Bug 1079869 - VUL-0: libvirt: fixes for speculative side channel attacks aka "SpectreAttack" (var2)
VUL-0: libvirt: fixes for speculative side channel attacks aka "SpectreAttac...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/194957/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-07 15:25 UTC by Marcus Meissner
Modified: 2018-10-18 17:07 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-02-07 15:25:17 UTC
+++ This bug was initially created as a clone of Bug #1068032 +++

This bug tracks SPectre v2 fixes for libvirt.
Comment 1 Cédric Bosdonnat 2018-02-07 15:50:59 UTC
The fixes are ready in Devel:Virt for SLE-11-SP4, SLE-12-SP2 and SLE-12-SP3. The submission will be synchronized with the corresponding qemu submission.

libvirt-4.0.0 in Factory and thus SLE-15 already has the patches.
Comment 6 Swamp Workflow Management 2018-03-29 10:12:27 UTC
SUSE-SU-2018:0838-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1055365,1076500,1079869,1083061,1083625
CVE References: CVE-2017-5715,CVE-2018-1064,CVE-2018-5748
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libvirt-1.2.5-23.6.1
SUSE Linux Enterprise Server 11-SP4 (src):    libvirt-1.2.5-23.6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libvirt-1.2.5-23.6.1
Comment 7 Swamp Workflow Management 2018-04-03 19:08:37 UTC
SUSE-SU-2018:0861-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1078808,1079869,1080042,1082041,1083625
CVE References: CVE-2017-5715,CVE-2018-1064,CVE-2018-6764
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libvirt-2.0.0-27.34.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libvirt-2.0.0-27.34.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libvirt-2.0.0-27.34.1
SUSE Linux Enterprise Server 12-SP2 (src):    libvirt-2.0.0-27.34.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libvirt-2.0.0-27.34.1
Comment 8 Swamp Workflow Management 2018-04-11 10:12:18 UTC
SUSE-SU-2018:0920-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1054986,1067018,1070615,1079869,1080042,1082041,1082161,1083625,1085757,1086038
CVE References: CVE-2017-5715,CVE-2018-1064,CVE-2018-6764
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libvirt-3.3.0-5.19.2
SUSE Linux Enterprise Server 12-SP3 (src):    libvirt-3.3.0-5.19.2, virt-manager-1.4.1-5.8.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libvirt-3.3.0-5.19.2, virt-manager-1.4.1-5.8.1
Comment 9 Swamp Workflow Management 2018-04-12 22:10:00 UTC
openSUSE-SU-2018:0939-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1054986,1067018,1070615,1079869,1080042,1082041,1082161,1083625,1085757,1086038
CVE References: CVE-2017-5715,CVE-2018-1064,CVE-2018-6764
Sources used:
openSUSE Leap 42.3 (src):    libvirt-3.3.0-15.1, virt-manager-1.4.1-9.1
Comment 11 James Fehlig 2018-05-03 20:55:01 UTC
I've tested Cedric's SP3 backports on the SandyBridge machine used to debug regressions in the SLE11 SP4 backports. I started with a fresh install of SP3, applied all updates, then applied all updates from the Teradata repo, then installed libvirt with the backports. The host CPU model was correctly identified as SandyBridge-IBRS. Starting a VM with <cpu mode='host-model'> results in qemu invoked with

-cpu SandyBridge,+spec-ctrl,+pdpe1gb,+osxsave,+dca,+pcid,+pdcm,+xtpr,+tm2,+est,+smx,+vmx,+ds_cpl,+monitor,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,+vme

spec-ctrl is seen in the VM. I also tested the libvirt backports with Bruce's latest updates to the SLE11 SP3 kvm package and things look a little better from the VM's point of view. It only sees ibrs instead of ibrs and stibp.

I'll submit the libvirt patches to SUSE:SLE-11-SP3:Update shortly. AFAIK, it was agreed that the patches were not needed for SLE11 SP1. So I think we are done here. Passing the bug back to security team...
Comment 13 Bruce Rogers 2018-05-03 22:35:03 UTC
(In reply to James Fehlig from comment #11)
> I've tested Cedric's SP3 backports on the SandyBridge machine used to debug
> regressions in the SLE11 SP4 backports. I started with a fresh install of
> SP3, applied all updates, then applied all updates from the Teradata repo,
> then installed libvirt with the backports. The host CPU model was correctly
> identified as SandyBridge-IBRS. Starting a VM with <cpu mode='host-model'>
> results in qemu invoked with
> 
> -cpu
> SandyBridge,+spec-ctrl,+pdpe1gb,+osxsave,+dca,+pcid,+pdcm,+xtpr,+tm2,+est,
> +smx,+vmx,+ds_cpl,+monitor,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,+vme
> 
> spec-ctrl is seen in the VM. I also tested the libvirt backports with
> Bruce's latest updates to the SLE11 SP3 kvm package and things look a little
> better from the VM's point of view. It only sees ibrs instead of ibrs and
> stibp.
> 
> I'll submit the libvirt patches to SUSE:SLE-11-SP3:Update shortly. AFAIK, it
> was agreed that the patches were not needed for SLE11 SP1. So I think we are
> done here. Passing the bug back to security team...

We've not been asked for it, but I think now would be the right time to also submit the kvm package which corresponds to the libvirt patches here (similar to the last time we coordinated qemu/kvm and libvirt submissions). Our kvm package is ready to go.
Comment 14 James Fehlig 2018-05-03 22:46:44 UTC
(In reply to Bruce Rogers from comment #13)
> We've not been asked for it, but I think now would be the right time to also
> submit the kvm package which corresponds to the libvirt patches here
> (similar to the last time we coordinated qemu/kvm and libvirt submissions).
> Our kvm package is ready to go.

I've tested this latest kvm package and libvirt now creates a more reasonable -cpu option:

-cpu SandyBridge-IBRS,+pdpe1gb,+osxsave,+dca,+pcid,+pdcm,+xtpr,+tm2,+est,+smx,+vmx,+ds_cpl,+monitor,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,+vme
Comment 15 Johannes Segitz 2018-05-04 11:26:23 UTC
(In reply to Bruce Rogers from comment #13)
yes, please submit
Comment 16 Bruce Rogers 2018-05-04 13:52:29 UTC
(In reply to Johannes Segitz from comment #15)
> (In reply to Bruce Rogers from comment #13)
> yes, please submit

MR#164443
Comment 17 Swamp Workflow Management 2018-05-15 16:13:01 UTC
SUSE-SU-2018:1295-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1025340,1076500,1079869,1083625,1087887,1088147,936233,960742
CVE References: CVE-2017-5715,CVE-2018-1064,CVE-2018-5748
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    libvirt-1.0.5.9-21.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libvirt-1.0.5.9-21.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libvirt-1.0.5.9-21.5.1
Comment 19 Swamp Workflow Management 2018-07-30 22:07:57 UTC
SUSE-SU-2018:2141-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1076500,1079869,1083625,1092885,854343,897352,954872,956298,964465,968483,980558,987527
CVE References: CVE-2016-5008,CVE-2017-5715,CVE-2018-1064,CVE-2018-3639,CVE-2018-5748
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    libvirt-1.2.5-27.13.1
Comment 20 Swamp Workflow Management 2018-09-06 10:12:38 UTC
SUSE-SU-2018:2631-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1079869,1091427,1094325,1094725,1100112,959329
CVE References: CVE-2017-5715
Sources used:
SUSE OpenStack Cloud 7 (src):    libvirt-2.0.0-27.45.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libvirt-2.0.0-27.45.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libvirt-2.0.0-27.45.1
SUSE Enterprise Storage 4 (src):    libvirt-2.0.0-27.45.1
Comment 21 Marcus Meissner 2018-09-07 13:03:46 UTC
done
Comment 22 Swamp Workflow Management 2018-10-18 17:07:59 UTC
SUSE-SU-2018:2631-2: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1079869,1091427,1094325,1094725,1100112,959329
CVE References: CVE-2017-5715
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libvirt-2.0.0-27.45.1