| Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback |
| Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition | ||
|
|
||
 |
||||||||||||||||||||||||||||||||||
Solution Type Predictive Self-Healing Sure Solution 2357485.1 : Big Data Appliance (BDA) / Big Data Cloud Service (BDCS) Remediation for CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities
In this Document
Applies to:Big Data Appliance Hardware - Version All Versions and laterBig Data Appliance Integrated Software - Version 2.2.1 to 4.11 [Release 2.2 to 4.10] Linux x86-64 PurposeThis document provides details about affected versions of Oracle Big Data Appliance(BDA)/Big Data Cloud Service (BDCS) by CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) vulnerabilities and instructions on how to obtain the corresponding patches for the BDA. ScopeThis document applies to:
BDA 4.12 and beyond will automatically include these fixes. Release date of BDA 4.12 has not been determined and is not known. DetailsBackgroundGeneralAddendum to the January 2018 CPU Advisory for Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754) vulnerabilities (Doc ID 2347948.1). PerformanceThe Oracle Linux UEK patches are expected to have some performance impact. Oracle currently expects that the impact on most Hadoop workloads will be minimal because most Hadoop workloads are IO-bound. The expectation is that the impact should be similar to what Cloudera has found in their testing. Affected BDA Releases
Remediation DetailsAll steps are done as 'root' user on the affected node, or if dcli is used then on Node 1 or any other node where passwordless ssh is set up. 1. Verify that mitigation is not already in effect. Verify with "grep flags /proc/cpuinfo | grep pti". The output will be empty if the pti flag is not set which indicates that the mitigation is not in effect. a) With dcli: # dcli -C "grep flags /proc/cpuinfo | grep pti"
or b) On an individual node: # grep flags /proc/cpuinfo | grep pti
If there is no output then the mitigation is not effect so continue to the next step. 2. Perform the mitigation as follows: For BDAFollow the steps in How To Upgrade a Kernel on BDA V4.2 and Higher/V4.1 <Document 2033797.1>. To ensure fixes for CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown), you must upgrade the kernel and dracut and microcode_ctl packages to the kernel version indicated below and as described in <Document 2033797.1>:
Once completed continue to Step 3. For BDCSFollow the steps in How to Upgrade the UEK2 Kernel in a Big Data Cloud Service Cluster <Document 2394933.1>. Once completed continue to Step 3. 3. Validate that the mitigation is in place. Check that the mitigation is in place by running the commands below on an individual node or on all cluster nodes with dcli. # dmesg | grep isolation
# rpm -q --changelog kernel-uek | egrep 'CVE-2017-5753' # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5715' # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5754' # grep flags /proc/cpuinfo | grep pti Ensure that the output matches that shown in Appendix A below. Appendix AThis section details the expected output for the five mitigation check commands listed below. # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5753'
# rpm -q --changelog kernel-uek | egrep 'CVE-2017-5715' # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5754' # grep flags /proc/cpuinfo | grep pti # dmesg | grep isolation 1. Output for: "rpm -q --changelog kernel-uek | egrep 'CVE-2017-5753'" is like. a) On UEK2: # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5753'
- x86: Use PRED_CMD MSR when ibpb is enabled (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec: Don't print the Missing arguments for option spectre_v2 (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Move ENABLE_IBRS in the interrupt macro (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - Add set_ibrs_disabled and set_ibpb_disabled (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/boot: Add early cmdline parsing for options with arguments (Tom Lendacky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86, boot: Carve out early cmdline parsing function (Borislav Petkov) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Fix kABI build breakage (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Add command-line options 'spectre_v2' and 'nospectre_v2' (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/mm: Set IBPB upon context switch (Brian Maly) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86, cpu: Expand cpufeature facility to include cpu bugs (Borislav Petkov) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec: STUFF_RSB _before_ ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Move STUFF_RSB in to the idt macro (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/IBRS/IBPB: Set sysctl_ibrs/ibpb_enabled properly (Boris Ostrovsky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/IBRS: Make sure we restore MSR_IA32_SPEC_CTRL to a valid value (Boris Ostrovsky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec_ctrl: Add missing 'lfence' when IBRS is not supported (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/ia32: Move STUFF_RSB And ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Use IBRS for firmware update path (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec_ctrl: Disable if running as Xen PV guest (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/microcode: Recheck IBRS features on microcode reload (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/enter: MACROS to set/clear IBRS and set IBPB (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/feature: Detect the x86 IBRS feature to control Speculation (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: fix build breakage (Brian Maly) [Orabug: 27346425] {CVE-2017-5753} - locking/barriers: fix compile issue (Brian Maly) [Orabug: 27346425] {CVE-2017-5753} - x86: Add another set of MSR accessor functions (Borislav Petkov) [Orabug: 27346425] {CVE-2017-5753} - udf: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - fs: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - qla2xxx: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - p54: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - carl9170: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - uvcvideo: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - locking/barriers: introduce new observable speculation barrier (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} - x86/cpu/AMD: Make the LFENCE instruction serialized (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753} b) On UEK4: # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5753'
- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) {CVE-2017-5753} - userns: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - udf: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - net: mpls: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - fs: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - ipv6: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - ipv4: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - Thermal/int340x: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - cw1200: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - qla2xxx: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - p54: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - carl9170: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - uvcvideo: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - bpf: prevent speculative execution in eBPF interpreter (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - locking/barriers: introduce new observable speculation barrier (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} - x86/cpu/AMD: Make the LFENCE instruction serialized (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753} 2. Output for: "rpm -q --changelog kernel-uek | egrep 'CVE-2017-5715'" is like. a) On UEK2: # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5715'
- x86: Use PRED_CMD MSR when ibpb is enabled (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}- x86/spec: Don't print the Missing arguments for option spectre_v2 (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Move ENABLE_IBRS in the interrupt macro (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - Add set_ibrs_disabled and set_ibpb_disabled (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/boot: Add early cmdline parsing for options with arguments (Tom Lendacky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86, boot: Carve out early cmdline parsing function (Borislav Petkov) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Fix kABI build breakage (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Add command-line options 'spectre_v2' and 'nospectre_v2' (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/mm: Set IBPB upon context switch (Brian Maly) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86, cpu: Expand cpufeature facility to include cpu bugs (Borislav Petkov) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec: STUFF_RSB _before_ ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Move STUFF_RSB in to the idt macro (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/IBRS/IBPB: Set sysctl_ibrs/ibpb_enabled properly (Boris Ostrovsky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/IBRS: Make sure we restore MSR_IA32_SPEC_CTRL to a valid value (Boris Ostrovsky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec_ctrl: Add missing 'lfence' when IBRS is not supported (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/ia32: Move STUFF_RSB And ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86: Use IBRS for firmware update path (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec_ctrl: Disable if running as Xen PV guest (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/microcode: Recheck IBRS features on microcode reload (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/enter: MACROS to set/clear IBRS and set IBPB (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} - x86/feature: Detect the x86 IBRS feature to control Speculation (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753} b) On UEK4: # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5715'
- x86/spec_ctrl: Add missing 'lfence' when IBRS is not supported. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/entry_64: TRACE_IRQS_OFF before re-enabling. (Jamie Iles) [Orabug: 27339995] {CVE-2017-5715} - ptrace: remove unlocked RCU dereference. (Jamie Iles) [Orabug: 27339995] {CVE-2017-5715} - x86/ia32: Adds code hygiene for 32bit SYSCALL instruction entry. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/ia32: don't save registers on audit call (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/spec/ia32: Sprinkle IBRS and RSB at the 32-bit SYSCALL (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/ia32: Move STUFF_RSB And ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/spec: Always set IBRS to guest value on VMENTER and host on VMEXIT. (Konrad Rzeszutek Wilk) [Orabug: 27365544] {CVE-2017-5715} - x86/spec: Actually do the check for in_use on ENABLE_IBRS (Konrad Rzeszutek Wilk) {CVE-2017-5715} - kvm: svm: Expose the CPUID.0x80000008 ebx flag. (Konrad Rzeszutek Wilk) {CVE-2017-5715} - x86/spec_ctrl: Provide the sysfs version of the ibrs_enabled (Konrad Rzeszutek Wilk) {CVE-2017-5715} - x86: Use better #define for FEATURE_ENABLE_IBRS and 0 (Konrad Rzeszutek Wilk) {CVE-2017-5715} - x86: Instead of 0x2, 0x4, and 0x1 use #defines. (Konrad Rzeszutek Wilk) {CVE-2017-5715} - x86: Don't ENABLE_IBRS in nmi when we are still running on user cr3 (Konrad Rzeszutek Wilk) {CVE-2017-5715} - x86/enter: Use IBRS on syscall and interrupts - fix ia32 path (Konrad Rzeszutek Wilk) {CVE-2017-5715} - kABI: Revert kABI: Make the boot_cpu_data look normal (Konrad Rzeszutek Wilk) {CVE-2017-5715} - kABI: Make the boot_cpu_data look normal. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - kernel.spec: Require the new microcode_ctl. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} {CVE-2017-5715} - x86/microcode/AMD: Add support for fam17h microcode loading (Tom Lendacky) [Orabug: 27339995] {CVE-2017-5715} - x86/spec_ctrl: Disable if running as Xen PV guest. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - Set IBPB when running a different VCPU (Dave Hansen) [Orabug: 27339995] {CVE-2017-5715} - Clear the host registers after setbe (Jun Nakajima) [Orabug: 27339995] {CVE-2017-5715} - Use the ibpb_inuse variable. (Jun Nakajima) [Orabug: 27339995] {CVE-2017-5715} - KVM: x86: add SPEC_CTRL to MSR and CPUID lists (Andrea Arcangeli) [Orabug: 27339995] {CVE-2017-5715} - kvm: vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Paolo Bonzini) [Orabug: 27339995] {CVE-2017-5715} - Use the "ibrs_inuse" variable. (Jun Nakajima) [Orabug: 27339995] {CVE-2017-5715} - kvm: svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Andrea Arcangeli) [Orabug: 27339995] {CVE-2017-5715} - x86/svm: Set IBPB when running a different VCPU (Paolo Bonzini) [Orabug: 27339995] {CVE-2017-5715} - x86/kvm: Pad RSB on VM transition (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/cpu/AMD: Add speculative control support for AMD (Tom Lendacky) [Orabug: 27339995] {CVE-2017-5715} - x86/microcode: Recheck IBRS and IBPB feature on microcode reload (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86: Move IBRS/IBPB feature detection to scattered.c (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/kvm: clear registers on VM exit (Tom Lendacky) [Orabug: 27339995] {CVE-2017-5715} - x86/kvm: Set IBPB when switching VM (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - *INCOMPLETE* x86/syscall: Clear unused extra registers on syscall entrance (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/mm: Only set IBPB when the new thread cannot ptrace current thread (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/mm: Set IBPB upon context switch (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/spec_ctrl: save IBRS MSR value in paranoid_entry (Andrea Arcangeli) [Orabug: 27339995] {CVE-2017-5715} - *Scaffolding* x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86: Add macro that does not save rax, rcx, rdx on stack to disable IBRS (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/enter: MACROS to set/clear IBRS and set IBP (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86/feature: Report presence of IBPB and IBRS control (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} - x86: Add STIBP feature enumeration (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/cpufeature: Add X86_FEATURE_IA32_ARCH_CAPS and X86_FEATURE_IBRS_ATT (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} - x86/feature: Enable the x86 feature to control (Tim Chen) [Orabug: 27339995] {CVE-2017-5715} 3. Output for: "rpm -q --changelog kernel-uek | egrep 'CVE-2017-5754'" is like. a) On UEK2: # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5754'
- kaiser: rename X86_FEATURE_KAISER to X86_FEATURE_PTI to match upstream (Mike Kravetz) {CVE-2017-5754} - x86/kaiser: Check boottime cmdline params (Mike Kravetz) [Orabug: 27333761] {CVE-2017-5754} - x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754} - KPTI: Report when enabled (Mike Kravetz) [Orabug: 27333761] {CVE-2017-5754} - PTI: unbreak EFI old_memmap (Jiri Kosina) [Orabug: 27333761] [Orabug: 27333760] {CVE-2017-5754} - kaiser: Set _PAGE_NX only if supported (Guenter Roeck) [Orabug: 27333761] [Orabug: 27333760] {CVE-2017-5754} - KPTI: Rename to PAGE_TABLE_ISOLATION (Kees Cook) [Orabug: 27333761] {CVE-2017-5754} - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754} - kaiser: asm/tlbflush.h handle noPGE at lower level (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754} - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754} - x86/alternatives: add asm ALTERNATIVE macro (Mike Kravetz) [Orabug: 27333761] {CVE-2017-5754} - x86/kaiser: Reenable PARAVIRT, dynamically disable KAISER if PARAVIRT (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754} - kaiser: add "nokaiser" boot option, using ALTERNATIVE (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754} - x86-32: Fix boot with CONFIG_X86_INVD_BUG (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - kaiser: alloc_ldt_struct() use get_zeroed_page() (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754} - kaiser: user_map __kprobes_text too (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754} - x86/mm/kaiser: re-enable vsyscalls (Andrea Arcangeli) [Orabug: 27333761] {CVE-2017-5754} - KAISER: Kernel Address Isolation (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: fix bad backport to disable PCID on Xen (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754} - x86/mm/64: Fix reboot interaction with CR4.PCIDE (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Enable CR4.PCIDE on supported systems (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Add the 'nopcid' boot option to turn off PCID (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Disable PCID on 32-bit kernels (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off() (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm, sched/core: Turn off IRQs in switch_mm() (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm, sched/core: Uninline switch_mm() (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Build arch/x86/mm/tlb.c even on !SMP (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - sched/core: Add switch_mm_irqs_off() and use it in the scheduler (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - mm/mmu_context, sched/core: Fix mmu_context.h assumption (Ingo Molnar) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: If INVPCID is available, use it to flush global mappings (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Fix INVPCID asm constraint (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Add INVPCID helpers (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86, cpufeature: Add CPU features from Intel document 319433-012A (H. Peter Anvin) [Orabug: 27333761] {CVE-2017-5754} - x86/paravirt: Dont patch flush_tlb_single (Thomas Gleixner) [Orabug: 27333761] {CVE-2017-5754} - x86-64: Map the HPET NX (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} - x86/ldt: Make modify_ldt synchronous (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} {CVE-2015-5157} - x86, cpu: Add cpufeature flag for PCIDs (Arun Thomas) [Orabug: 27333761] {CVE-2017-5754} - x86/mm: Disable preemption during CR3 read+write (Sebastian Andrzej Siewior) [Orabug: 27333761] {CVE-2017-5754} b) On UEK4: # rpm -q --changelog kernel-uek | egrep 'CVE-2017-5754'
- x86/pti/efi: broken conversion from efi to kernel page table (Pavel Tatashin) [Orabug: 27363926] [Orabug: 27352353] {CVE-2017-5754} - x86/ia32: save and clear registers on syscall. (Jamie Iles) [Orabug: 27355759] {CVE-2017-5754} - pti: Rename X86_FEATURE_KAISER to X86_FEATURE_PTI (Pavel Tatashin) [Orabug: 27352353] {CVE-2017-5754} - Re-introduce clearing of r12-15, rbp, rbx (Kris Van Hees) [Orabug: 27352353] {CVE-2017-5754} - x86: more ibrs/pti fixes (Pavel Tatashin) [Orabug: 27352353] {CVE-2017-5754} - kpti: Disable when running under Xen PV (Konrad Rzeszutek Wilk) [Orabug: 27352353] {CVE-2017-5754} - x86: Fix spectre/kpti integration (Konrad Rzeszutek Wilk) [Orabug: 27352353] {CVE-2017-5754} - PTI: unbreak EFI old_memmap (Jiri Kosina) [Orabug: 27352353] {CVE-2017-5754} - KAISER KABI tweaks. (Martin K. Petersen) [Orabug: 27352353] {CVE-2017-5754} - x86/ldt: fix crash in ldt freeing. (Jamie Iles) [Orabug: 27352353] {CVE-2017-5754} - x86/entry: Define 'cpu_current_top_of_stack' for 64-bit code (Denys Vlasenko) [Orabug: 27352353] {CVE-2017-5754} - x86/entry: Remove unused 'kernel_stack' per-cpu variable (Denys Vlasenko) [Orabug: 27352353] {CVE-2017-5754} - x86/entry: Stop using PER_CPU_VAR(kernel_stack) (Denys Vlasenko) [Orabug: 27352353] {CVE-2017-5754} - kaiser: Set _PAGE_NX only if supported (Guenter Roeck) [Orabug: 27352353] {CVE-2017-5754} - x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - KPTI: Report when enabled (Kees Cook) [Orabug: 27352353] {CVE-2017-5754} - KPTI: Rename to PAGE_TABLE_ISOLATION (Kees Cook) [Orabug: 27352353] {CVE-2017-5754} - x86/kaiser: Move feature detection up (Borislav Petkov) [Orabug: 27352353] {CVE-2017-5754} - x86/kaiser: Reenable PARAVIRT (Borislav Petkov) [Orabug: 27352353] {CVE-2017-5754} - x86/paravirt: Dont patch flush_tlb_single (Thomas Gleixner) [Orabug: 27352353] {CVE-2017-5754} - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: asm/tlbflush.h handle noPGE at lower level (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: drop is_atomic arg to kaiser_pagetable_walk() (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - x86/kaiser: Check boottime cmdline params (Borislav Petkov) [Orabug: 27352353] {CVE-2017-5754} - x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling (Borislav Petkov) [Orabug: 27352353] {CVE-2017-5754} - kaiser: add "nokaiser" boot option, using ALTERNATIVE (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: fix unlikely error in alloc_ldt_struct() (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: paranoid_entry pass cr3 need to paranoid_exit (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: PCID 0 for kernel and 128 for user (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: enhanced by kernel and user PCIDs (Dave Hansen) [Orabug: 27352353] {CVE-2017-5754} - kaiser: vmstat show NR_KAISERTABLE as nr_overhead (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: delete KAISER_REAL_SWITCH option (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: cleanups while trying for gold link (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: kaiser_remove_mapping() move along the pgd (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: tidied up kaiser_add/remove_mapping slightly (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: tidied up asm/kaiser.h somewhat (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: ENOMEM if kaiser_pagetable_walk() NULL (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: fix perf crashes (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: KAISER depends on SMP (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: fix build and FIXME in alloc_ldt_struct() (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: do not set _PAGE_NX on pgd_none (Hugh Dickins) [Orabug: 27352353] {CVE-2017-5754} - kaiser: merged update (Dave Hansen) [Orabug: 27352353] {CVE-2017-5754} - KAISER: Kernel Address Isolation (Richard Fellner) [Orabug: 27352353] {CVE-2017-5754} - x86/boot: Add early cmdline parsing for options with arguments (Tom Lendacky) [Orabug: 27352353] {CVE-2017-5754} - x86/mm/64: Fix reboot interaction with CR4.PCIDE (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Enable CR4.PCIDE on supported systems (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Add the 'nopcid' boot option to turn off PCID (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Disable PCID on 32-bit kernels (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range() (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Make flush_tlb_mm_range() more predictable (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Remove flush_tlb() and flush_tlb_current_task() (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly() (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/irq: Do not substract irq_tlb_count from irq_call_count (Aaron Lu) [Orabug: 27352353] {CVE-2017-5754} - sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off() (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - ARM: Hide finish_arch_post_lock_switch() from modules (Steven Rostedt) [Orabug: 27352353] {CVE-2017-5754} - x86/mm, sched/core: Turn off IRQs in switch_mm() (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm, sched/core: Uninline switch_mm() (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Build arch/x86/mm/tlb.c even on !SMP (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - sched/core: Add switch_mm_irqs_off() and use it in the scheduler (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - mm/mmu_context, sched/core: Fix mmu_context.h assumption (Ingo Molnar) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: If INVPCID is available, use it to flush global mappings (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Fix INVPCID asm constraint (Borislav Petkov) [Orabug: 27352353] {CVE-2017-5754} - x86/mm: Add INVPCID helpers (Andy Lutomirski) [Orabug: 27352353] {CVE-2017-5754} 4. Output for: "grep flags /proc/cpuinfo | grep pti" is like. # grep flags /proc/cpuinfo | grep pti
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 popcnt aes lahf_lm ida arat epb dtherm pti tpr_shadow vnmi flexpriority ept vpid 5. Output for the "dmesg | grep isolation" command is like: a) UEK2 # dmesg | grep isolation
Kernel/User page tables isolation: enabled b) UEK4 # dmesg | grep isolation
[ 0.000000] Kernel/User page tables isolation: enabled
Attachments This solution has no attachment |
||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||