-4.mga4.i586.rpm
virtualbox-kernel-server-latest-4.3.18-4.mga4.i586.rpm

xtables-addons-kernel-3.14.24-desktop-1.mga4-2.5-7.mga4.i586.rpm
xtables-addons-kernel-3.14.24-desktop586-1.mga4-2.5-7.mga4.i586.rpm
xtables-addons-kernel-3.14.24-server-1.mga4-2.5-7.mga4.i586.rpm
xtables-addons-kernel-desktop586-latest-2.5-7.mga4.i586.rpm
xtables-addons-kernel-desktop-latest-2.5-7.mga4.i586.rpm
xtables-addons-kernel-server-latest-2.5-7.mga4.i586.rpm

broadcom-wl-kernel-3.14.24-desktop-1.mga4-6.30.223.141-42.mga4.nonfree.i586.rpm
broadcom-wl-kernel-3.14.24-desktop586-1.mga4-6.30.223.141-42.mga4.nonfree.i586.rpm
broadcom-wl-kernel-3.14.24-server-1.mga4-6.30.223.141-42.mga4.nonfree.i586.rpm
broadcom-wl-kernel-desktop586-latest-6.30.223.141-42.mga4.nonfree.i586.rpm
broadcom-wl-kernel-desktop-latest-6.30.223.141-42.mga4.nonfree.i586.rpm
broadcom-wl-kernel-server-latest-6.30.223.141-42.mga4.nonfree.i586.rpm

fglrx-kernel-3.14.24-desktop-1.mga4-14.010.1006-12.mga4.nonfree.i586.rpm
fglrx-kernel-3.14.24-desktop586-1.mga4-14.010.1006-12.mga4.nonfree.i586.rpm
fglrx-kernel-3.14.24-server-1.mga4-14.010.1006-12.mga4.nonfree.i586.rpm
fglrx-kernel-desktop586-latest-14.010.1006-12.mga4.nonfree.i586.rpm
fglrx-kernel-desktop-latest-14.010.1006-12.mga4.nonfree.i586.rpm
fglrx-kernel-server-latest-14.010.1006-12.mga4.nonfree.i586.rpm

nvidia173-kernel-3.14.24-desktop-1.mga4-173.14.39-27.mga4.nonfree.i586.rpm
nvidia173-kernel-3.14.24-desktop586-1.mga4-173.14.39-27.mga4.nonfree.i586.rpm
nvidia173-kernel-3.14.24-server-1.mga4-173.14.39-27.mga4.nonfree.i586.rpm
nvidia173-kernel-desktop586-latest-173.14.39-27.mga4.nonfree.i586.rpm
nvidia173-kernel-desktop-latest-173.14.39-27.mga4.nonfree.i586.rpm
nvidia173-kernel-server-latest-173.14.39-27.mga4.nonfree.i586.rpm

nvidia304-kernel-3.14.24-desktop-1.mga4-304.121-7.mga4.nonfree.i586.rpm
nvidia304-kernel-3.14.24-desktop586-1.mga4-304.121-7.mga4.nonfree.i586.rpm
nvidia304-kernel-3.14.24-server-1.mga4-304.121-7.mga4.nonfree.i586.rpm
nvidia304-kernel-desktop586-latest-304.121-7.mga4.nonfree.i586.rpm
nvidia304-kernel-desktop-latest-304.121-7.mga4.nonfree.i586.rpm
nvidia304-kernel-server-latest-304.121-7.mga4.nonfree.i586.rpm

nvidia-current-kernel-3.14.24-desktop-1.mga4-331.79-12.mga4.nonfree.i586.rpm
nvidia-current-kernel-3.14.24-desktop586-1.mga4-331.79-12.mga4.nonfree.i586.rpm
nvidia-current-kernel-3.14.24-server-1.mga4-331.79-12.mga4.nonfree.i586.rpm
nvidia-current-kernel-desktop586-latest-331.79-12.mga4.nonfree.i586.rpm
nvidia-current-kernel-desktop-latest-331.79-12.mga4.nonfree.i586.rpm
nvidia-current-kernel-server-latest-331.79-12.mga4.nonfree.i586.rpm



x86_64:
cpupower-3.14.24-1.mga4.x86_64.rpm
cpupower-devel-3.14.24-1.mga4.x86_64.rpm
kernel-desktop-3.14.24-1.mga4-1-1.mga4.x86_64.rpm
kernel-desktop-devel-3.14.24-1.mga4-1-1.mga4.x86_64.rpm
kernel-desktop-devel-latest-3.14.24-1.mga4.x86_64.rpm
kernel-desktop-latest-3.14.24-1.mga4.x86_64.rpm
kernel-doc-3.14.24-1.mga4.noarch.rpm
kernel-server-3.14.24-1.mga4-1-1.mga4.x86_64.rpm
kernel-server-devel-3.14.24-1.mga4-1-1.mga4.x86_64.rpm
kernel-server-devel-latest-3.14.24-1.mga4.x86_64.rpm
kernel-server-latest-3.14.24-1.mga4.x86_64.rpm
kernel-source-3.14.24-1.mga4-1-1.mga4.noarch.rpm
kernel-source-latest-3.14.24-1.mga4.noarch.rpm
kernel-userspace-headers-3.14.24-1.mga4.x86_64.rpm
perf-3.14.24-1.mga4.x86_64.rpm

vboxadditions-kernel-3.14.24-desktop-1.mga4-4.3.18-4.mga4.x86_64.rpm
vboxadditions-kernel-3.14.24-server-1.mga4-4.3.18-4.mga4.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.3.18-4.mga4.x86_64.rpm
vboxadditions-kernel-server-latest-4.3.18-4.mga4.x86_64.rpm

virtualbox-kernel-3.14.24-desktop-1.mga4-4.3.18-4.mga4.x86_64.rpm
virtualbox-kernel-3.14.24-server-1.mga4-4.3.18-4.mga4.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.18-4.mga4.x86_64.rpm
virtualbox-kernel-server-latest-4.3.18-4.mga4.x86_64.rpm

xtables-addons-kernel-3.14.24-desktop-1.mga4-2.5-7.mga4.x86_64.rpm
xtables-addons-kernel-3.14.24-server-1.mga4-2.5-7.mga4.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.5-7.mga4.x86_64.rpm
xtables-addons-kernel-server-latest-2.5-7.mga4.x86_64.rpm

broadcom-wl-kernel-3.14.24-desktop-1.mga4-6.30.223.141-42.mga4.nonfree.x86_64.rpm
broadcom-wl-kernel-3.14.24-server-1.mga4-6.30.223.141-42.mga4.nonfree.x86_64.rpm
broadcom-wl-kernel-desktop-latest-6.30.223.141-42.mga4.nonfree.x86_64.rpm
broadcom-wl-kernel-server-latest-6.30.223.141-42.mga4.nonfree.x86_64.rpm

fglrx-kernel-3.14.24-desktop-1.mga4-14.010.1006-12.mga4.nonfree.x86_64.rpm
fglrx-kernel-3.14.24-server-1.mga4-14.010.1006-12.mga4.nonfree.x86_64.rpm
fglrx-kernel-desktop-latest-14.010.1006-12.mga4.nonfree.x86_64.rpm
fglrx-kernel-server-latest-14.010.1006-12.mga4.nonfree.x86_64.rpm

nvidia173-kernel-3.14.24-desktop-1.mga4-173.14.39-27.mga4.nonfree.x86_64.rpm
nvidia173-kernel-3.14.24-server-1.mga4-173.14.39-27.mga4.nonfree.x86_64.rpm
nvidia173-kernel-desktop-latest-173.14.39-27.mga4.nonfree.x86_64.rpm
nvidia173-kernel-server-latest-173.14.39-27.mga4.nonfree.x86_64.rpm

nvidia304-kernel-3.14.24-desktop-1.mga4-304.121-7.mga4.nonfree.x86_64.rpm
nvidia304-kernel-3.14.24-server-1.mga4-304.121-7.mga4.nonfree.x86_64.rpm
nvidia304-kernel-desktop-latest-304.121-7.mga4.nonfree.x86_64.rpm
nvidia304-kernel-server-latest-304.121-7.mga4.nonfree.x86_64.rpm

nvidia-current-kernel-3.14.24-desktop-1.mga4-331.79-12.mga4.nonfree.x86_64.rpm
nvidia-current-kernel-3.14.24-server-1.mga4-331.79-12.mga4.nonfree.x86_64.rpm
nvidia-current-kernel-desktop-latest-331.79-12.mga4.nonfree.x86_64.rpm
nvidia-current-kernel-server-latest-331.79-12.mga4.nonfree.x86_64.rpm


Thomas Backlund 2014-11-16 10:56:10 CET

Blocks: (none) => 14469
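
An added illustration of the check behind CVE-2014-3610 as described in the advisory above (not code from this bug report or from the kernel patch): a simplified C model of a guest WRMSR path that refuses non-canonical values for address-holding MSRs. The function names, the selection of MSRs and the 48-bit linear address width are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86-64 MSRs whose value is a linear address. */
#define MSR_LSTAR          0xc0000082u
#define MSR_CSTAR          0xc0000083u
#define MSR_FS_BASE        0xc0000100u
#define MSR_GS_BASE        0xc0000101u
#define MSR_KERNEL_GS_BASE 0xc0000102u

/* With 48-bit linear addresses (assumed here), an address is canonical
 * when bits 63..47 are all zero or all one. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* the 17 bits that must agree */
    return top == 0 || top == 0x1ffff;
}

static bool msr_holds_address(uint32_t msr)
{
    switch (msr) {
    case MSR_LSTAR: case MSR_CSTAR:
    case MSR_FS_BASE: case MSR_GS_BASE: case MSR_KERNEL_GS_BASE:
        return true;
    default:
        return false;
    }
}

/* Hypothetical model of a hypervisor's guest-WRMSR handler: returns 0 to
 * accept the write, 1 when the caller should inject #GP into the guest
 * rather than load the value into a host register. */
static int validate_guest_wrmsr(uint32_t msr, uint64_t value)
{
    return (msr_holds_address(msr) && !is_canonical(value)) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample writes, not taken from any real guest. */
    const struct { uint32_t msr; uint64_t val; } w[] = {
        { MSR_LSTAR,   0xffffffff81000000ull },  /* canonical, high half */
        { MSR_FS_BASE, 0x00007fffffffffffull },  /* canonical, low half  */
        { MSR_GS_BASE, 0x0000800000000000ull },  /* non-canonical        */
    };
    for (int i = 0; i < (int)(sizeof w / sizeof w[0]); i++)
        printf("msr 0x%08x <- 0x%016llx: %s\n", (unsigned)w[i].msr,
               (unsigned long long)w[i].val,
               validate_guest_wrmsr(w[i].msr, w[i].val) ? "#GP" : "ok");
    return 0;
}
```
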

Comment 1 Simon Rowe 2014-11-17 21:27:18 CET
Change for mga#14469 tested and confirmed to work.

CC: (none) => srowe

Comment 2 Marja Van Waes 2014-11-17 22:18:05 CET
Tested on https://wiki.mageia.org/en/User:Marja/QA/Hardware#Lenovo_ThinkPad_SL510

Updated the following packages to the mentioned versions

cpupower-3.14.24-1.mga4.x86_64
kernel-desktop-3.14.24-1.mga4-1-1.mga4.x86_64
kernel-desktop-latest-3.14.24-1.mga4.x86_64
kernel-userspace-headers-3.14.24-1.mga4.x86_64

After reboot everything works as expected, including wlan, watching a movie, running some commands, both in konsole and in a text tty.
The only odd thing I noticed (but *not* caused by this upgrade, I see it has never been different since the logs start on June 15th) is that cpupower.service failed.

CC: (none) => marja11

Comment 3 David Walser 2014-11-17 22:25:01 CET
Thanks for the tests Marja.  I thought it had been fixed by tmb in one of the last couple kernel updates, but if cpupower still fails, check /etc/sysconfig/cpupower and make sure the governor it's setting (the last word in each line) is one of the available cpufreq governors you see when you run "cpupower frequency-info"
Comment 4 Marja Van Waes 2014-11-17 22:51:09 CET
(In reply to David Walser from comment #3)
> Thanks for the tests Marja.  I thought it had been fixed by tmb in one of
> the last couple kernel updates, but if cpupower still fails, check
> /etc/sysconfig/cpupower and make sure the governor it's setting (the last
> word in each line) is one of the available cpufreq governors you see when
> you run "cpupower frequency-info"

Well, maybe it is fixed but fails here for a different reason. I just saw I have the same issue on that laptop with cauldron, your command in cauldron gives:

[root@DenkBlok2 marja]# cpupower frequency-info
analyzing CPU 0:                                                                
  no or unknown cpufreq driver is active on this CPU                            
  boost state support:                                                          
    Supported: no                                                               
    Active: no                                                                  
[root@DenkBlok2 marja]#
Comment 5 David Walser 2014-11-17 22:57:48 CET
Oh I see, so you don't even have any of the cpufreq modules loaded.  The installer created a /etc/modprobe.preload.d/cpufreq file for me with this in it:
acpi-cpufreq
cpufreq_powersave
cpufreq_conservative
cpufreq_ondemand

So, having something similar should work for you (or modprobing those modules).
Comment 6 Marja Van Waes 2014-11-17 23:17:20 CET
(In reply to David Walser from comment #5)
> Oh I see, so you don't even have any of the cpufreq modules loaded.  The
> installer created a /etc/modprobe.preload.d/cpufreq file for me with this in
> it:

I don't have any files in /etc/modeprobe.preload.d/ on any of my installs on this laptop (one 5beta1, one cauldron that started a year ago, and one Mageia 4 )

I'll google what modprobing is.
Comment 7 David Walser 2014-11-18 01:06:26 CET
Tested fine with kernel-desktop in Virtualbox, on my older PogoLinux machine at home, and on my Dell Inspiron 600m laptop, and with kernel-server in VMWare, my newer PogoLinux machine at home, a Dell Optiplex 990 workstation and a Dell PowerEdge R610 server at work.  All Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 8 Herman Viaene 2014-11-18 12:19:20 CET
Mageia 4 64-bit on real HW AMD Phenom Quadcore.
Opened a USB stick, a site with video, all OK.
After installing the cpufreqd package, the command
"cpupower -c all frequency-info"
returned a bunch of info, looks good.

CC: (none) => herman.viaene

Comment 9 David Walser 2014-11-18 18:43:20 CET
Validating now.

Could someone please upload the advisory?

Sysadmins, you can push this to core/updates once the advisory is uploaded.  Thanks.

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 10 Rémi Verschelde 2014-11-19 13:14:25 CET
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory

Comment 11 Mageia Robot 2014-11-21 13:45:52 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0474.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

