Bug 34149 - microcode new security issue CVE-2024-56161
Summary: microcode new security issue CVE-2024-56161
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-31 17:16 CEST by Nicolas Salguero
Modified: 2025-04-04 00:52 CEST

See Also:
Source RPM: microcode-0.20250211-1.mga9.nonfree.src.rpm
CVE: CVE-2024-56161
Status comment:


Description Nicolas Salguero 2025-03-31 17:16:21 CEST
Debian has issued an advisory on March 31:
https://lists.debian.org/debian-lts-announce/2025/03/msg00024.html

The problem concerns AMD CPUs, not Intel ones.
Nicolas Salguero 2025-03-31 17:17:22 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-56161
Source RPM: (none) => microcode-0.20250211-1.mga10.nonfree.src.rpm, microcode-0.20250211-1.mga9.nonfree.src.rpm

Comment 1 Nicolas Salguero 2025-03-31 17:23:03 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP. (CVE-2024-56161)

References:
https://lists.debian.org/debian-lts-announce/2025/03/msg00024.html
========================

Updated package in nonfree/updates_testing:
========================
microcode-0.20250211-2.mga9.nonfree

from SRPM:
microcode-0.20250211-2.mga9.nonfree.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: microcode-0.20250211-1.mga10.nonfree.src.rpm, microcode-0.20250211-1.mga9.nonfree.src.rpm => microcode-0.20250211-1.mga9.nonfree.src.rpm
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED

Comment 2 Herman Viaene 2025-04-01 15:39:44 CEST
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Did a warm reboot after installation. No obvious problems seen with wifi, internet, NFS-access, some filetypes tested.
All seems OK.

CC: (none) => herman.viaene

katnatek 2025-04-01 21:12:14 CEST

Keywords: (none) => advisory

Comment 3 Len Lawrence 2025-04-01 21:16:52 CEST
Kernel: 6.6.83-server-1.mga9 arch: x86_64
8-core AMD Ryzen 7 5700U with Radeon Graphics

Installed the update and rebooted.
$ journalctl -xb | grep microcode
Apr 01 19:04:59 rutilicus kernel: microcode: Current revision: 0x08608108
Apr 01 19:04:59 rutilicus kernel: microcode: Updated early from: 0x08608103
Apr 01 19:04:59 rutilicus kernel: microcode: Microcode Update Driver: v2.2.
Apr 01 19:04:59 rutilicus kernel: em28xx 3-1.2:1.0:         microcode start address = 0x0004, boot configuration = 0x01

Looks like that took alright.  The Mate desktop is fully functional.
Ran some kernel and graphics tests OK.

CC: (none) => tarazed25

Comment 4 katnatek 2025-04-01 22:12:21 CEST
RH x86_64

installing microcode-0.20250211-2.mga9.nonfree.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: microcode             ##################################################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
      1/1: removing microcode-0.20250211-1.mga9.nonfree.noarch
                                 ##################################################################################################

Reboot

journalctl -xb | grep microcode
abr 01 14:01:16 jgrey.phoenix kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
abr 01 14:01:16 jgrey.phoenix kernel: microcode: Current revision: 0x00000007
abr 01 14:01:16 jgrey.phoenix kernel: microcode: Updated early from: 0x00000002
abr 01 14:01:16 jgrey.phoenix kernel: microcode: Microcode Update Driver: v2.2.

Looks similar to previous with other format in the information
OK for me
Comment 5 Thomas Andrews 2025-04-01 23:44:14 CEST
HP Pavilion 15, MGA9-64 Plasma:

inxi -CG
CPU:
  Info: quad core model: AMD A8-4555M APU with Radeon HD Graphics bits: 64
    type: MT MCP cache: L2: 4 MiB
  Speed (MHz): avg: 1100 min/max: 1100/1600 cores: 1: 1100 2: 1100 3: 1100
    4: 1100
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Trinity [Radeon HD 7600G]
    driver: radeon v: kernel
  Device-2: Realtek HP Truevision HD laptop camera driver: uvcvideo
    type: USB
  Display: server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: radeon,v4l dri: r600 gpu: radeon resolution: 1366x768~60Hz
  API: EGL v: 1.5 drivers: r600,swrast platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.5 vendor: mesa v: 24.2.8 renderer: AMD ARUBA (DRM 2.50.0
    / 6.6.83-desktop-1.mga9 LLVM 15.0.6)
  API: Vulkan v: 1.3.231 drivers: llvmpipe surfaces: xcb,xlib

No installation issues. Rebooted:

journalctl -xb | grep microcode
Apr 01 19:37:26 localhost.localdomain kernel: microcode: Current revision: 0x06001119
Apr 01 19:37:26 localhost.localdomain kernel: microcode: Updated early from: 0x06001119
Apr 01 19:37:26 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.

Looks like this hardware was not affected by this update.

CC: (none) => andrewsfarm

Comment 6 Brian Rockwell 2025-04-02 04:00:47 CEST
MGA9-64, Xfce, Celeron N2840, Chromebook

installed

rebooted

--- 
used for a couple of hours without issue

CC: (none) => brtians1

Comment 7 Thomas Andrews 2025-04-02 23:57:03 CEST
MGA9-64 Plasma.

$ inxi -CG
CPU:
  Info: quad core model: Intel Core i5-7500 bits: 64 type: MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 800 min/max: 800/3800 cores: 1: 800 2: 800 3: 800 4: 800
Graphics:
  Device-1: NVIDIA GM107GL [Quadro K620] driver: nvidia v: 550.144.03
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: nvidia,v4l gpu: nvidia,nvidia-nvswitch resolution: 1920x1080~60Hz
  API: EGL v: 1.5 drivers: nvidia,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.6.0 vendor: nvidia v: 550.144.03
    renderer: Quadro K620/PCIe/SSE2
  API: Vulkan v: 1.3.231 drivers: nvidia,llvmpipe surfaces: xcb,xlib

No installation issues.

journalctl -xb | grep microcode
Apr 02 09:11:34 localhost.localdomain kernel: microcode: Current revision: 0x000000f8
Apr 02 09:11:34 localhost.localdomain kernel: microcode: Updated early from: 0x000000b4
Apr 02 09:11:34 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.

Used this all afternoon. Everything is working normally.
Comment 8 katnatek 2025-04-03 00:57:30 CEST
RH i586

installing microcode-0.20250211-2.mga9.nonfree.noarch.rpm from //home/katnatek/qa-testing/i586
Preparing...                     #######################################################################################
      1/1: microcode             #######################################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
      1/1: removing microcode-0.20250211-1.mga9.nonfree.noarch
                                 #######################################################################################

Reboot

journalctl -xb | grep microcode
abr 02 16:43:48 cefiro kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
abr 02 16:43:48 cefiro kernel: microcode: Current revision: 0x000000a4
abr 02 16:43:48 cefiro kernel: microcode: Updated early from: 0x000000a3
abr 02 16:43:48 cefiro kernel: microcode: Microcode Update Driver: v2.2.

Same information as other updates
Comment 9 Brian Rockwell 2025-04-03 15:43:43 CEST
MGA9-32, AMD A6-3420M APU with Radeon(tm) HD Graphics, old Laptop

applied

---rebooted

spending time using firefox, youtube, etc.  - working
Comment 10 Morgan Leijström 2025-04-03 21:50:00 CEST
mga9-64 OK here on my workstation
In use for some days, no regression noted

[morgan@svarten ~]$ inxi -CG
CPU:
  Info: quad core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 1205 min/max: 1200/2934 cores: 1: 1205 2: 1205 3: 1205
    4: 1205 5: 1205 6: 1205 7: 1205 8: 1205
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 24 [Radeon RX 6400/6500
    XT/6500M] driver: amdgpu v: kernel
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: amdgpu,v4l dri: radeonsi gpu: amdgpu resolution: 3840x2160~60Hz
  API: EGL v: 1.5 drivers: kms_swrast,radeonsi,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.6 vendor: amd mesa v: 24.2.8 renderer: AMD Radeon RX
    6400 (radeonsi navi24 LLVM 15.0.6 DRM 3.54 6.6.79-desktop-1.mga9)

CC: (none) => fri

Comment 11 Thomas Andrews 2025-04-03 22:46:28 CEST
I don't see any reason to hold this back. Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK

Comment 12 Mageia Robot 2025-04-04 00:52:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0124.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
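
Added example (not part of the bug report or of any tester's comment): a POSIX shell check that turns the `journalctl ... | grep microcode` output quoted in the comments into a one-line verdict, skipping unrelated driver lines such as the em28xx match in Comment 3 and flagging the equal-revision case seen in Comment 5. The function name `microcode_rev_status` is hypothetical; the sample input is copied from Comments 3 and 5.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads boot-log lines on stdin and
# prints one summary line about the early microcode load.
microcode_rev_status() {
    awk '
        # Only the loader messages ("kernel: microcode: ...") are parsed; other
        # drivers that mention the word, such as em28xx, are skipped.
        # Appending "" in the END block forces a string comparison of the values.
        / kernel: microcode: Current revision: /   { cur = $NF }
        / kernel: microcode: Updated early from: / { old = $NF }
        END {
            if (cur == "")                  print "no-revision-line"
            else if (old == "")             print "no-early-update " cur
            else if ((old "") == (cur ""))  print "unchanged " cur
            else                            print "updated " old " -> " cur
        }'
}

# Sample input taken from Comment 3 (revision changed, plus the em28xx line).
sample_changed='Apr 01 19:04:59 rutilicus kernel: microcode: Current revision: 0x08608108
Apr 01 19:04:59 rutilicus kernel: microcode: Updated early from: 0x08608103
Apr 01 19:04:59 rutilicus kernel: microcode: Microcode Update Driver: v2.2.
Apr 01 19:04:59 rutilicus kernel: em28xx 3-1.2:1.0:         microcode start address = 0x0004, boot configuration = 0x01'

# Sample input taken from Comment 5 (both lines report the same revision).
sample_same='Apr 01 19:37:26 localhost.localdomain kernel: microcode: Current revision: 0x06001119
Apr 01 19:37:26 localhost.localdomain kernel: microcode: Updated early from: 0x06001119
Apr 01 19:37:26 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.'

printf '%s\n' "$sample_changed" | microcode_rev_status
printf '%s\n' "$sample_same"    | microcode_rev_status
```

On a live system the same function can be fed from the kernel log of the current boot with `journalctl -kb | microcode_rev_status`.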
