| Field | Value |
|---|---|
| Summary | app-emulation/qemu-2.11.0: Backport SPEC-CTRL MSR / CPU models |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://www.qemu.org/2018/01/04/spectre/ |
| Whiteboard | A2 [glsa+] |
| CC | alexander, andrew.bugs, arthur, bug, bugzilla, can.ecodo.nu.n.o+bugs.gentoo, ct, engler, gentoo, github, iivanich, jasmin+gentoo, joakim.tjernlund, keaneyw, kfm, le.petit.fou, luke-jr+gentoobugs, luke, maracay, mark, mentalstring, prometheanfire, qemu+disabled, ronny+bugsgentoo, tb, vivo75, xaviermiller |
| Package list | (empty) |
| Runtime testing required | --- |
| Bug Depends on | (none) |
| Bug Blocks | 643342 |
| Attachments | 0065-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch (attachment 515520) |

Description
GLSAMaker/CVETool Bot
2018-01-04 16:37:54 UTC
As the fixes for CVE-2017-5715 will also need adjustments in the QEMU virtualization host to pass through CPUID flags and MSRs from host to guest system, an update will be required.

Does current qemu work at all with a mitigated host? Does the mitigated host secure the host from the VMs?

(It sounds like this update is needed only for guests to be mitigated?)

(In reply to Luke-Jr from comment #2)
> Does current qemu work at all with a mitigated host? Does the mitigated host
> secure the host from the VMs?
>
> (It sounds like this update is needed only for guests to be mitigated?)

Both work for me with current stable kvm/qemu and kernel 4.14.13 (i.e. page table isolation) in the host and guest system.

Page table isolation mitigates CVE-2017-5754, though, not CVE-2017-5715.

Stefan Pribe has posted a patch for qemu that allows "passing through new MSR and CPUID flags from the host VM to the CPU, to allow enabling/disabling branch prediction features in the Intel CPU."

Source: https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html
Patch: https://lists.nongnu.org/archive/html/qemu-devel/2018-01/txtfadLGhMEF6.txt

This is probably going to be needed for CONFIG_RETPOLINE to behave as expected in a guest kernel.

The patch applies successfully to qemu-2.10.1-r1, albeit with some fuzz.

Created attachment 515520:
0065-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
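
The thread above turns on one practical question: does the guest kernel actually receive the SPEC_CTRL / IBPB CPUID bits from QEMU, or is only the host mitigated? The script below is an added example (not code from this bug report, from the attached patch, or from QEMU) that answers it by inspecting the `flags:` line of `/proc/cpuinfo`. The set of flag names it looks for (`spec_ctrl ibrs ibpb stibp`) is an assumption: the spelling the kernel prints has changed across versions, so adjust the list for the kernel you run. The two sample flag lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: report which Spectre-related CPUID flags a kernel exposes,
# so a guest running on a patched vs. unpatched QEMU can be told apart.
# Flag names are an assumption modelled on /proc/cpuinfo output; kernel
# versions differ in how they spell them, so edit SPECTRE_FLAGS as needed.

SPECTRE_FLAGS="spec_ctrl ibrs ibpb stibp"

# Constructed sample "flags:" lines (not from a real machine). The first
# models a host that exposes the new bits; the second a guest whose QEMU
# did not pass them through, so none of the Spectre flags appear.
SAMPLE_HOST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc nopl pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx lahf_lm ibrs ibpb stibp spec_ctrl"
SAMPLE_GUEST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc nopl pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm"

# has_flag FLAGS NAME: succeed only if NAME is a whole word in FLAGS
# (so "ibrs" does not match "ibrs_enhanced").
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_spectre_flags FLAGS: print the Spectre-related flags that are
# absent from FLAGS, space separated; empty output means all are present.
missing_spectre_flags() {
    _flags=$1
    set --
    for _f in $SPECTRE_FLAGS; do
        has_flag "$_flags" "$_f" || set -- "$@" "$_f"
    done
    printf '%s' "$*"
}

# cpuinfo_flags: read a /proc/cpuinfo dump on stdin and print the first
# "flags:" value (all CPUs report the same set, so one line is enough).
cpuinfo_flags() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# report LABEL FLAGS: print a verdict; return 0 only if nothing is missing.
report() {
    _m=$(missing_spectre_flags "$2")
    if [ -z "$_m" ]; then
        printf '%s: all of [%s] present\n' "$1" "$SPECTRE_FLAGS"
        return 0
    fi
    printf '%s: missing %s\n' "$1" "$_m"
    return 1
}

report "sample host"  "$SAMPLE_HOST_FLAGS"  || :
report "sample guest" "$SAMPLE_GUEST_FLAGS" || :

# On a real machine, also check the kernel this script runs under.
if [ -r /proc/cpuinfo ]; then
    report "this kernel" "$(cpuinfo_flags < /proc/cpuinfo)" || :
fi
```

Run it inside the guest. If the flags are missing there but present on the host, the guest is not getting the MSR/CPUID pass-through, which is exactly the situation the backported patches (the `-IBRS` Intel models and `EPYC-IBPB` listed in the commit below) are meant to fix; the guest must also be started with one of those models or with `-cpu host`, since the default model does not advertise the bits.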
(In reply to Kerin Millar from comment #4)

This is an old patch that has already been rejected.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=725631c3eee62d147ea634c969ab90d1c70f5612

```
commit 725631c3eee62d147ea634c969ab90d1c70f5612
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-02-11 20:16:02 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-02-11 20:27:01 +0000

    app-emulation/qemu: version bump to 2.11.0, important security fixes

    - Added slot operator for libnfs
    - Added patch for glibc-2.27 compatibility
    - Added patch for CVE-2017-16845
    - Backported upstream msr / spec ctrl patches:
        6cfbc54e89 i386: Add EPYC-IBPB CPU model
        ac96c41354 i386: Add new -IBRS versions of Intel CPU models
        1b3420e1c4 i386: Add FEAT_8000_0008_EBX CPUID feature word
        a2381f0934 i386: Add spec-ctrl CPUID bit
        a33a2cfe2f i386: Add support for SPEC_CTRL MSR
    - CVEs addressed by bump:
        CVE-2017-17381 CVE-2017-18030 CVE-2017-18043
    - CVEs addressed by patchset:
        CVE-2017-15124 CVE-2017-16845 CVE-2018-5683
    - CVE-2018-5748 is a libvirt vulnerability, not a qemu issue...

    Bug: https://bugs.gentoo.org/638506
    Bug: https://bugs.gentoo.org/643432
    Bug: https://bugs.gentoo.org/646814
    Closes: https://bugs.gentoo.org/641100
    Closes: https://bugs.gentoo.org/646568
    Closes: https://bugs.gentoo.org/646710
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/Manifest                        |   2 +
 .../qemu/files/qemu-2.11.0-glibc-2.27.patch        |  54 ++
 app-emulation/qemu/qemu-2.11.0.ebuild              | 803 +++++++++++++++++++++
 3 files changed, 859 insertions(+)
```

This issue was resolved and addressed in GLSA 201804-08 at https://security.gentoo.org/glsa/201804-08 by GLSA coordinator Aaron Bauman (b-man).