FS#57330 - [linux] [Security] access restriction bypass (CVE-2017-5753 CVE-2017-5715)

Attached to Project: Arch Linux
Opened by loqs (loqs) - Thursday, 01 February 2018, 21:42 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 10 September 2019, 20:43 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jan Alexander Steffens (heftig)
Levente Polyak (anthraxx)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary
=======

The package linux is vulnerable to access restriction bypass via CVE-2017-5753 and CVE-2017-5715.

Mitigations
===========

#Needed for 4.14.16
1df37383a8aeabb9b418698f0bcdffea01f4b1b2 x86/retpoline: Remove the esp/rsp thunk

#Needed for 4.15.y from mainline
Merge commit 6304672b7f0a5c010002e63a075160856dc4f88d which expands to

$ git log --no-abbrev-commit --pretty=oneline 6304672b7f0a5c010002e63a075160856dc4f88d^..6304672b7f0a5c010002e63a075160856dc4f88d
6304672b7f0a5c010002e63a075160856dc4f88d Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
64e16720ea0879f8ab4547e3b9758936d483909b (tip/x86-pti-for-linus) x86/speculation: Simplify indirect_branch_prediction_barrier()
1dde7415e99933bb7293d6b2843752cbdb43ec11 x86/retpoline: Simplify vmexit_fill_RSB()
2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2 x86/cpufeatures: Clean up Spectre v2 related CPUID flags
e383095c7fe8d218e00ec0f83e4b95ed4e627b02 x86/cpu/bugs: Make retpoline module warning conditional
55fa19d3e51f33d9cd4056d25836d93abf9438db x86/bugs: Drop one "mitigation" from dmesg
7a32fc51ca938e67974cbb9db31e1a43f98345a9 x86/nospec: Fix header guards names
0e6c16c652cadaffd25a6bb326ec10da5bcec6b4 x86/alternative: Print unadorned pointers
20ffa1caecca4db8f79fe665acdeaa5af815a24d x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
a5b2966364538a0e68c9fa29bc0a3a1651799035 x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
fec9434a12f38d3aeafeb75711b71d8a1fdef621 x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
1e340c60d0dd3ae07b5bedc16a0469c14b9f3410 x86/msr: Add definitions for new speculation control MSRs
5d10cbc91d9eb5537998b65608441b592eec65e7 x86/cpufeatures: Add AMD feature bits for Speculation Control
fc67dd70adb711a45d2ef34e12d1a8be75edde61 x86/cpufeatures: Add Intel feature bits for Speculation Control
95ca0ee8636059ea2800dfbac9ecac6212d6b38f x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
caf7501a1b4ec964190f31f9c3f163de252273b8 module/retpoline: Warn about missing retpoline in module
c940a3fb1e2e9b7d03228ab28f375fb5a47ff699 KVM: VMX: Make indirect call speculation safe
1a29b5b7f347a1a9230c1e0af5b37e3e571588ab KVM: x86: Make indirect calls in emulator speculation safe

#From tip/x86/pti
$ git log --no-abbrev-commit --pretty=oneline 7e86548e2cc8d308cb75439480f428137151b0de..085331dfc6bbe3501fb936e657331ca943827600
085331dfc6bbe3501fb936e657331ca943827600 (tip/x86/pti) x86/kvm: Update spectre-v1 mitigation
12c69f1e94c89d40696e83804dd2f0965b5250cd x86/paravirt: Remove 'noreplace-paravirt' cmdline option
18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7 x86/speculation: Use Indirect Branch Prediction Barrier in context switch
7fcae1118f5fd44a862aa5c3525248e35ee67c3b x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
e698dcdfcda41efd0984de539767b4cddd235f1e x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
edfbae53dab8348fca778531be9f4855d2ca0360 x86/spectre: Report get_user mitigation for spectre_v1
259d8c1e984318497c84eef547bbb6b1d9f4eb05 nl80211: Sanitize array index in parse_txq_params
56c30ba7b348b90484969054d561f711ba196507 vfs, fdtable: Prevent bounds-check bypass via speculative execution
2fbd7af5af8665d18bcefae3e9700be07e22b681 x86/syscall: Sanitize syscall table de-references under speculation
c7f631cb07e7da06ac1d231ca178452339e32a94 x86/get_user: Use pointer masking to limit speculation
304ec1b050310548db33063e567123fae8fd0301 x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
b5c4ae4f35325d520b230bab6eb3310613b72ac1 x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
b3d7ad85b80bbc404635dca80f5b129f6242bc7a x86: Introduce barrier_nospec
babdde2698d482b6c0de1eab4f697cf5856c5859 x86: Implement array_index_mask_nospec
f3804203306e098dae9ca51540fcd5eb700d7f40 array_index_nospec: Sanitize speculative array de-references
f84a56f73dddaeac1dba8045b007f742f61cd2da Documentation: Document array_index_nospec
37a8f7c38339b22b69876d6f5a0ab851565284e3 x86/asm: Move 'status' from thread_struct to thread_info
d1f7732009e0549eedf8ea1db948dc37be77fd46 x86/entry/64: Push extra regs right away
21d375b6b34ff511a507de27bf316b3dde6938d9 x86/entry/64: Remove the SYSCALL64 fast path
9471eee9186a46893726e22ebb54cade3f9bc043 x86/spectre: Check CONFIG_RETPOLINE in command line parser
55f49fcb879fbeebf2a8c1ac7c9e6d90df55f798 x86/mm: Fix overlap of i386 CPU_ENTRY_AREA with FIX_BTMAP
830c1e3d16b2c1733cd1ec9c8f4d47a398ae31bc objtool: Warn on stripped section symbol
17bc33914bcc98ba3c6b426fd1c49587a25c0597 objtool: Add support for alternatives at the end of a section
a845c7cf4b4cb5e9e3b2823867892b27646f3a98 objtool: Improve retpoline alternative handling

This provides initial Spectre V1 mitigation and improved Spectre V2 mitigation, and should address FS#57067.
This should be applicable to linux and linux-zen on 4.15, as well as linux-hardened on 4.14 and linux-lts when it switches to 4.14.

References
==========

https://security.archlinux.org/AVG-553
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://spectreattack.com
https://www.kb.cert.org/vuls/id/584653
https://xenbits.xen.org/xsa/advisory-254.html
https://01.org/security/advisories/intel-oss-10002
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Closed by  Levente Polyak (anthraxx)
Tuesday, 10 September 2019, 20:43 GMT
Reason for closing:  Fixed
Comment by loqs (loqs) - Monday, 05 February 2018, 20:05 GMT
All the above commits should be in 4.15.2 and 4.14.8
Edit:
4.14.18 not 4.14.8
