FS#57330 - [linux] [Security] access restriction bypass (CVE-2017-5753 CVE-2017-5715)
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Thursday, 01 February 2018, 21:42 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 10 September 2019, 20:43 GMT
Details
Summary
=======

The package linux is vulnerable to access restriction bypass via CVE-2017-5753 and CVE-2017-5715.

Mitigations
===========

#Needed for 4.14.16
1df37383a8aeabb9b418698f0bcdffea01f4b1b2 x86/retpoline: Remove the esp/rsp thunk

#Needed for 4.15.y from mainline
Merge commit 6304672b7f0a5c010002e63a075160856dc4f88d which expands to

git log --no-abbrev-commit --pretty=oneline 6304672b7f0a5c010002e63a075160856dc4f88d^..6304672b7f0a5c010002e63a075160856dc4f88d

6304672b7f0a5c010002e63a075160856dc4f88d Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
64e16720ea0879f8ab4547e3b9758936d483909b (tip/x86-pti-for-linus) x86/speculation: Simplify indirect_branch_prediction_barrier()
1dde7415e99933bb7293d6b2843752cbdb43ec11 x86/retpoline: Simplify vmexit_fill_RSB()
2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2 x86/cpufeatures: Clean up Spectre v2 related CPUID flags
e383095c7fe8d218e00ec0f83e4b95ed4e627b02 x86/cpu/bugs: Make retpoline module warning conditional
55fa19d3e51f33d9cd4056d25836d93abf9438db x86/bugs: Drop one "mitigation" from dmesg
7a32fc51ca938e67974cbb9db31e1a43f98345a9 x86/nospec: Fix header guards names
0e6c16c652cadaffd25a6bb326ec10da5bcec6b4 x86/alternative: Print unadorned pointers
20ffa1caecca4db8f79fe665acdeaa5af815a24d x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
a5b2966364538a0e68c9fa29bc0a3a1651799035 x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
fec9434a12f38d3aeafeb75711b71d8a1fdef621 x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
1e340c60d0dd3ae07b5bedc16a0469c14b9f3410 x86/msr: Add definitions for new speculation control MSRs
5d10cbc91d9eb5537998b65608441b592eec65e7 x86/cpufeatures: Add AMD feature bits for Speculation Control
fc67dd70adb711a45d2ef34e12d1a8be75edde61 x86/cpufeatures: Add Intel feature bits for Speculation Control
95ca0ee8636059ea2800dfbac9ecac6212d6b38f x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
caf7501a1b4ec964190f31f9c3f163de252273b8 module/retpoline: Warn about missing retpoline in module
c940a3fb1e2e9b7d03228ab28f375fb5a47ff699 KVM: VMX: Make indirect call speculation safe
1a29b5b7f347a1a9230c1e0af5b37e3e571588ab KVM: x86: Make indirect calls in emulator speculation safe

#From tip/x86/pti
$ git log --no-abbrev-commit --pretty=oneline 7e86548e2cc8d308cb75439480f428137151b0de..085331dfc6bbe3501fb936e657331ca943827600

085331dfc6bbe3501fb936e657331ca943827600 (tip/x86/pti) x86/kvm: Update spectre-v1 mitigation
12c69f1e94c89d40696e83804dd2f0965b5250cd x86/paravirt: Remove 'noreplace-paravirt' cmdline option
18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7 x86/speculation: Use Indirect Branch Prediction Barrier in context switch
7fcae1118f5fd44a862aa5c3525248e35ee67c3b x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
e698dcdfcda41efd0984de539767b4cddd235f1e x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
edfbae53dab8348fca778531be9f4855d2ca0360 x86/spectre: Report get_user mitigation for spectre_v1
259d8c1e984318497c84eef547bbb6b1d9f4eb05 nl80211: Sanitize array index in parse_txq_params
56c30ba7b348b90484969054d561f711ba196507 vfs, fdtable: Prevent bounds-check bypass via speculative execution
2fbd7af5af8665d18bcefae3e9700be07e22b681 x86/syscall: Sanitize syscall table de-references under speculation
c7f631cb07e7da06ac1d231ca178452339e32a94 x86/get_user: Use pointer masking to limit speculation
304ec1b050310548db33063e567123fae8fd0301 x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
b5c4ae4f35325d520b230bab6eb3310613b72ac1 x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
b3d7ad85b80bbc404635dca80f5b129f6242bc7a x86: Introduce barrier_nospec
babdde2698d482b6c0de1eab4f697cf5856c5859 x86: Implement array_index_mask_nospec
f3804203306e098dae9ca51540fcd5eb700d7f40 array_index_nospec: Sanitize speculative array de-references
f84a56f73dddaeac1dba8045b007f742f61cd2da Documentation: Document array_index_nospec
37a8f7c38339b22b69876d6f5a0ab851565284e3 x86/asm: Move 'status' from thread_struct to thread_info
d1f7732009e0549eedf8ea1db948dc37be77fd46 x86/entry/64: Push extra regs right away
21d375b6b34ff511a507de27bf316b3dde6938d9 x86/entry/64: Remove the SYSCALL64 fast path
9471eee9186a46893726e22ebb54cade3f9bc043 x86/spectre: Check CONFIG_RETPOLINE in command line parser
55f49fcb879fbeebf2a8c1ac7c9e6d90df55f798 x86/mm: Fix overlap of i386 CPU_ENTRY_AREA with FIX_BTMAP
830c1e3d16b2c1733cd1ec9c8f4d47a398ae31bc objtool: Warn on stripped section symbol
17bc33914bcc98ba3c6b426fd1c49587a25c0597 objtool: Add support for alternatives at the end of a section
a845c7cf4b4cb5e9e3b2823867892b27646f3a98 objtool: Improve retpoline alternative handling

This provides initial Spectre V1 mitigation, improved Spectre V2 mitigation, and should address
This should be applicable to linux, linux-zen on 4.15 as well as linux-hardened on 4.14 and linux-lts when it switches to 4.14.

References
==========

https://security.archlinux.org/AVG-553
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://spectreattack.com
https://www.kb.cert.org/vuls/id/584653
https://xenbits.xen.org/xsa/advisory-254.html
https://01.org/security/advisories/intel-oss-10002
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
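The Spectre V1 commits in the tip/x86/pti range above (x86: Implement array_index_mask_nospec, array_index_nospec: Sanitize speculative array de-references, and their users in the syscall table and fdtable) all rest on one idiom: after the architectural bounds check, clamp the index with a branch-free mask before it selects a table entry, so that a mispredicted check cannot steer a speculative load outside the table. The program below is an added user-space example, not code from this bug report or from the kernel tree; it mirrors the generic C fallback form of the mask, assumes a compiler with gcc-style inline asm and an arithmetic right shift of a negative long (true for gcc and clang), and uses a constructed table and constructed probe indices.

```c
/* Added example: user-space model of the array_index_nospec() pattern.
 * Not code from the Arch bug report or the Linux kernel; the mask formula
 * follows the kernel's generic C fallback and assumes an arithmetic right
 * shift of a negative long (gcc/clang behaviour). */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Returns ~0UL when index < size and 0 otherwise, using arithmetic only:
 * no data-dependent branch, so the mask is also correct while the CPU is
 * speculating past a mispredicted bounds check. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    /* Stop the compiler from "proving" the mask redundant from the
     * preceding bounds check: the value of index under speculation is
     * not what the compiler reasons about. */
    __asm__ volatile("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to [0, size): in-bounds indices pass through unchanged,
 * out-of-bounds ones are forced to 0 (a valid, harmless table slot). */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed sample table standing in for a kernel table such as the
 * syscall table or a per-socket option array. */
static const unsigned long table[8] = {10, 11, 12, 13, 14, 15, 16, 17};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

/* Before: architecturally correct, but if the branch is mispredicted the
 * CPU may speculatively read table[idx] for an out-of-range idx. */
unsigned long lookup_plain(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    return table[idx];
}

/* After: same check, but the index is masked before the load, so even a
 * speculative access stays within table[0..TABLE_LEN-1]. */
unsigned long lookup_nospec(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    idx = array_index_nospec(idx, TABLE_LEN);
    return table[idx];
}

int main(void)
{
    /* Constructed probe indices: in range, at the boundary, far out of range. */
    unsigned long probes[] = {0, 3, 7, 8, 1000, ~0UL};
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("index %lu -> mask 0x%lx, clamped %lu, lookup %lu\n",
               probes[i], array_index_mask_nospec(probes[i], TABLE_LEN),
               array_index_nospec(probes[i], TABLE_LEN),
               lookup_nospec(probes[i]));
    return 0;
}
```

The mask works because `size - 1 - index` wraps to a value with the top bit set exactly when `index >= size`; OR-ing it with `index`, inverting, and sign-extending the top bit yields all ones for in-range indices and all zeros otherwise. In the real kernel the x86 build replaces this generic fallback with a `cmp`/`sbb` sequence, but the contract (`~0UL` in range, `0` out of range) is the same.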
Edit:
4.14.18 not 4.14.8