Bug 50487 - linux: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.3
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.3-5-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2019-11-13 09:42 CET by Quality Assurance
Modified: 2019-11-13 17:01 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2019-11-13 09:42:05 CET
New Debian linux 4.9.189-3+deb9u2 fixes:
This update addresses the following issues:
* Machine Check Error on Page Size Change (IPU) (CVE-2018-12207)
* Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154)
* Intel GPU blitter manipulation can allow for arbitrary kernel memory write (CVE-2019-0155)
* TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135)
Comment 1 Quality Assurance univentionstaff 2019-11-13 10:01:06 CET
--- mirror/ftp/4.3/unmaintained/4.3-5/source/linux_4.9.189-3+deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-5/source/linux_4.9.189-3+deb9u2.dsc
@@ -1,3 +1,70 @@
+4.9.189-3+deb9u2 [Mon, 11 Nov 2019 12:18:59 +0000] Ben Hutchings <ben@decadent.org.uk>:
+
+  * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
+    - KVM: x86: use Intel speculation bugs and features as derived in generic
+      x86 code
+    - x86/msr: Add the IA32_TSX_CTRL MSR
+    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
+    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
+    - x86/speculation/taa: Add mitigation for TSX Async Abort
+    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
+    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
+    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
+    - x86/speculation/taa: Add documentation for TSX Async Abort
+    - x86/tsx: Add config options to set tsx=on|off|auto
+    - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
+    TSX is now disabled by default; see
+    Documentation/hw-vuln/tsx_async_abort.rst
+  * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
+    (aka iTLB multi-hit, CVE-2018-12207):
+    - KVM: x86: simplify ept_misconfig
+    - KVM: x86: extend usage of RET_MMIO_PF_* constants
+    - KVM: MMU: drop vcpu param in gpte_access
+    - kvm: Convert kvm_lock to a mutex
+    - kvm: x86: Do not release the page inside mmu_set_spte()
+    - KVM: x86: make FNAME(fetch) and __direct_map more similar
+    - KVM: x86: remove now unneeded hugepage gfn adjustment
+    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
+    - KVM: x86: Add is_executable_pte()
+    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
+    - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
+    - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
+    - cpu/speculation: Uninline and export CPU mitigations helpers
+    - kvm: mmu: ITLB_MULTIHIT mitigation
+    - kvm: Add helper function for creating VM worker threads
+    - kvm: x86: mmu: Recovery of shattered NX large pages
+    - Documentation: Add ITLB_MULTIHIT documentation
+  * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155):
+    - drm/i915: kick out cmd_parser specific structs from i915_drv.h
+    - drm/i915: cleanup use of INSTR_CLIENT_MASK
+    - drm/i915: return EACCES for check_cmd() failures
+    - drm/i915: don't whitelist oacontrol in cmd parser
+    - drm/i915: Use the precomputed value for whether to enable command parsing
+    - drm/i915/cmdparser: Limit clflush to active cachelines
+    - drm/i915/gtt: Add read only pages to gen8_pte_encode
+    - drm/i915/gtt: Read-only pages for insert_entries on bdw+
+    - drm/i915/gtt: Disable read-only support under GVT
+    - drm/i915: Prevent writing into a read-only object via a GGTT mmap
+    - drm/i915/cmdparser: Check reg_table_count before derefencing.
+    - drm/i915/cmdparser: Do not check past the cmd length.
+    - drm/i915: Silence smatch for cmdparser
+    - drm/i915: Move engine->needs_cmd_parser to engine->flags
+    - drm/i915: Rename gen7 cmdparser tables
+    - drm/i915: Disable Secure Batches for gen6+
+    - drm/i915: Remove Master tables from cmdparser
+    - drm/i915: Add support for mandatory cmdparsing
+    - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
+    - drm/i915: Allow parsing of unsized batches
+    - drm/i915: Add gen9 BCS cmdparsing
+    - drm/i915/cmdparser: Use explicit goto for error paths
+    - drm/i915/cmdparser: Add support for backward jumps
+    - drm/i915/cmdparser: Ignore Length operands during command matching
+    - drm/i915/cmdparser: Fix jump whitelist clearing
+  * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
+    - drm/i915: Lower RM timeout to avoid DSI hard hangs
+    - drm/i915/gen8+: Add RC6 CTX corruption WA
+  * drm/i915: Avoid ABI change for CVE-2019-0155
+
 4.9.189-3+deb9u1 [Fri, 20 Sep 2019 13:03:45 +0200] Salvatore Bonaccorso <carnil@debian.org>:
 
   * vhost: make sure log_num < in_num (CVE-2019-14835)
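
Review bot: The "TSX is now disabled by default" line under the CVE-2019-11135 entry is a change of default behaviour, not only a fix, and the issue list in the bug description does not mention it. The erratum text should state it and name the "tsx=" cmdline option (on|off|auto) listed in the same entry, so that operators of hosts that depend on TSX know the setting exists and can check the result through the sysfs reporting added by "x86/speculation/taa: Add sysfs reporting for TSX Async Abort". The same applies to "drm/i915: Disable Secure Batches for gen6+" under CVE-2019-0155, which is also a functional change worth one line in the announcement.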

<http://10.200.17.11/4.3-5/#7049544851925928609>
Comment 2 Philipp Hahn univentionstaff 2019-11-13 12:35:17 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
OK: amd64 @ KVM
OK: amd64 @ KVM + OVMF + SB
OK: amd64 @ hdmi3
SKIP: i386

[4.3-5] 6a28316c76 Bug #50487: univention-kernel-image-signed 4.0.0-19A~4.3.0.201911131119
 doc/errata/staging/linux.yaml | 1 +
 1 file changed, 1 insertion(+)

[4.3-5] ef456a4e1e Bug #50487: linux 4.9.189-3+deb9u2
 doc/errata/staging/linux.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
Comment 3 Philipp Hahn univentionstaff 2019-11-13 12:35:40 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
OK: amd64 @ KVM
OK: amd64 @ KVM + OVMF + SB
OK: amd64 @ hdmi3
SKIP: i386

[4.3-5] 6a28316c76 Bug #50487: univention-kernel-image-signed 4.0.0-19A~4.3.0.201911131119
 .../staging/univention-kernel-image-signed.yaml     | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)