Mailinglist Archive: opensuse-kernel (75 mails)

Re: [opensuse-kernel] SUSE-SU-2014:0459-1: important: Security update for Linux Kernel
Hi Linda,

On Saturday 29 March 2014 at 05:07 -0700, Linda Walsh wrote:
opensuse-security@xxxxxxxxxxxx wrote:
An update that solves 6 vulnerabilities and has 28 fixes is
now available. It includes one version update.

Description:


The SUSE Linux Enterprise 11 Service Pack 3 kernel was
updated to fix various bugs and security issues.

First of all: you are discussing a SLES kernel update on an opensuse
mailing list. This is off-topic. I suppose I shouldn't even reply, but
the shell code quoted below is mine so...

If you have any problem with SLES maintenance updates then reporting
them here is not the right way to get your problem sorted out. Please
use the proper support channel.


------------------------------------------------------------------------
WARNING: If you are running KVM with PCI
pass-through on a system with one of the following Intel
chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or
X58 (revisions 0x12, 0x13, 0x22), please make sure to read
the following support document before installing this
update:
https://www.suse.com/support/kb/doc.php?id=7014344 . You
will have to update your KVM setup to no longer make use
of PCI pass-through before rebooting to the updated
kernel.
------------------------------------------------------------------------

The above doesn't seem to be a security update as a rare hw problem.


No claim was made that the change described above is a security update.

The listed test on the linked page doesn't seem to work correctly.

It doesn't echo that my system is 'affected', (even though it is).

It seems the "-q" option is at fault.
w/-q:
# /sbin/lspci -nn | grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' &&
echo "Interrupt remapping is broken"
#

w/o -q:
# /sbin/lspci -nn | grep -E '8086:(340[36].*rev 13|3405.*rev (12|13|22))' &&
echo "Interrupt remapping is broken"
00:00.0 Host bridge [0600]: Intel Corporation 5520 I/O Hub to ESI Port [8086:3406] (rev 13)
Interrupt remapping is broken

looks like it has something to do with the pipefail section in bash, as
this works:

# grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' < <(lspci -nn) &&
echo "Interrupt remapping is broken"
Interrupt remapping is broken

This is very odd. The original command works just fine for me on both
openSUSE 13.1 (which is what my personal affected machine appears to be
running) and SLES 11 SP3.

I have pipefail set to off everywhere, which I think is the default. I'm
not even sure how it would matter though, as grep option -q should only
affect the output, not the exit status.

FWIW, having run this HW for 4+ years, I've never seen any of the warning
messages that they indicate are symptoms of this problem, I did
see the warning in the kernel about the problem and that my kernel
was then marked tainted -- EVEN THOUGH, interrupt remapping had
been turned off! ...

Why implement a workaround that taints your kernel? I.e. isn't the workaround
supposed to protect your kernel from becoming tainted?

The workaround is only implemented at some point in time while the
system is booted. I suppose that the problem could happen before that?
It is also possible that the fact that the BIOS did initialize the
system with interrupt remapping enabled, makes it vulnerable even if the
OS doesn't make use of the feature, I'm not sure. The preferred fix is
to have the feature disabled as soon as possible, that is, at the BIOS
level.

Anyway, the tainting is not a decision by SUSE. This is what the
upstream kernel does. We merely backported a decision made by the
upstream developers, assuming they knew what they were doing.

If the tainting bothers you, I believe you can boot with parameter
intremap=off to get rid of it.

--
Jean Delvare
SUSE L3 Support
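
Added example, not part of either poster's message or of the SUSE support document: a bash sketch of one way the pipefail option can keep the advisory's "lspci | grep -q" check silent on an affected host, because grep -q exits at the first match and a producer that is still writing then fails, which pipefail reports as the pipeline's status. The thread does not establish that this is what happened on the reporter's machine; sample_lspci, its filler lines and the check_* function names are constructed for the illustration.

```shell
#!/bin/bash
# Pattern from the thread: affected Intel 5500/5520/X58 device IDs and revisions.
PATTERN='8086:(340[36].*rev 13|3405.*rev (12|13|22))'

# Constructed stand-in for `lspci -nn`: the matching line quoted in the thread,
# then about 1 MB of filler so the producer is still writing after grep -q exits.
sample_lspci() {
    echo '00:00.0 Host bridge [0600]: Intel Corporation 5520 I/O Hub to ESI Port [8086:3406] (rev 13)'
    i=0
    while [ "$i" -lt 20000 ]; do
        # A write to the closed pipe kills this subshell with SIGPIPE (status 141),
        # or fails with EPIPE if SIGPIPE is ignored; either way stop with non-zero.
        echo "ff:1f.7 Filler [0000]: constructed padding line $i" 2>/dev/null || return 1
        i=$((i + 1))
    done
}

# Advisory-style pipeline. Its status is grep's status only while pipefail is off.
check_piped() { sample_lspci | grep -qE "$PATTERN"; }

# Same pipeline with pipefail on: the producer's failure becomes the status,
# so a following `&& echo ...` never runs even though grep matched.
check_piped_pipefail() { ( set -o pipefail; sample_lspci | grep -qE "$PATTERN" ); }

# Robust form: collect all output first, then match it from a here-document,
# so no producer is left writing into a pipe that grep has already closed.
check_captured() {
    out=$(sample_lspci) || return 2
    grep -qE "$PATTERN" <<EOF
$out
EOF
}

for f in check_piped check_piped_pipefail check_captured; do
    if "$f"; then
        echo "$f: Interrupt remapping is broken"
    else
        echo "$f: no match reported (status $?)"
    fi
done
```

On a real host, replace sample_lspci with /sbin/lspci -nn in check_captured; `set -o | grep pipefail` shows whether the option is active in the current shell.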
