This bug was fixed in the package linux - 4.13.0-25.29

---------------
linux (4.13.0-25.29) artful; urgency=low

  * linux: 4.13.0-25.29 -proposed tracker (LP: #1741955)

  * CVE-2017-5754
    - Revert "UBUNTU: [Config] updateconfigs to enable PTI"
    - [Config] Enable PTI with UNWINDER_FRAME_POINTER

linux (4.13.0-24.28) artful; urgency=low

  * linux: 4.13.0-24.28 -proposed tracker (LP: #1741745)

  * CVE-2017-5754
    - x86/cpu, x86/pti: Do not enable PTI on AMD processors

linux (4.13.0-23.27) artful; urgency=low

  * linux: 4.13.0-23.27 -proposed tracker (LP: #1741556)

  [ Kleber Sacilotto de Souza ]
  * CVE-2017-5754
    - x86/mm: Add the 'nopcid' boot option to turn off PCID
    - x86/mm: Enable CR4.PCIDE on supported systems
    - x86/mm: Document how CR4.PCIDE restore works
    - x86/entry/64: Refactor IRQ stacks and make them NMI-safe
    - x86/entry/64: Initialize the top of the IRQ stack before switching stacks
    - x86/entry/64: Add unwind hint annotations
    - xen/x86: Remove SME feature in PV guests
    - x86/xen/64: Rearrange the SYSCALL entries
    - irq: Make the irqentry text section unconditional
    - x86/xen/64: Fix the reported SS and CS in SYSCALL
    - x86/paravirt/xen: Remove xen_patch()
    - x86/traps: Simplify pagefault tracing logic
    - x86/idt: Unify gate_struct handling for 32/64-bit kernels
    - x86/asm: Replace access to desc_struct:a/b fields
    - x86/xen: Get rid of paravirt op adjust_exception_frame
    - x86/paravirt: Remove no longer used paravirt functions
    - x86/entry: Fix idtentry unwind hint
    - x86/mm/64: Initialize CR4.PCIDE early
    - objtool: Add ORC unwind table generation
    - objtool, x86: Add facility for asm code to provide unwind hints
    - x86/unwind: Add the ORC unwinder
    - x86/kconfig: Consolidate unwinders into multiple choice selection
    - objtool: Upgrade libelf-devel warning to error for CONFIG_ORC_UNWINDER
    - x86/ldt/64: Refresh DS and ES when modify_ldt changes an entry
    - x86/mm: Give each mm TLB flush generation a unique ID
    - x86/mm: Track the TLB's tlb_gen and update the flushing algorithm
    - x86/mm: Rework lazy TLB mode and TLB freshness tracking
    - x86/mm: Implement PCID based optimization: try to preserve old TLB entries using PCID
    - x86/mm: Factor out CR3-building code
    - x86/mm/64: Stop using CR3.PCID == 0 in ASID-aware code
    - x86/mm: Flush more aggressively in lazy TLB mode
    - Revert "x86/mm: Stop calling leave_mm() in idle code"
    - kprobes/x86: Set up frame pointer in kprobe trampoline
    - x86/tracing: Introduce a static key for exception tracing
    - x86/boot: Add early cmdline parsing for options with arguments
    - mm, x86/mm: Fix performance regression in get_user_pages_fast()
    - x86/asm: Remove unnecessary \n\t in front of CC_SET() from asm templates
    - objtool: Don't report end of section error after an empty unwind hint
    - x86/head: Remove confusing comment
    - x86/head: Remove unused 'bad_address' code
    - x86/head: Fix head ELF function annotations
    - x86/boot: Annotate verify_cpu() as a callable function
    - x86/xen: Fix xen head ELF annotations
    - x86/xen: Add unwind hint annotations
    - x86/head: Add unwind hint annotations
    - ACPI / APEI: adjust a local variable type in ghes_ioremap_pfn_irq()
    - x86/unwinder: Make CONFIG_UNWINDER_ORC=y the default in the 64-bit defconfig
    - x86/fpu/debug: Remove unused 'x86_fpu_state' and 'x86_fpu_deactivate_state' tracepoints
    - x86/unwind: Rename unwinder config options to 'CONFIG_UNWINDER_*'
    - x86/unwind: Make CONFIG_UNWINDER_ORC=y the default in kconfig for 64-bit
    - bitops: Add clear/set_bit32() to linux/bitops.h
    - x86/cpuid: Add generic table for CPUID dependencies
    - x86/fpu: Parse clearcpuid= as early XSAVE argument
    - x86/fpu: Make XSAVE check the base CPUID features before enabling
    - x86/fpu: Remove the explicit clearing of XSAVE dependent features
    - x86/platform/UV: Convert timers to use timer_setup()
    - objtool: Print top level commands on incorrect usage
    - x86/cpuid: Prevent out of bound access in do_clear_cpu_cap()
    - x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
    - mm/sparsemem: Allocate mem_section at runtime for CONFIG_SPARSEMEM_EXTREME=y
    - x86/kasan: Use the same shadow offset for 4- and 5-level paging
    - x86/xen: Provide pre-built page tables only for CONFIG_XEN_PV=y and CONFIG_XEN_PVH=y
    - x86/xen: Drop 5-level paging support code from the XEN_PV code
    - ACPI / APEI: remove the unused dead-code for SEA/NMI notification type
    - x86/asm: Don't use the confusing '.ifeq' directive
    - x86/build: Beautify build log of syscall headers
    - x86/mm/64: Rename the register_page_bootmem_memmap() 'size' parameter to 'nr_pages'
    - x86/cpufeatures: Enable new SSE/AVX/AVX512 CPU features
    - x86/mm: Relocate page fault error codes to traps.h
    - x86/boot: Relocate definition of the initial state of CR0
    - ptrace,x86: Make user_64bit_mode() available to 32-bit builds
    - x86/entry/64: Remove the restore_c_regs_and_iret label
    - x86/entry/64: Split the IRET-to-user and IRET-to-kernel paths
    - x86/entry/64: Move SWAPGS into the common IRET-to-usermode path
    - x86/entry/64: Simplify reg restore code in the standard IRET paths
    - x86/entry/64: Shrink paranoid_exit_restore and make labels local
    - x86/entry/64: Use pop instead of movq in syscall_return_via_sysret
    - x86/entry/64: Merge the fast and slow SYSRET paths
    - x86/entry/64: Use POP instead of MOV to restore regs on NMI return
    - x86/entry/64: Remove the RESTORE_..._REGS infrastructure
    - xen, x86/entry/64: Add xen NMI trap entry
    - x86/entry/64: De-Xen-ify our NMI code
    - x86/entry/32: Pull the MSR_IA32_SYSENTER_CS update code out of native_load_sp0()
    - x86/entry/64: Pass SP0 directly to load_sp0()
    - x86/entry: Add task_top_of_stack() to find the top of a task's stack
    - x86/xen/64, x86/entry/64: Clean up SP code in cpu_initialize_context()
    - x86/entry/64: Stop initializing TSS.sp0 at boot
    - x86/entry/64: Remove all remaining direct thread_struct::sp0 reads
    - x86/entry/32: Fix cpu_current_top_of_stack initialization at boot
    - x86/entry/64: Remove thread_struct::sp0
    - x86/traps: Use a new on_thread_stack() helper to clean up an assertion
    - x86/entry/64: Shorten TEST instructions
    - x86/cpuid: Replace set/clear_bit32()
    - bitops: Revert cbe96375025e ("bitops: Add clear/set_bit32() to linux/bitops.h")
    - x86/mm: Define _PAGE_TABLE using _KERNPG_TABLE
    - x86/cpufeatures: Re-tabulate the X86_FEATURE definitions
    - x86/cpufeatures: Fix various details in the feature definitions
    - selftests/x86/protection_keys: Fix syscall NR redefinition warnings
    - selftests/x86/ldt_gdt: Robustify against set_thread_area() and LAR oddities
    - selftests/x86/ldt_gdt: Add infrastructure to test set_thread_area()
    - selftests/x86/ldt_gdt: Run most existing LDT test cases against the GDT as well
    - selftests/x86/ldt_get: Add a few additional tests for limits
    - ACPI / APEI: Replace ioremap_page_range() with fixmap
    - x86/virt, x86/platform: Merge 'struct x86_hyper' into 'struct x86_platform' and 'struct x86_init'
    - x86/virt: Add enum for hypervisors to replace x86_hyper
    - drivers/misc/intel/pti: Rename the header file to free up the namespace
    - x86/cpufeature: Add User-Mode Instruction Prevention definitions
    - x86: Make X86_BUG_FXSAVE_LEAK detectable in CPUID on AMD
    - perf/x86: Enable free running PEBS for REGS_USER/INTR
    - bpf: fix build issues on um due to mising bpf_perf_event.h
    - locking/barriers: Add implicit smp_read_barrier_depends() to READ_ONCE()
    - locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
    - x86/mm/kasan: Don't use vmemmap_populate() to initialize shadow
    - mm/sparsemem: Fix ARM64 boot crash when CONFIG_SPARSEMEM_EXTREME=y
    - objtool: Move synced files to their original relative locations
    - objtool: Move kernel headers/code sync check to a script
    - objtool: Fix cross-build
    - tools/headers: Sync objtool UAPI header
    - objtool: Fix 64-bit build on 32-bit host
    - x86/decoder: Fix and update the opcodes map
    - x86/decoder: Add new TEST instruction pattern
    - x86/insn-eval: Add utility functions to get segment selector
    - x86/entry/64/paravirt: Use paravirt-safe macro to access eflags
    - x86/unwinder/orc: Dont bail on stack overflow
    - x86/unwinder: Handle stack overflows more gracefully
    - x86/irq: Remove an old outdated comment about context tracking races
    - x86/irq/64: Print the offending IP in the stack overflow warning
    - x86/entry/64: Allocate and enable the SYSENTER stack
    - x86/dumpstack: Add get_stack_info() support for the SYSENTER stack
    - x86/entry/gdt: Put per-CPU GDT remaps in ascending order
    - x86/mm/fixmap: Generalize the GDT fixmap mechanism, introduce struct cpu_entry_area
    - x86/kasan/64: Teach KASAN about the cpu_entry_area
    - x86/entry: Fix assumptions that the HW TSS is at the beginning of cpu_tss
    - x86/dumpstack: Handle stack overflow on all stacks
    - x86/entry: Move SYSENTER_stack to the beginning of struct tss_struct
    - x86/entry: Remap the TSS into the CPU entry area
    - x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0
    - x86/espfix/64: Stop assuming that pt_regs is on the entry stack
    - x86/entry/64: Use a per-CPU trampoline stack for IDT entries
    - x86/entry/64: Return to userspace from the trampoline stack
    - x86/entry/64: Create a per-CPU SYSCALL entry trampoline
    - x86/entry/64: Move the IST stacks into struct cpu_entry_area
    - x86/entry/64: Remove the SYSENTER stack canary
    - x86/entry: Clean up the SYSENTER_stack code
    - x86/entry/64: Make cpu_entry_area.tss read-only
    - x86/paravirt: Dont patch flush_tlb_single
    - x86/paravirt: Provide a way to check for hypervisors
    - x86/cpufeatures: Make CPU bugs sticky
    - x86/Kconfig: Limit NR_CPUS on 32-bit to a sane amount
    - x86/mm/dump_pagetables: Check PAGE_PRESENT for real
    - x86/mm/dump_pagetables: Make the address hints correct and readable
    - x86/vsyscall/64: Explicitly set _PAGE_USER in the pagetable hierarchy
    - x86/vsyscall/64: Warn and fail vsyscall emulation in NATIVE mode
    - arch, mm: Allow arch_dup_mmap() to fail
    - x86/ldt: Rework locking
    - x86/ldt: Prevent LDT inheritance on exec
    - x86/mm/64: Improve the memory map documentation
    - x86/doc: Remove obvious weirdnesses from the x86 MM layout documentation
    - x86/entry: Rename SYSENTER_stack to CPU_ENTRY_AREA_entry_stack
    - x86/uv: Use the right TLB-flush API
    - x86/microcode: Dont abuse the TLB-flush interface
    - x86/mm: Use __flush_tlb_one() for kernel memory
    - x86/mm: Remove superfluous barriers
    - x86/mm: Add comments to clarify which TLB-flush functions are supposed to flush what
    - x86/mm: Move the CR3 construction functions to tlbflush.h
    - x86/mm: Remove hard-coded ASID limit checks
    - x86/mm: Put MMU to hardware ASID translation in one place
    - x86/mm: Create asm/invpcid.h
    - x86/cpu_entry_area: Move it to a separate unit
    - x86/cpu_entry_area: Move it out of the fixmap
    - init: Invoke init_espfix_bsp() from mm_init()
    - x86/cpu_entry_area: Prevent wraparound in setup_cpu_entry_area_ptes() on 32bit
    - x86/cpufeatures: Add X86_BUG_CPU_INSECURE
    - x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y
    - x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching
    - x86/mm/pti: Add infrastructure for page table isolation
    - x86/pti: Add the pti= cmdline option and documentation
    - x86/mm/pti: Add mapping helper functions
    - x86/mm/pti: Allow NX poison to be set in p4d/pgd
    - x86/mm/pti: Allocate a separate user PGD
    - x86/mm/pti: Populate user PGD
    - x86/mm/pti: Add functions to clone kernel PMDs
    - x86/mm/pti: Force entry through trampoline when PTI active
    - x86/mm/pti: Share cpu_entry_area with user space page tables
    - x86/entry: Align entry text section to PMD boundary
    - x86/mm/pti: Share entry text PMD
    - x86/mm/pti: Map ESPFIX into user space
    - x86/cpu_entry_area: Add debugstore entries to cpu_entry_area
    - x86/events/intel/ds: Map debug buffers in cpu_entry_area
    - x86/mm/64: Make a full PGD-entry size hole in the memory map
    - x86/pti: Put the LDT in its own PGD if PTI is on
    - x86/pti: Map the vsyscall page if needed
    - x86/mm: Allow flushing for future ASID switches
    - x86/mm: Abstract switching CR3
    - x86/mm: Use/Fix PCID to optimize user/kernel switches
    - x86/mm: Optimize RESTORE_CR3
    - x86/mm: Use INVPCID for __native_flush_tlb_single()
    - x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming
    - x86/dumpstack: Indicate in Oops whether PTI is configured and enabled
    - x86/mm/pti: Add Kconfig
    - x86/mm/dump_pagetables: Add page table directory to the debugfs VFS hierarchy
    - x86/mm/dump_pagetables: Check user space page table for WX pages
    - x86/mm/dump_pagetables: Allow dumping current pagetables
    - x86/ldt: Make the LDT mapping RO
    - x86/smpboot: Remove stale TLB flush invocations
    - x86/mm: Remove preempt_disable/enable() from __native_flush_tlb()
    - x86/ldt: Plug memory leak in error path
    - x86/ldt: Make LDT pgtable free conditional
    - [Config] updateconfigs to enable PTI
    - kvm: x86: fix RSM when PCID is non-zero
    - x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
    - SAUCE: only attempt to use PCID in 64 bit builds
    - SAUCE: BODGE: temporarily disable some kprobe trace points which are cratering
    - s390/mm: use generic mm_hooks
    - objtool: use sh to invoke sync-check.sh in the Makefile

  * CVE-2017-17862
    - bpf: fix branch pruning logic

  * CVE-2017-17864
    - SAUCE: bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN

  * CVE-2017-16995
    - bpf: fix incorrect sign extension in check_alu_op()

  * CVE-2017-17863
    - SAUCE: bpf: reject out-of-bounds stack pointer calculation

 -- Marcelo Henrique Cerri <marcelo.ce...@canonical.com>  Mon, 08 Jan 2018 17:13:57 -0200

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16995

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17862

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17863

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17864

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1734147

Title:
  corrupted BIOS due to Intel SPI bug in kernel

Status in Linux:
  Unknown
Status in linux package in Ubuntu:
  Fix Released
Status in linux-hwe-edge source package in Xenial:
  Fix Released
Status in linux-oem source package in Xenial:
  Fix Released
Status in linux source package in Artful:
  Fix Released

Bug description:
  An update to linux kernel on Ubuntu 17.10 that enabled the Intel SPI
  drivers results in a serial flash that is read only in Intel Broadwell
  and Haswell machines with serial flashes with SPI_NOR_HAS_LOCK set.

  Symptoms:
   * BIOS settings cannot be saved
   * USB Boot impossible
   * EFI entries read-only.

  ---

  Fix: The issue was fixed in kernel version 4.13.0-21 by configuring
  the kernel so it is not compiled with Intel SPI support. But previous
  affected machines still suffered from a broken BIOS.

  Repair: If you still can boot into Ubuntu, you can recover your BIOS
  with the following steps:

  1. Boot into Ubuntu
  2. Download http://people.canonical.com/~ypwong/lp1734147/linux-image-4.15.0-041500rc6-generic_4.15.0-041500rc6.201712312330+20170103+1_amd64.deb
  3. Install the downloaded package:
     $ sudo dpkg -i linux-image-4.15.0-041500rc6-generic_4.15.0-041500rc6.201712312330+20170103+1_amd64.deb
  4. Make sure the kernel is installed without any error. Once
     installed, reboot.
  5. At grub, choose the newly installed kernel. You can choose the
     "recovery" mode.
  6. Reboot and go to BIOS settings to confirm your BIOS has been
     recovered.
  7. In case your BIOS is not recovered, reboot to the new kernel, then
     reboot *once again* to the new kernel, do not enter BIOS settings
     before the reboot. After the second reboot, check BIOS.
  8. If your BIOS issue remains, download another kernel from
     http://people.canonical.com/~ypwong/lp1734147/linux-image-4.15.0-041500rc6-generic_4.15.0-041500rc6.201712312330+clear+debug_amd64.deb,
     and use dpkg to install it, then repeat steps 4 to 6.

  After your BIOS is fixed, the kernel packages you just installed are
  no longer needed, you can remove it by running
  'sudo dpkg -r linux-image-4.15.0-041500rc6-generic'.

  The patch used to build the linux v4.15 kernel in step 8 can be found
  at https://goo.gl/xUKJFR.

  ---

  Test Case: Fix has been verified by our HWE team on affected hardware.

  Regression Potential: Minimal, it's unlikely anyone is actually doing
  anything which requires this driver.

  ---

  Affected Machines:

  Lenovo B40-70
  Lenovo B50-70
  Lenovo B50-80
  Lenovo Flex-3
  Lenovo Flex-10
  Lenovo G40-30
  Lenovo G50-30
  Lenovo G50-70
  Lenovo G50-80
  Lenovo S20-30
  Lenovo U31-70
  Lenovo Y50-70
  Lenovo Y70-70
  Lenovo Yoga Thinkpad (20C0)
  Lenovo Yoga 2 11" - 20332
  Lenovo Yoga 3 11"
  Lenovo Z50-70
  Lenovo Z51-70
  Lenovo ideapad 100-15IBY

  Acer Aspire E5-771G
  Acer Aspire ES1-111M-C1LE (fixed following your new instruction (thank you))
  Acer TravelMate B113
  Acer Swift SF314-52 (Fixed by 4.14.9)
  Toshiba Satellite S55T-B5233
  Toshiba Satellite L50-B-1R7
  Toshiba Satellite S50-B-13G
  Dell Inspiron 15-3531
  Mediacom Smartbook 14 Ultra M-SB14UC
  Acer Aspire E3-111-C0UM
  HP 14-r012la

  ---

  Affected serial flash devices by manufacturer part number, JEDEC ID
  (SPI_NOR_HAS_LOCK set in drivers/mtd/spi-nor/spi-nor.c)

  /* ESMT */
     f25l32pa, 0x8c2016
     f25l32qa, 0x8c4116
     f25l64qa, 0x8c4117
  /* GigaDevice */
     gd25q16, 0xc84015
     gd25q32, 0xc84016
     gd25lq32, 0xc86016
     gd25q64, 0xc84017
     gd25lq64c, 0xc86017
     gd25q128, 0xc84018
     gd25q256, 0xc84019
  /* Winbond */
     w25q16dw, 0xef6015
     w25q32dw, 0xef6016
     w25q64dw, 0xef6017
     w25q128fw, 0xef6018

  ---

  Original Description:

  Basically on Lenovo Y50-70 after installing Ubuntu 17.10, many users
  reported a corrupted BIOS.

  It's not possible to save new settings in BIOS anymore and after
  rebooting, the system starts with the old settings.

  Moreover (and most important) USB booting is not possible anymore
  since USB is not recognized. It's very serious, since our machines do
  not have a CDROM.

  Lenovo forums at the moment are full of topics regarding this issue.

  Thank you!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/1734147/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
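
Added example, not part of the bug report or of Ubuntu's tooling: a shell triage helper that combines three facts the report gives (fixed in 4.13.0-21, fixed by building the kernel without Intel SPI support, and the list of affected flash part names). The CONFIG_SPI_INTEL_SPI* option names and the "<name> (<size> Kbytes)" probe-message format are assumptions taken from the upstream kernel source, not from this report.

```shell
#!/bin/sh
# Added example: triage helper for LP #1734147 (not from the bug report).
# Part names copied from the report's "Affected serial flash devices" list.
AFFECTED_PARTS="f25l32pa f25l32qa f25l64qa gd25q16 gd25q32 gd25lq32 gd25q64
gd25lq64c gd25q128 gd25q256 w25q16dw w25q32dw w25q64dw w25q128fw"

# True if the given kernel config file enables an Intel SPI flash driver
# (built in or as a module). Assumption: options named CONFIG_SPI_INTEL_SPI*.
intel_spi_enabled() {
    grep -Eq '^CONFIG_SPI_INTEL_SPI[A-Z_]*=[ym]$' "$1"
}

# True if a `uname -r` string is an Ubuntu 4.13.0-N kernel with N < 21,
# i.e. older than the version the report names as fixed.
kernel_before_fix() {
    case "$1" in
        4.13.0-[0-9]*) ;;
        *) return 1 ;;
    esac
    abi=${1#4.13.0-}       # "17-generic"
    abi=${abi%%[!0-9]*}    # "17"
    [ "$abi" -lt 21 ]
}

# Print each affected part name found in the kernel log read from stdin.
# Assumption: spi-nor logs the detected chip as "<name> (<size> Kbytes)".
affected_parts_in_log() {
    log=$(cat)
    for part in $AFFECTED_PARTS; do
        if printf '%s\n' "$log" |
            grep -Eq "(^|[^a-z0-9])$part \([0-9]+ Kbytes\)"; then
            printf '%s\n' "$part"
        fi
    done
}

# Verdict from `uname -r` ($1), config file ($2) and kernel log on stdin.
triage() {
    parts=$(affected_parts_in_log | tr '\n' ' ')
    if ! intel_spi_enabled "$2"; then
        echo "driver-off"
    elif [ -z "$parts" ]; then
        echo "driver-on, no listed part in log"
    elif kernel_before_fix "$1"; then
        echo "at-risk (pre-4.13.0-21 kernel): ${parts% }"
    else
        echo "at-risk: ${parts% }"
    fi
}

# Live use: dmesg | triage "$(uname -r)" "/boot/config-$(uname -r)"
```

A "driver-off" verdict only describes the running kernel; per the report, machines that were already affected keep a broken BIOS until the repair steps are carried out.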