[opensuse-kernel] SUSE-SU-2014:0459-1: important: Security update for Linux Kernel
opensuse-security@opensuse.org wrote:
An update that solves 6 vulnerabilities and has 28 fixes is now available. It includes one version update.
Description:
The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix various bugs and security issues.
------------------------------------------------------------ ------------ WARNING: If you are running KVM with PCI pass-through on a system with one of the following Intel chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or X58 (revisions 0x12, 0x13, 0x22), please make sure to read the following support document before installing this update: https://www.suse.com/support/kb/doc.php?id=7014344 <https://www.suse.com/support/kb/doc.php?id=7014344> . You will have to update your KVM setup to no longer make use of PCI pass-through before rebooting to the updated kernel. ------------------------------------------------------------
The above doesn't seem to be a security update as a rare hw problem. The listed test on the linked page doesn't seem to work correctly. It doesn't echo that my system is 'affected', (even though it is). It seems the "-q" option is at fault. w/-q: # /sbin/lspci -nn | grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' && echo "Interrupt remapping is broken" # w/o -q: # /sbin/lspci -nn | grep -E '8086:(340[36].*rev 13|3405.*rev (12|13|22))' && echo "Interrupt remapping is broken" 00:00.0 Host bridge [0600]: Intel Corporation 5520 I/O Hub to ESI Port [8086:3406] (rev 13) Interrupt remapping is broken looks like it has something to do with the pipefail section in bash, as this works: # grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' < <(lspci -nn) && echo "Interrupt remapping is broken" Interrupt remapping is broken FWIW, having run this HW for 4+ years, I've never seen any of the warning messages that they indicate are symptoms of this problem, I did see the warning in the kernel about the problem and that my kernel was then marked tainted -- EVEN THOUGH, interrupt remapping had been turned off! ... Why implement a workaround that taints your kernel? I.e. isn't the workaround supposed to protect your kernel from becoming tainted? -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
Hi Linda, Le Saturday 29 March 2014 à 05:07 -0700, Linda Walsh a écrit :
opensuse-security@opensuse.org wrote:
An update that solves 6 vulnerabilities and has 28 fixes is now available. It includes one version update.
Description:
The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix various bugs and security issues.
First of all: you are discussing a SLES kernel update on an opensuse mailing list. This is off-topic. I suppose I shouldn't even reply, but the shell code quoted below is mine so... If you have any problem with SLES maintenance updates then reporting them here is not the right way to get your problem sorted out. Please use the proper support channel.
------------------------------------------------------------ ------------ WARNING: If you are running KVM with PCI pass-through on a system with one of the following Intel chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or X58 (revisions 0x12, 0x13, 0x22), please make sure to read the following support document before installing this update: https://www.suse.com/support/kb/doc.php?id=7014344 <https://www.suse.com/support/kb/doc.php?id=7014344> . You will have to update your KVM setup to no longer make use of PCI pass-through before rebooting to the updated kernel. ------------------------------------------------------------
The above doesn't seem to be a security update as a rare hw problem.
No claim was made that the change described above is a security update.
The listed test on the linked page doesn't seem to work correctly.
It doesn't echo that my system is 'affected', (even though it is).
It seems the "-q" option is at fault. w/-q: # /sbin/lspci -nn | grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' && echo "Interrupt remapping is broken" #
w/o -q: # /sbin/lspci -nn | grep -E '8086:(340[36].*rev 13|3405.*rev (12|13|22))' && echo "Interrupt remapping is broken" 00:00.0 Host bridge [0600]: Intel Corporation 5520 I/O Hub to ESI Port [8086:3406] (rev 13) Interrupt remapping is broken
looks like it has something to do with the pipefail section in bash, as this works:
# grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' < <(lspci -nn) && echo "Interrupt remapping is broken" Interrupt remapping is broken
This is very odd. The original command works just fine for me on both openSUSE 13.1 (which is what my personal affected machine appears to be running) and SLES 11 SP3. I have pipefail set to off everywhere, which I think is the default. I'm not even sure how it would matter though, as grep option -q should only affect the output, not the exit status.
FWIW, having run this HW for 4+ years, I've never seen any of the warning messages that they indicate are symptoms of this problem, I did see the warning in the kernel about the problem and that my kernel was then marked tainted -- EVEN THOUGH, interrupt remapping had been turned off! ...
Why implement a workaround that taints your kernel? I.e. isn't the workaround supposed to protect your kernel from becoming tainted?
The workaround is only implemented at some point in time while the system is booted. I suppose that the problem could happen before that? It is also possible that the fact that the BIOS did initialize the system with interrupt remapping enabled, makes it vulnerable even if the OS doesn't make use of the feature, I'm not sure. The preferred fix is to have the feature disabled as soon as possible, that is, at the BIOS level. Anyway, the tainting is not a decision by SUSE. This is what the upstream kernel does. We merely backported a decision made by the upstream developers, assuming they knew what they were doing. If the tainting bothers you, I believe you can boot with parameter intremap=off to get rid of it. -- Jean Delvare SUSE L3 Support -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
participants (2)
-
Jean Delvare
-
Linda Walsh