Re: CVE-2017-5754 - ETA?

2018-01-04 Thread Don Armstrong
On Thu, 04 Jan 2018, francis picabia wrote:
> Redhat, Ubuntu and others have kernel updates available today for this
> kernel patch that has been worked on since November. Normally Debian
> has been quick out of the gate with security measures.
> 
> Is there an ETA when Debian will update kernel packages?

The DSA has been (will be shortly?) released for stable. Unstable,
testing, and likely oldstable will probably follow soon.
https://security-tracker.debian.org/tracker/DSA-4078-1

-- 
Don Armstrong  https://www.donarmstrong.com

There is no mechanical problem so difficult that it cannot be solved
by brute strength and ignorance.
 -- William's Law



Re: CVE-2017-5754 - ETA?

2018-01-08 Thread francis picabia
On Thu, Jan 4, 2018 at 4:47 PM, Don Armstrong  wrote:

> On Thu, 04 Jan 2018, francis picabia wrote:
> > Redhat, Ubuntu and others have kernel updates available today for this
> > kernel patch that has been worked on since November. Normally Debian
> > has been quick out of the gate with security measures.
> >
> > Is there an ETA when Debian will update kernel packages?
>
> The DSA has been (will be shortly?) released for stable. Unstable,
> testing, and likely oldstable will probably follow soon.
> https://security-tracker.debian.org/tracker/DSA-4078-1
>
>
>
Thanks for the response.  I'm looking now and I see stretch and wheezy are
addressed, but not jessie.  Odd.  Why would old-stable be a challenge?

I'm concerned because we run a system for students to do programming, and
there is typically one in the crowd who will try out any script kiddies in
the news.  For the time being I've blocked access to the system, but faculty
expect it will be available for use in a week or so.  I have the option to
install the stretch kernel and run in a hybrid version for awhile, but I'm
not sure if there will be problems with that workaround.


Re: CVE-2017-5754 - ETA?

2018-01-08 Thread Jeroen Mathon
Can't you clone the disk to another machine, then test the stretch
kernel and then run hybrid for a while?

The kernel is just the intermediate between the hardware and userspace;
it shouldn't cause too much trouble, and if not you can always test it that way.


On 01/08/2018 04:36 PM, francis picabia wrote:
> On Thu, Jan 4, 2018 at 4:47 PM, Don Armstrong wrote:
>
> On Thu, 04 Jan 2018, francis picabia wrote:
> > Redhat, Ubuntu and others have kernel updates available today
> for this
> > kernel patch that has been worked on since November. Normally Debian
> > has been quick out of the gate with security measures.
> >
> > Is there an ETA when Debian will update kernel packages?
>
> The DSA has been (will be shortly?) released for stable. Unstable,
> testing, and likely oldstable will probably follow soon.
> https://security-tracker.debian.org/tracker/DSA-4078-1
> 
>
>
>
> Thanks for the response.  I'm looking now and I see stretch and wheezy are
> addressed, but not jessie.  Odd.  Why would old-stable be a challenge?
>
> I'm concerned because we run a system for students to do programming, and
> there is typically one in the crowd who will try out any script kiddies in
> the news.  For the time being I've blocked access to the system, but faculty
> expect it will be available for use in a week or so.  I have the option to
> install the stretch kernel and run in a hybrid version for awhile, but I'm
> not sure if there will be problems with that workaround.
>
>





Re: CVE-2017-5754 - ETA?

2018-01-08 Thread Tixy
On Mon, 2018-01-08 at 11:36 -0400, francis picabia wrote:
> > The DSA has been (will be shortly?) released for stable. Unstable,
> > testing, and likely oldstable will probably follow soon.
> > https://security-tracker.debian.org/tracker/DSA-4078-1
> >
> >
> >
> Thanks for the response.  I'm looking now and I see stretch and wheezy
> are
> addressed, but not jessie.  Odd.  Why would old-stable be a challenge?

It's a major set of changes that needs to be ported and tested. Perhaps
there were more companies and distros working on the 3.2 kernel in
Wheezy compared to 3.16 as used in Jessie. Or perhaps the latter port
hit problems, who knows.

-- 
Tixy



Re: CVE-2017-5754 - ETA?

2018-01-08 Thread Sven Joachim
On 2018-01-08 17:04 +, Tixy wrote:

> On Mon, 2018-01-08 at 11:36 -0400, francis picabia wrote:
>> > The DSA has been (will be shortly?) released for stable. Unstable,
>> > testing, and likely oldstable will probably follow soon.
>> > https://security-tracker.debian.org/tracker/DSA-4078-1
>> >
>> >
>> >
>> Thanks for the response.  I'm looking now and I see stretch and wheezy
>> are
>> addressed, but not jessie.  Odd.  Why would old-stable be a challenge?
>
> It's a major set of changes that needs to be ported and tested. Perhaps
> there were more companies and distros working on the 3.2 kernel in
> Wheezy compared to 3.16 as used in Jessie.

I doubt that, both 3.2 and 3.16 are maintained by Ben Hutchings and are
not used by any major distro except Debian AFAIK.

> Or perhaps the latter port hit problems, who knows.

Definitely, both Ben and testers/reviewers hit showstopper bugs
including failure to boot at all.  See the thread on the stable@vger
list at https://www.spinics.net/lists/stable/index.html#209049.

Cheers,
   Sven



Re: CVE-2017-5754 - ETA?

2018-01-08 Thread Richard Hector
On 09/01/18 04:36, francis picabia wrote:
> I have the option to install
> the stretch kernel and run in a hybrid version for awhile, but I'm not sure
> if there will be problems with that workaround.

The jessie-backports kernel has been updated, I believe.

Richard






Re: CVE-2017-5754 - ETA?

2018-01-10 Thread francis picabia
On Mon, Jan 8, 2018 at 5:20 PM, Richard Hector wrote:

> On 09/01/18 04:36, francis picabia wrote:
> > I have the option to install
> > the stretch kernel and run in a hybrid version for awhile, but I'm not
> sure
> > if there will be problems with that workaround.
>
> The jessie-backports kernel has been updated, I believe.
>
>
The jessie-backports did work, as well as using stretch as the repo for
install.

There is now a 3.16.51-3+deb8u1 released for jessie, so this is now
fixed without using a kernel from 4.* series.


Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Vincent Lefevre
On 2018-01-04 12:47:42 -0800, Don Armstrong wrote:
> On Thu, 04 Jan 2018, francis picabia wrote:
> > Redhat, Ubuntu and others have kernel updates available today for this
> > kernel patch that has been worked on since November. Normally Debian
> > has been quick out of the gate with security measures.
> > 
> > Is there an ETA when Debian will update kernel packages?
> 
> The DSA has been (will be shortly?) released for stable. Unstable,
> testing, and likely oldstable will probably follow soon.
> https://security-tracker.debian.org/tracker/DSA-4078-1

According to answers on

  https://security.stackexchange.com/questions/176624/how-do-i-check-if-kpti-is-enabled-on-linux/176654

linux-image-4.9.0-5-amd64 4.9.65-3+deb9u2 is still vulnerable as shown
below:

# dmesg | grep -i isolation
# cat /sys/kernel/debug/x86/pti_enabled
cat: /sys/kernel/debug/x86/pti_enabled: No such file or directory

The command line is:

  root=UUID=... ro console=ttyS0 console=hvc0 nomce loglevel=5 net.ifnames=0

thus KPTI is not disabled via the command line.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Jack Dangler


On 01/12/2018 10:00 AM, bw wrote:
> On Fri, 12 Jan 2018, Vincent Lefevre wrote:
> > According to answers on
> >
> >   https://security.stackexchange.com/questions/176624/how-do-i-check-if-kpti-is-enabled-on-linux/176654
> >
> > linux-image-4.9.0-5-amd64 4.9.65-3+deb9u2 is still vulnerable as shown
> > below:
> >
> > # dmesg | grep -i isolation
>
> You should get either
>
> [0.00] Kernel/User page tables isolation: enabled
> or
> [0.00] Kernel/User page tables isolation: disabled
>
> Search with dmesg | less it's about two pages down for me,
>
> $ uname -a
> Linux debian 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)
> x86_64 GNU/Linux



I tried this on my Ubu workstation and didn't get anything back...
$ dmesg | grep -i isolation
$
$ uname -a
Linux 4.10.0-40-generic #44~16.04.1-Ubuntu SMP Thu Nov 9 15:37:44 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux




Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Roberto C . Sánchez
On Fri, Jan 12, 2018 at 10:51:34AM -0500, Jack Dangler wrote:
> I tried this on my Ubu workstation and didn't get anything back...
> $ dmesg | grep -i isolation
> $
> $ uname -a
> Linux 4.10.0-40-generic #44~16.04.1-Ubuntu SMP Thu Nov 9 15:37:44 UTC 2017
 ^^^
> x86_64 x86_64 x86_64 GNU/Linux
> 

Your kernel was built prior to the vulnerabilities being made public.
The patches had not yet made their way into Linux at that point.

Regards,

-Roberto
-- 
Roberto C. Sánchez



Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Vincent Lefevre
On 2018-01-12 10:00:03 -0500, bw wrote:
> On Fri, 12 Jan 2018, Vincent Lefevre wrote:
> > According to answers on
> > 
> >   https://security.stackexchange.com/questions/176624/how-do-i-check-if-kpti-is-enabled-on-linux/176654
> > 
> > linux-image-4.9.0-5-amd64 4.9.65-3+deb9u2 is still vulnerable as shown
> > below:
> > 
> > # dmesg | grep -i isolation
> 
> You should get either
> 
> [0.00] Kernel/User page tables isolation: enabled
> or
> [0.00] Kernel/User page tables isolation: disabled

I get neither.

> Search with dmesg | less it's about two pages down for me,

If I search for isolation I get:

Pattern not found  (press RETURN)

> $ uname -a
> Linux debian 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) 
> x86_64 GNU/Linux

$ uname -a
Linux joooj 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 
GNU/Linux

There seems to be something really wrong. I'll report a bug.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Roberto C . Sánchez
On Fri, Jan 12, 2018 at 09:59:20PM +0100, Vincent Lefevre wrote:
> 
> $ uname -a
> Linux joooj 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 
> GNU/Linux
> 
> There seems to be something really wrong. I'll report a bug.
> 
What is the output of `grep vendor_id /proc/cpuinfo` on your machine?

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Vincent Lefevre
On 2018-01-12 16:10:40 -0500, Roberto C. Sánchez wrote:
> On Fri, Jan 12, 2018 at 09:59:20PM +0100, Vincent Lefevre wrote:
> > $ uname -a
> > Linux joooj 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 
> > GNU/Linux
> > 
> > There seems to be something really wrong. I'll report a bug.
> > 
> What is the output of `grep vendor_id /proc/cpuinfo` on your machine?

$ grep vendor_id /proc/cpuinfo
vendor_id   : GenuineIntel

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Nick
On 2018-01-12 21:09 GMT, Vincent Lefevre wrote:
> On 2018-01-12 10:00:03 -0500, bw wrote:
> > On Fri, 12 Jan 2018, Vincent Lefevre wrote:
> > > # dmesg | grep -i isolation
> > 
> > You should get either
> > 
> > [0.00] Kernel/User page tables isolation: enabled
> > or
> > [0.00] Kernel/User page tables isolation: disabled
> 
> I get neither.

> There seems to be something really wrong. I'll report a bug.

It might have aged out of the buffer that dmesg reports on. I don't
see it in my dmesg either but in /var/log/kern.log.1 there is

  Kernel/User page tables isolation: enabled

Try a grep in /var/log ?
-- 
Nick



Re: CVE-2017-5754 - ETA?

2018-01-12 Thread Vincent Lefevre
On 2018-01-12 21:21:06 +, Nick wrote:
> It might have aged out of the buffer that dmesg reports on.

No, there's the beginning of the dmesg output:

[0.00] Linux version 4.9.0-5-amd64 (debian-ker...@lists.debian.org) 
(gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-3+deb9u2 
(2018-01-04)

But I think I've found the reason:

In arch/x86/mm/kaiser.c:

void __init kaiser_check_boottime_disable(void)
{
        [...]
        if (boot_cpu_has(X86_FEATURE_XENPV))
                goto silent_disable;
        [...]
disable:
        pr_info("disabled\n");

silent_disable:
        kaiser_enabled = 0;
        setup_clear_cpu_cap(X86_FEATURE_KAISER);
}

I must be in the "silent_disable" case (this is a Xen guest).

It's unfortunate that no-one mentions this case!

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: CVE-2017-5754 - ETA?

2018-01-13 Thread Tixy
On Fri, 2018-01-12 at 22:40 +0100, Vincent Lefevre wrote:
> On 2018-01-12 21:21:06 +, Nick wrote:
> > It might have aged out of the buffer that dmesg reports on.
> 
> No, there's the beginning of the dmesg output:
> 
> [0.00] Linux version 4.9.0-5-amd64 (debian-ker...@lists.debian.org) 
> (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-3+deb9u2 
> (2018-01-04)
> 
> But I think I've found the reason:
> 
> In arch/x86/mm/kaiser.c:
> 
> void __init kaiser_check_boottime_disable(void)
> {
>         [...]
>         if (boot_cpu_has(X86_FEATURE_XENPV))
>                 goto silent_disable;
>         [...]
> disable:
>         pr_info("disabled\n");
> 
> silent_disable:
>         kaiser_enabled = 0;
>         setup_clear_cpu_cap(X86_FEATURE_KAISER);
> }
> 
> I must be in the "silent_disable" case (this is a Xen guest).
> 
> It's unfortunate that no-one mentions this case!

Hmm. I have a system running under Xen and get the 'page tables
isolation: enabled' message. Here's what I hope are relevant parts from
dmesg output...

[0.00] Linux version 4.9.0-5-amd64 (debian-ker...@lists.debian.org)
(gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-3+deb9u2
(2018-01-04)
...
[0.00] DMI: Xen HVM domU, BIOS 4.8.1-pre-memset3 06/07/2017
[0.00] Hypervisor detected: Xen
[0.00] Xen version 4.8.
...
[0.00] Booting paravirtualized kernel on Xen HVM
...
[0.00] Kernel/User page tables isolation: enabled

-- 
Tixy




Re: CVE-2017-5754 - ETA?

2018-01-13 Thread Tixy
On Sat, 2018-01-13 at 08:06 +, Tixy wrote:
> On Fri, 2018-01-12 at 22:40 +0100, Vincent Lefevre wrote:
> > On 2018-01-12 21:21:06 +, Nick wrote:
> > > It might have aged out of the buffer that dmesg reports on.
> > 
> > No, there's the beginning of the dmesg output:
> > 
> > [0.00] Linux version 4.9.0-5-amd64 (debian-ker...@lists.debian.org) 
> > (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 
> > 4.9.65-3+deb9u2 (2018-01-04)
> > 
> > But I think I've found the reason:
> > 
> > In arch/x86/mm/kaiser.c:
> > 
> > void __init kaiser_check_boottime_disable(void)
> > {
> >         [...]
> >         if (boot_cpu_has(X86_FEATURE_XENPV))
> >                 goto silent_disable;
> >         [...]
> > disable:
> >         pr_info("disabled\n");
> > 
> > silent_disable:
> >         kaiser_enabled = 0;
> >         setup_clear_cpu_cap(X86_FEATURE_KAISER);
> > }
> > 
> > I must be in the "silent_disable" case (this is a Xen guest).
> > 
> > It's unfortunate that no-one mentions this case!
> 
> Hmm. I have a system running under Xen and get the 'page tables
> isolation: enabled' message. Here's what I hope are relevant parts from
> dmesg output...
> 
> [0.00] Linux version 4.9.0-5-amd64 (debian-ker...@lists.debian.org)
> (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-3+deb9u2
> (2018-01-04)
> ...
> [0.00] DMI: Xen HVM domU, BIOS 4.8.1-pre-memset3 06/07/2017
> [0.00] Hypervisor detected: Xen
> [0.00] Xen version 4.8.
> ...
> [0.00] Booting paravirtualized kernel on Xen HVM
> ...
> [0.00] Kernel/User page tables isolation: enabled

Replying to myself... The above makes sense as while the Debian kernel
is built with Xen paravirtualisation support, in my case it is running
under hardware virtualisation (HVM) so the paravirtualisation flag
(X86_FEATURE_XENPV) isn't set.

For people whose boot log says 

  Booting paravirtualized kernel on Xen PVH

I would expect not to see any mention of 

  Kernel/User page tables isolation

as the code Vincent identified [1] silently disables it.

[1] 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.76&id=402e63de94afdf7cd64e4eb209a8a77310e02d2c

-- 
Tixy
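The checks traded in this thread (Vincent's `dmesg | grep -i isolation`, the two messages bw says to expect, Nick's point that the line can have aged out of the ring buffer, Roberto's point about a kernel built before the fix, and Tixy's explanation of the silent Xen PV case) fold into one small script. The block below is an added example, not code from the thread, from Debian or from the kernel; it classifies a boot log, a command line and cpuinfo text, and runs on constructed samples modelled on the logs posted above. Assumptions, also flagged in comments: the exact message texts, the parameter names `nopti` and `pti=off`, the guest names `Xen` / `Xen PVH` versus `Xen HVM` in the "Booting paravirtualized kernel on" line, and the `kaiser` (4.9 backport) / `pti` (upstream) cpuinfo flag names.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: classify the
# KPTI/KAISER (CVE-2017-5754) mitigation state from the evidence this thread
# relies on. Functions take text as an argument so they run on the constructed
# samples below or on real output:
#   pti_state "$(dmesg)"                  # or, once the ring buffer wrapped,
#   pti_state "$(cat /var/log/kern.log.1)"
#   pti_cmdline_disabled "$(cat /proc/cmdline)"
#   pti_cpu_flag "$(cat /proc/cpuinfo)"

# Verdict from kernel boot messages. Assumed texts: the
# "Kernel/User page tables isolation: enabled|disabled" line printed by the
# 4.9 KAISER backport and by upstream PTI, and the
# "Booting paravirtualized kernel on <name>" line, where <name> is "Xen HVM"
# for HVM guests (as in Tixy's log) but "Xen" or "Xen PVH" for PV-style
# guests, which kaiser_check_boottime_disable() skips silently via
# X86_FEATURE_XENPV.
pti_state() {
    log=$1
    if printf '%s\n' "$log" | grep -q 'Kernel/User page tables isolation: enabled'; then
        echo enabled
    elif printf '%s\n' "$log" | grep -q 'Kernel/User page tables isolation: disabled'; then
        echo disabled
    elif printf '%s\n' "$log" | grep -Eq 'Booting paravirtualized kernel on Xen( PVH)?$'; then
        # Nothing is printed in this case: the guest kernel is not doing the
        # isolation itself; whether the system is exposed depends on the
        # Xen side, which this check cannot see.
        echo silent-xen-pv
    elif printf '%s\n' "$log" | grep -q 'Linux version '; then
        # A boot log with no isolation line outside the PV case is what a
        # kernel built before the fix looks like (Roberto's point).
        echo unpatched-or-unknown
    else
        echo no-boot-log
    fi
}

# 0 if the command line turns isolation off explicitly. Assumed parameter
# names: "nopti" and "pti=off" (accepted by the 4.9 backport and upstream).
pti_cmdline_disabled() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -Eq '^(nopti|pti=off)$'
}

# 0 if /proc/cpuinfo-style text advertises the isolation feature. Assumed flag
# names: "kaiser" on the 4.9 backport (X86_FEATURE_KAISER, which the code
# quoted above clears with setup_clear_cpu_cap when disabled), "pti" upstream.
pti_cpu_flag() {
    printf '%s\n' "$1" | grep '^flags' | tr ' ' '\n' | grep -Eq '^(kaiser|pti)$'
}

# Constructed, abbreviated boot logs modelled on the ones posted in the thread.
SAMPLE_HVM='[    0.000000] Linux version 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)
[    0.000000] Hypervisor detected: Xen
[    0.000000] Booting paravirtualized kernel on Xen HVM
[    0.000000] Kernel/User page tables isolation: enabled'

SAMPLE_PV='[    0.000000] Linux version 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)
[    0.000000] Hypervisor detected: Xen
[    0.000000] Booting paravirtualized kernel on Xen
[    0.000000] Command line: root=UUID=... ro console=ttyS0 console=hvc0 nomce loglevel=5 net.ifnames=0'

SAMPLE_OLD='[    0.000000] Linux version 4.10.0-40-generic #44~16.04.1-Ubuntu SMP Thu Nov 9 15:37:44 UTC 2017
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'

# Constructed cpuinfo excerpt for a patched 4.9 backport kernel.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep syscall nx lm kaiser'

printf 'HVM guest:   %s\n' "$(pti_state "$SAMPLE_HVM")"
printf 'PV guest:    %s\n' "$(pti_state "$SAMPLE_PV")"
printf 'old kernel:  %s\n' "$(pti_state "$SAMPLE_OLD")"
```

A `silent-xen-pv` verdict is not a clean bill of health: it only says the guest kernel never attempted page-table isolation, so the Xen side has to be checked separately. On hosts with `kernel.dmesg_restrict=1` the `dmesg` call needs root, which is why the script also accepts the archived kern.log Nick pointed at.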