Your message dated Mon, 03 Jun 2019 10:02:18 +0000
with message-id <e1hxjng-000abl...@fasolo.debian.org>
and subject line Bug#929067: fixed in qemu 1:2.8+dfsg-6+deb9u6
has caused the Debian Bug report #929067,
regarding Support for MDS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu-system-x86
Severity: grave
Tags: security

These are not upstreamed due to the embargo period, but I'm attaching
the 3.1 patches from Ubuntu 19.04.

Cheers,
        Moritz
From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonz...@redhat.com>
Date: Fri, 1 Mar 2019 21:40:52 +0100
Subject: [qemu PATCH] target/i386: define md-clear bit

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction.  Add the new feature, and pass it down to
Hypervisor.framework guests.

Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>

[Backported to qemu 3.1 - sbeattie]

---
        The last hunk is only needed for OS X, but anyway this is going
        to be the patch that will be committed upstream.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 target/i386/cpu.c           | 2 +-
 target/i386/cpu.h           | 1 +
 target/i386/hvf/x86_cpuid.c | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index d990070c59..16da90562c 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = 
{
         .feat_names = {
             NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
             NULL, NULL, NULL, NULL,
-            NULL, NULL, NULL, NULL,
+            NULL, NULL, "md-clear", NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, "pconfig", NULL,
             NULL, NULL, NULL, NULL,
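Review bot: The new "md-clear" entry is tied to CPUID.7.0:EDX bit 10 only by its position in this table (third row, third slot), so a short comment marking the slot index, or a reference to CPUID_7_0_EDX_MD_CLEAR, would make the mapping checkable at a glance. Also note that the diffstat for this patch touches only the name table, the define and the HVF mask: no CPU model definition gains the flag, so the commit message or documentation should say that guests see md-clear only when it is requested explicitly or inherited from the host.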
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 26412f15eb..cbfab1a421 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -692,6 +692,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
 
 #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network 
Instructions */
 #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation 
Single Precision */
+#define CPUID_7_0_EDX_MD_CLEAR      (1U << 10) /* Microarchitectural Data 
Clear */
 #define CPUID_7_0_EDX_PCONFIG (1U << 18)       /* Platform Configuration */
 #define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Speculation Control */
 #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)  /*Arch Capabilities*/
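Review bot: The comment on the new CPUID_7_0_EDX_MD_CLEAR define only expands the acronym; it would be more useful if it said what the bit promises, as the commit message does (microcode makes VERW flush the affected CPU buffers). The alignment of the new line matches the AVX512 and SPEC_CTRL defines, while the neighbouring PCONFIG line is already misaligned, so no change is needed there.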
diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
index 9874a46e92..f76ba50424 100644
--- a/target/i386/hvf/x86_cpuid.c
+++ b/target/i386/hvf/x86_cpuid.c
@@ -103,7 +103,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t 
idx,
             }
 
             ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
-            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
+            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | 
\
+                   CPUID_7_0_EDX_MD_CLEAR;
         } else {
             ebx = 0;
             ecx = 0;
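Review bot: The trailing backslash after CPUID_7_0_EDX_AVX512_4FMAPS is unnecessary, since this is an ordinary expression and not a macro body; a plain line break before CPUID_7_0_EDX_MD_CLEAR is enough. Separately, the mask still drops CPUID_7_0_EDX_ARCH_CAPABILITIES, so the "mds-no" bit introduced by the companion patch cannot be discovered by Hypervisor.framework guests through this path; if that is intentional, a one-line comment here would help.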
-- 
2.20.1

From: Paolo Bonzini <pbonz...@redhat.com>
Subject: [PATCH] target/i386: add MDS-NO feature

Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access to data which is available in various CPU
internal buffers.

Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES
MSR to report that they are not vulnerable; make it available to guests.

Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
--
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 722c5514d4..558347e6c3 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1184,7 +1184,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = 
{
         .type = MSR_FEATURE_WORD,
         .feat_names = {
             "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
-            "ssb-no", NULL, NULL, NULL,
+            "ssb-no", "mds-no", NULL, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
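Review bot: The commit message refers to ARCH_CAP_MDS_NO, but this patch adds no such constant; "mds-no" is bound to the MSR bit purely by being the sixth entry after "ssb-no" in feat_names. Adding the define alongside the other IA32_ARCH_CAPABILITIES bits would let the slot be checked against it. Because the flag tells a guest that it does not need the MDS mitigation, the commit message should also state when it is safe to expose, for example only when every host the guest can run on reports the bit.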


--- End Message ---
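How a guest would interpret the two bits these patches expose, and what the change to the HVF mask means for it, as an added example (not code from QEMU or from the patch authors). `guest_edx`, `classify_mds` and the enum are hypothetical names, and the host value in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions as given in the patches above. */
#define CPUID_7_0_EDX_AVX512_4VNNIW     (1U << 2)
#define CPUID_7_0_EDX_AVX512_4FMAPS     (1U << 3)
#define CPUID_7_0_EDX_MD_CLEAR          (1U << 10)
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
#define ARCH_CAP_MDS_NO                 (1ULL << 5) /* "mds-no" is slot 5 in feat_names */

enum mds_state { MDS_NOT_AFFECTED, MDS_MITIGATION_AVAILABLE,
                 MDS_MITIGATION_NOT_ADVERTISED };

/* Hypothetical model of the HVF filter: the guest sees host_edx ANDed with
 * a fixed mask; pass_md_clear selects the mask before (0) or after (1)
 * the patch. */
static uint32_t guest_edx(uint32_t host_edx, int pass_md_clear)
{
    uint32_t mask = CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
    if (pass_md_clear)
        mask |= CPUID_7_0_EDX_MD_CLEAR;
    return host_edx & mask;
}

/* Hypothetical helper: what a guest can conclude from the bits it is shown. */
static enum mds_state classify_mds(uint32_t edx, uint64_t arch_caps)
{
    /* The MSR value only counts if CPUID advertises IA32_ARCH_CAPABILITIES. */
    if ((edx & CPUID_7_0_EDX_ARCH_CAPABILITIES) && (arch_caps & ARCH_CAP_MDS_NO))
        return MDS_NOT_AFFECTED;
    if (edx & CPUID_7_0_EDX_MD_CLEAR)
        return MDS_MITIGATION_AVAILABLE;   /* VERW flushes the CPU buffers */
    return MDS_MITIGATION_NOT_ADVERTISED;  /* guest cannot rely on VERW */
}

int main(void)
{
    /* Constructed host value: updated microcode, no MDS_NO. */
    uint32_t host = CPUID_7_0_EDX_MD_CLEAR;
    printf("old mask: %d\n", classify_mds(guest_edx(host, 0), 0));
    printf("new mask: %d\n", classify_mds(guest_edx(host, 1), 0));
    return 0;
}
```

With the old mask the guest is never told that VERW clears the buffers, even on a host with updated microcode, which is why the bit has to be passed through.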
--- Begin Message ---
Source: qemu
Source-Version: 1:2.8+dfsg-6+deb9u6

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 29 May 2019 14:39:09 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc 
qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc 
qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils 
qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-6+deb9u6
Distribution: stretch-security
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 901017 902725 911499 912535 914599 914604 914727 916397 921525 922635 
929067 929353
Changes:
 qemu (1:2.8+dfsg-6+deb9u6) stretch-security; urgency=medium
 .
   [ Moritz Mühlenhoff <j...@debian.org> ]
   * slirp-correct-size-computation-concatenating-mbuf-CVE-2018-11806.patch
     (Closes: #901017, CVE-2018-11806)
   * qga-check-bytes-count-read-by-guest-file-read-CVE-2018-12617.patch
     (Closes: #902725, CVE-2018-12617)
   * usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch
     (Closes: #916397, CVE-2018-16872)
   * rtl8139-fix-possible-out-of-bound-access-CVE-2018-17958.patch
     (Closes: #911499, CVE-2018-17958)
   * lsi53c895a-check-message-length-value-is-valid-CVE-2018-18849.patch
     (Closes: #912535, CVE-2018-18849)
   * ppc-pnv-check-size-before-data-buffer-access-CVE-2018-18954.patch
     (Closes: #914604, CVE-2018-18954)
   * 9p-write-lock-path-in-v9fs-co_open2.patch
     9p-take-write-lock-on-fid-path-updates-CVE-2018-19364.patch
     (Closes: #914599, CVE-2018-19364)
   * 9p-fix-QEMU-crash-when-renaming-files-CVE-2018-19489.patch
     (Closes: #914727, CVE-2018-19489)
   * i2c-ddc-fix-oob-read-CVE-2019-3812.patch
     (Closes: #922635, CVE-2019-3812)
   * slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
     (Closes: #921525, CVE-2019-6778)
   * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
     (Closes: CVE-2019-9824)
 .
   [ Michael Tokarev ]
   * enable-md-clear.patch
     define new CPUID for MDS
     (Closes: #929067)
     (Closes: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091)
   * qxl-check-release-info-object-CVE-2019-12155.patch
     fixes null-pointer deref in qxl cleanup code
     (Closes: #929353, CVE-2019-12155)

--- End Message ---
