Bug#929067: marked as done (Support for MDS)
Your message dated Fri, 07 Jun 2019 10:02:53 +
with message-id
and subject line Bug#929067: fixed in qemu 1:2.8+dfsg-6+deb9u7
has caused the Debian Bug report #929067,
regarding Support for MDS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
929067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: qemu-system-x86
Severity: grave
Tags: security

These are not upstreamed due to the embargo period, but I'm attaching the 3.1
patches from Ubuntu 19.04.

Cheers,
Moritz

From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Fri, 1 Mar 2019 21:40:52 +0100
Subject: [qemu PATCH] target/i386: define md-clear bit

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction. Add the new feature, and pass it down to
Hypervisor.framework guests.

Signed-off-by: Paolo Bonzini
[Backported to qemu 3.1 - sbeattie]
---
The last hunk is only needed for OS X, but anyway this is going to be
the patch that will be committed upstream.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 target/i386/cpu.c           | 2 +-
 target/i386/cpu.h           | 1 +
 target/i386/hvf/x86_cpuid.c | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c index d990070c59..16da90562c 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
@@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .feat_names = { NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", NULL, NULL, NULL, NULL, -NULL, NULL, NULL, NULL, +NULL, NULL, "md-clear", NULL, NULL, NULL, NULL, NULL, NULL, NULL, "pconfig", NULL, NULL, NULL, NULL, NULL, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 26412f15eb..cbfab1a421 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -692,6 +692,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ +#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ #define CPUID_7_0_EDX_PCONFIG (1U << 18) /* Platform Configuration */ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c index 9874a46e92..f76ba50424 100644 --- a/target/i386/hvf/x86_cpuid.c +++ b/target/i386/hvf/x86_cpuid.c @@ -103,7 +103,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, } ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; -edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; +edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ + CPUID_7_0_EDX_MD_CLEAR; } else { ebx = 0; ecx = 0; -- 2.20.1 From: Paolo Bonzini Subject: [PATCH] target/i386: add MDS-NO feature Microarchitectural Data Sampling is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable, make it available to guests. Signed-off-by: Paolo Bonzini -- CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 
diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 722c5514d4..558347e6c3 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1184,7 +1184,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .type = MSR_FEATURE_WORD, .feat_names = { "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", -"ssb-no", NULL, NULL, NULL, +"ssb-no", "mds-no", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, --- End Message --- --- Begin Message --- Source: qemu Source-Version: 1:2.8+dfsg-6+deb9u7 We believe that the bug you reported is fixed in the latest version of qemu, which is due to be installed in the Debian FTP archive. A summary of the changes between this
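Review bot: in the first target/i386/cpu.c hunk (@@ -1075,7 +1075,7 @@), "md-clear" is only registered as a name in feat_names, and none of the three files in the diffstat changes a CPU model definition, so the commit message should say how a guest actually gets the bit. As posted, a guest sees md-clear only when it is requested explicitly (for example -cpu <model>,+md-clear) or taken from the host CPU, and a guest that does not see it has no indication that VERW flushes the buffers. A sentence in the commit message or the CPU model documentation telling administrators to add the flag after the microcode update would close that gap.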
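Review bot: in the target/i386/hvf/x86_cpuid.c hunk, the trailing backslash after "CPUID_7_0_EDX_AVX512_4FMAPS |" is unnecessary, because this is an ordinary statement inside hvf_get_supported_cpuid() and not a macro body. Drop the "\" and let the expression continue on the next line, aligned with the first operand, to match the single-line ecx mask just above it.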
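Review bot: in the MDS-NO patch's target/i386/cpu.c hunk (@@ -1184,7 +1184,7 @@), "mds-no" is identified only by its position in feat_names (index 5, right after "ssb-no"); the commit message names ARCH_CAP_MDS_NO, but the diff shown touches only cpu.c and defines no such constant, whereas the md-clear patch adds CPUID_7_0_EDX_MD_CLEAR to cpu.h. Add the matching define next to the other IA32_ARCH_CAPABILITIES bits so the bit number is stated once in code and not only implied by array order. The commit message should also note that a guest which sees mds-no treats itself as not vulnerable, so the flag belongs only on guests whose every possible host, including migration targets, reports it.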
Bug#929067: marked as done (Support for MDS)
Your message dated Mon, 03 Jun 2019 10:02:18 +
with message-id
and subject line Bug#929067: fixed in qemu 1:2.8+dfsg-6+deb9u6
has caused the Debian Bug report #929067,
regarding Support for MDS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
929067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: qemu-system-x86
Severity: grave
Tags: security

These are not upstreamed due to the embargo period, but I'm attaching the 3.1
patches from Ubuntu 19.04.

Cheers,
Moritz

From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Fri, 1 Mar 2019 21:40:52 +0100
Subject: [qemu PATCH] target/i386: define md-clear bit

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction. Add the new feature, and pass it down to
Hypervisor.framework guests.

Signed-off-by: Paolo Bonzini
[Backported to qemu 3.1 - sbeattie]
---
The last hunk is only needed for OS X, but anyway this is going to be
the patch that will be committed upstream.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 target/i386/cpu.c           | 2 +-
 target/i386/cpu.h           | 1 +
 target/i386/hvf/x86_cpuid.c | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c index d990070c59..16da90562c 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
@@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .feat_names = { NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", NULL, NULL, NULL, NULL, -NULL, NULL, NULL, NULL, +NULL, NULL, "md-clear", NULL, NULL, NULL, NULL, NULL, NULL, NULL, "pconfig", NULL, NULL, NULL, NULL, NULL, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 26412f15eb..cbfab1a421 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -692,6 +692,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ +#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ #define CPUID_7_0_EDX_PCONFIG (1U << 18) /* Platform Configuration */ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c index 9874a46e92..f76ba50424 100644 --- a/target/i386/hvf/x86_cpuid.c +++ b/target/i386/hvf/x86_cpuid.c @@ -103,7 +103,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, } ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; -edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; +edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ + CPUID_7_0_EDX_MD_CLEAR; } else { ebx = 0; ecx = 0; -- 2.20.1 From: Paolo Bonzini Subject: [PATCH] target/i386: add MDS-NO feature Microarchitectural Data Sampling is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable, make it available to guests. Signed-off-by: Paolo Bonzini -- CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 
diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 722c5514d4..558347e6c3 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1184,7 +1184,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .type = MSR_FEATURE_WORD, .feat_names = { "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", -"ssb-no", NULL, NULL, NULL, +"ssb-no", "mds-no", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, --- End Message --- --- Begin Message --- Source: qemu Source-Version: 1:2.8+dfsg-6+deb9u6 We believe that the bug you reported is fixed in the latest version of qemu, which is due to be installed in the Debian FTP archive. A summary of the changes between this
Bug#929067: marked as done (Support for MDS)
Your message dated Tue, 28 May 2019 07:18:46 +
with message-id
and subject line Bug#929067: fixed in qemu 1:3.1+dfsg-8
has caused the Debian Bug report #929067,
regarding Support for MDS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
929067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: qemu-system-x86
Severity: grave
Tags: security

These are not upstreamed due to the embargo period, but I'm attaching the 3.1
patches from Ubuntu 19.04.

Cheers,
Moritz

From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Fri, 1 Mar 2019 21:40:52 +0100
Subject: [qemu PATCH] target/i386: define md-clear bit

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction. Add the new feature, and pass it down to
Hypervisor.framework guests.

Signed-off-by: Paolo Bonzini
[Backported to qemu 3.1 - sbeattie]
---
The last hunk is only needed for OS X, but anyway this is going to be
the patch that will be committed upstream.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 target/i386/cpu.c           | 2 +-
 target/i386/cpu.h           | 1 +
 target/i386/hvf/x86_cpuid.c | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c index d990070c59..16da90562c 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
@@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .feat_names = { NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", NULL, NULL, NULL, NULL, -NULL, NULL, NULL, NULL, +NULL, NULL, "md-clear", NULL, NULL, NULL, NULL, NULL, NULL, NULL, "pconfig", NULL, NULL, NULL, NULL, NULL, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 26412f15eb..cbfab1a421 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -692,6 +692,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ +#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ #define CPUID_7_0_EDX_PCONFIG (1U << 18) /* Platform Configuration */ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c index 9874a46e92..f76ba50424 100644 --- a/target/i386/hvf/x86_cpuid.c +++ b/target/i386/hvf/x86_cpuid.c @@ -103,7 +103,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, } ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; -edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; +edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ + CPUID_7_0_EDX_MD_CLEAR; } else { ebx = 0; ecx = 0; -- 2.20.1 From: Paolo Bonzini Subject: [PATCH] target/i386: add MDS-NO feature Microarchitectural Data Sampling is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable, make it available to guests. Signed-off-by: Paolo Bonzini -- CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 
diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 722c5514d4..558347e6c3 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1184,7 +1184,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .type = MSR_FEATURE_WORD, .feat_names = { "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", -"ssb-no", NULL, NULL, NULL, +"ssb-no", "mds-no", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, --- End Message --- --- Begin Message --- Source: qemu Source-Version: 1:3.1+dfsg-8 We believe that the bug you reported is fixed in the latest version of qemu, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the