Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 643432 - <app-emulation/qemu-2.11.0: Backport SPEC-CTRL MSR / CPU models
Summary: <app-emulation/qemu-2.11.0: Backport SPEC-CTRL MSR / CPU models
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.qemu.org/2018/01/04/spectre/
Whiteboard: A2 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2017-5715
  Show dependency tree
 
Reported: 2018-01-04 16:37 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-08 23:32 UTC (History)
27 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
0065-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch (0065-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch,5.56 KB, patch)
2018-01-20 20:22 UTC, Kerin Millar
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-04 16:37:54 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-01-04 16:39:55 UTC
As the fixes for CVE-2017-5715 will also need adjustments in the QEMU virtualization host to pass through CPUID flags and MSRs from host to guest system, an update will be required.
Comment 2 Luke-Jr 2018-01-11 00:45:29 UTC
Does current qemu work at all with a mitigated host? Does the mitigated host secure the host from the VMs?

(It sounds like this update is needed only for guests to be mitigated?)
Comment 3 Matthias Maier gentoo-dev 2018-01-13 17:23:24 UTC
(In reply to Luke-Jr from comment #2)
> Does current qemu work at all with a mitigated host? Does the mitigated host
> secure the host from the VMs?
> 
> (It sounds like this update is needed only for guests to be mitigated?)

Both works for me with current stable kvm/qemu and kernel 4.14.13 (i.e. page table isolation) in the host and guest system.
Comment 4 Kerin Millar 2018-01-20 20:20:27 UTC
Page table isolation mitigates CVE-20175-5754, though, not CVE-2017-5715.

Stefan Pribe has posted a patch for qemu that allows "passing passing through new MSR and CPUID flags from the host VM to the CPU, to allow enabling/disabling branch prediction features in the Intel CPU."

Source: https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html
Patch: https://lists.nongnu.org/archive/html/qemu-devel/2018-01/txtfadLGhMEF6.txt

This is probably going to be needed for CONFIG_RETPOLINE to behave as expected in a guest kernel. The patch applies successfully to qemu-2.10.1-r1, albeit with some fuzz.
Comment 5 Kerin Millar 2018-01-20 20:22:28 UTC
Created attachment 515520 [details, diff]
0065-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
Comment 6 Alexander Tsoy 2018-01-20 20:33:25 UTC
(In reply to Kerin Millar from comment #4)
This is an old patch that have been already rejected.
Comment 7 Larry the Git Cow gentoo-dev 2018-02-11 20:27:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=725631c3eee62d147ea634c969ab90d1c70f5612

commit 725631c3eee62d147ea634c969ab90d1c70f5612
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-02-11 20:16:02 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-02-11 20:27:01 +0000

    app-emulation/qemu: version bump to 2.11.0, important security fixes
    
     - Added slot operator for libnfs
    
     - Added patch for glibc-2.27 compatibility
    
     - Added patch for CVE-2017-16845
    
     - Backported upstream msr / spec ctrl patches:
    
       6cfbc54e89  i386: Add EPYC-IBPB CPU model
       ac96c41354  i386: Add new -IBRS versions of Intel CPU models
       1b3420e1c4  i386: Add FEAT_8000_0008_EBX CPUID feature word
       a2381f0934  i386: Add spec-ctrl CPUID bit
       a33a2cfe2f  i386: Add support for SPEC_CTRL MSR
    
     - CVEs addressed by bump:
    
       CVE-2017-17381
       CVE-2017-18030
       CVE-2017-18043
    
     - CVEs addressed by patchset:
    
       CVE-2017-15124
       CVE-2017-16845
       CVE-2018-5683
    
     - CVE-2018-5748 is a libvirt vulnerability, not a qemu issue...
    
    Bug:    https://bugs.gentoo.org/638506
    Bug:    https://bugs.gentoo.org/643432
    Bug:    https://bugs.gentoo.org/646814
    Closes: https://bugs.gentoo.org/641100
    Closes: https://bugs.gentoo.org/646568
    Closes: https://bugs.gentoo.org/646710
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/Manifest                        |   2 +
 .../qemu/files/qemu-2.11.0-glibc-2.27.patch        |  54 ++
 app-emulation/qemu/qemu-2.11.0.ebuild              | 803 +++++++++++++++++++++
 3 files changed, 859 insertions(+)}
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 23:32:16 UTC
This issue was resolved and addressed in
 GLSA 201804-08 at https://security.gentoo.org/glsa/201804-08
by GLSA coordinator Aaron Bauman (b-man).