Your message dated Tue, 28 May 2019 07:18:46 +0000
with message-id <e1hvwni-0006d5...@fasolo.debian.org>
and subject line Bug#929067: fixed in qemu 1:3.1+dfsg-8
has caused the Debian Bug report #929067,
regarding Support for MDS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu-system-x86
Severity: grave
Tags: security

These are not upstreamed due to the embargo period, but I'm attaching
the 3.1 patches from Ubuntu 19.04.

Cheers,
        Moritz
From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonz...@redhat.com>
Date: Fri, 1 Mar 2019 21:40:52 +0100
Subject: [qemu PATCH] target/i386: define md-clear bit

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction.  Add the new feature, and pass it down to
Hypervisor.framework guests.

Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>

[Backported to qemu 3.1 - sbeattie]

---
        The last hunk is only needed for OS X, but anyway this is going
        to be the patch that will be committed upstream.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 target/i386/cpu.c           | 2 +-
 target/i386/cpu.h           | 1 +
 target/i386/hvf/x86_cpuid.c | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index d990070c59..16da90562c 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = 
{
         .feat_names = {
             NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
             NULL, NULL, NULL, NULL,
-            NULL, NULL, NULL, NULL,
+            NULL, NULL, "md-clear", NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, "pconfig", NULL,
             NULL, NULL, NULL, NULL,
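Review bot: The "md-clear" entry in the third row of .feat_names only makes the bit nameable; the diffstat shows this is the single line changed in cpu.c, so no CPU model definition in this file gains the bit by default. State in the commit message that the flag has to be requested for a guest, or follow up with the model updates, so that nobody reads the package upgrade alone as exposing md-clear to guests.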
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 26412f15eb..cbfab1a421 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -692,6 +692,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
 
 #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network 
Instructions */
 #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation 
Single Precision */
+#define CPUID_7_0_EDX_MD_CLEAR      (1U << 10) /* Microarchitectural Data 
Clear */
 #define CPUID_7_0_EDX_PCONFIG (1U << 18)       /* Platform Configuration */
 #define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Speculation Control */
 #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)  /*Arch Capabilities*/
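Review bot: The comment on the new CPUID_7_0_EDX_MD_CLEAR define only expands the acronym and does not say what the bit promises. The commit message explains that it is set when microcode lets VERW flush the affected CPU buffers; put that in the comment, for example "VERW clears CPU buffers", so the meaning is visible where the constant is used.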
diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
index 9874a46e92..f76ba50424 100644
--- a/target/i386/hvf/x86_cpuid.c
+++ b/target/i386/hvf/x86_cpuid.c
@@ -103,7 +103,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t 
idx,
             }
 
             ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
-            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
+            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | 
\
+                   CPUID_7_0_EDX_MD_CLEAR;
         } else {
             ebx = 0;
             ecx = 0;
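Review bot: The trailing backslash after CPUID_7_0_EDX_AVX512_4FMAPS | on the new edx &= line is unnecessary, since this is an ordinary statement and not a macro body. Drop it and let the expression continue on the next line; the ecx mask just above is written without any continuation character.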
-- 
2.20.1

From: Paolo Bonzini <pbonz...@redhat.com>
Subject: [PATCH] target/i386: add MDS-NO feature

Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access to data which is available in various CPU
internal buffers.

Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES
MSR to report that they are not vulnerable; make it available to guests.

Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
--
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 722c5514d4..558347e6c3 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1184,7 +1184,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = 
{
         .type = MSR_FEATURE_WORD,
         .feat_names = {
             "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
-            "ssb-no", NULL, NULL, NULL,
+            "ssb-no", "mds-no", NULL, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
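Review bot: The "mds-no" name at slot 5 of this MSR feature word has no matching constant. The commit message refers to ARCH_CAP_MDS_NO, but this patch touches only cpu.c and defines nothing by that name, whereas the md-clear patch added CPUID_7_0_EDX_MD_CLEAR to cpu.h next to its table entry. Add the bit-5 define in the same change so later code can test the capability without a magic number.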


--- End Message ---
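Added example (not part of the original messages or of QEMU's code): a small C classifier showing how a guest-side check would interpret the two bits these patches expose, using the bit positions from the hunks above. The function and enum names are hypothetical, and the sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions taken from the patches above. */
#define CPUID_7_0_EDX_MD_CLEAR          (1U << 10)
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
#define ARCH_CAP_MDS_NO                 (1ULL << 5) /* "mds-no", slot 5 */

enum mds_state {
    MDS_NOT_AFFECTED,      /* CPU reports MDS_NO */
    MDS_CLEAR_AVAILABLE,   /* VERW buffer flush is advertised */
    MDS_NOTHING_ADVERTISED /* neither bit is visible to the guest */
};

/* edx: CPUID.(EAX=7,ECX=0):EDX as the guest sees it. arch_cap: value of
 * IA32_ARCH_CAPABILITIES, ignored unless CPUID bit 29 enumerates the MSR. */
enum mds_state classify_mds(uint32_t edx, uint64_t arch_cap)
{
    if ((edx & CPUID_7_0_EDX_ARCH_CAPABILITIES) && (arch_cap & ARCH_CAP_MDS_NO))
        return MDS_NOT_AFFECTED;
    if (edx & CPUID_7_0_EDX_MD_CLEAR)
        return MDS_CLEAR_AVAILABLE;
    return MDS_NOTHING_ADVERTISED;
}

const char *mds_state_name(enum mds_state s)
{
    switch (s) {
    case MDS_NOT_AFFECTED:    return "not affected (mds-no)";
    case MDS_CLEAR_AVAILABLE: return "mitigation available (md-clear)";
    default:                  return "no MDS bits advertised";
    }
}

int main(void)
{
    /* Constructed sample register values, not captured from real hardware. */
    static const struct { const char *label; uint32_t edx; uint64_t cap; } s[] = {
        { "guest without either flag",           0, 0 },
        { "guest started with md-clear",         1U << 10, 0 },
        { "guest with ARCH_CAPABILITIES, mds-no", 1U << 29, 1ULL << 5 },
        { "stale MSR value, MSR not enumerated",  1U << 10, 1ULL << 5 },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-40s -> %s\n", s[i].label,
               mds_state_name(classify_mds(s[i].edx, s[i].cap)));
    return 0;
}
```

The last sample shows why the MSR value is trusted only when CPUID bit 29 is set: without that bit the guest has no architectural way to read IA32_ARCH_CAPABILITIES, so an MDS_NO bit in it must not be counted.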
--- Begin Message ---
Source: qemu
Source-Version: 1:3.1+dfsg-8

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 May 2019 07:49:25 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-data qemu-system-common qemu-system-gui qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:3.1+dfsg-8
Distribution: unstable
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description:
 qemu       - fast processor emulator, dummy package
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-data - QEMU full system emulation (data files)
 qemu-system-gui - QEMU full system emulation binaries (user interface and audio sup
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 927439 927763 929067 929261 929353
Changes:
 qemu (1:3.1+dfsg-8) unstable; urgency=high
 .
   * sun4u-add-power_mem_read-routine-CVE-2019-5008.patch
     fixes a null-pointer dereference in sparc/sun4u emulated hw
     Closes: #927439, CVE-2019-5008
   * enable-md-no.patch & enable-md-clear.patch
     mitigation for MDS (Microarchitectural Data Sampling) issues
     Closes: #929067,
     CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
   * qxl-check-release-info-object-CVE-2019-12155.patch
     fixes null-pointer deref in qxl cleanup code
     Closes: #929353, CVE-2019-12155
   * aarch32-exception-return-to-switch-from-hyp-mon.patch
     fixes booting U-Boot in UEFI mode on aarch32
     Closes: #927763
   * stop qemu-system-common pre-depending on adduser
     Closes: #929261

--- End Message ---