LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

March 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS March 2018

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Security ERRATA Important: kernel on SL7.x x86_64
From:	Gilles Detillieux <[log in to unmask]>
Reply To:	Gilles Detillieux <[log in to unmask]>
Date:	Fri, 9 Mar 2018 14:51:25 -0600
Content-Type:	text/plain
Parts/Attachments:	text/plain (100 lines)

I wasn't sure if you could safely mix code compiled with and without the 
retpoline extensions into the same kernel, which is why I thought the 
Makefile threw an error. But if it's safe to do, I may give this a shot 
next week if the gcc update doesn't come as expected, or if for some 
reason it doesn't allow the third party driver to build properly.

Thanks!
Gilles

On 03/09/2018 03:58 AM, Stephan Wiesand wrote:
> Meanwhile, this change should help:
>
> ---8<---
> --- /usr/src/kernels/3.10.0-693.21.1.el7.x86_64/arch/x86/Makefile.orig	2018-03-09 10:49:58.902263193 +0100
> +++ /usr/src/kernels/3.10.0-693.21.1.el7.x86_64/arch/x86/Makefile	2018-03-09 10:50:51.820305074 +0100
> @@ -160,12 +160,12 @@
>   # Avoid indirect branches in kernel to deal with Spectre
>   ifdef CONFIG_RETPOLINE
>       RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)
>       ifneq ($(RETPOLINE_CFLAGS),)
>           KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
> -    else
> -        $(error CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended.)
> +#    else
> +#        $(error CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended.)
>       endif
>   endif
>
>   archscripts: scripts_basic
>   	$(Q)$(MAKE) $(build)=arch/x86/tools relocs
> --->8---
>
> - Stephan
>
>> On 8. Mar 2018, at 18:59, Pat Riehecky <[log in to unmask]> wrote:
>>
>> An updated gcc that supports this option is scheduled for publication on Tuesday.
>>
>> Pat
>>
>> On 03/08/2018 11:46 AM, Gilles Detillieux wrote:
>>> I realize this problem was likely introduced by upsteam updates, but I thought I'd point it out here anyway so you're aware of it. An unintended consequence of this latest kernel update is that it breaks recompilation of third-party kernel modules. The new kernel was built with CONFIG_RETPOLINE enabled, so presumably with a compiler that supports it, but that updated compiler hasn't been released through a corresponding security ERRATA update. (Not yet, anyway.) When I try to build a third-party device driver, I get the following error:
>>>
>>> make[1]: Entering directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
>>> arch/x86/Makefile:166: *** CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended..  Stop.
>>> make[1]: Leaving directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
>>> make: *** [default] Error 2
>>>
>>> Is an update of the compiler toolchain for RHEL7/SL7 through the usual update repos forthcoming? Until then, I don't think I can use this kernel update on systems that rely on that 3rd party driver.
>>>
>>> Thanks,
>>> Gilles
>>>
>>> On 2018-03-07 16:16, Pat Riehecky wrote:
>>>> Synopsis:          Important: kernel security and bug fix update
>>>> Advisory ID:       SLSA-2018:0395-1
>>>> Issue Date:        2018-03-06
>>>> CVE Numbers:       CVE-2017-7518
>>>>                      CVE-2017-12188
>>>> -- 
>>>>
>>>> Security Fix(es):
>>>>
>>>> * Kernel: KVM: MMU potential stack buffer overrun during page walks
>>>> (CVE-2017-12188, Important)
>>>>
>>>> * Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518,
>>>> Moderate)
>>>> -- 
>>>>
>>>> SL7
>>>>     x86_64
>>>>       kernel-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-debug-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-debug-debuginfo-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-debug-devel-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-debuginfo-3.10.0-693.21.1.el7.x86_64.rpm
>>>> kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-devel-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-headers-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-tools-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-tools-debuginfo-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-tools-libs-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       perf-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       perf-debuginfo-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       python-perf-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       python-perf-debuginfo-3.10.0-693.21.1.el7.x86_64.rpm
>>>>       kernel-tools-libs-devel-3.10.0-693.21.1.el7.x86_64.rpm
>>>>     noarch
>>>>       kernel-abi-whitelists-3.10.0-693.21.1.el7.noarch.rpm
>>>>       kernel-doc-3.10.0-693.21.1.el7.noarch.rpm
>>>>
>>>> - Scientific Linux Development Team

-- 
Gilles R. Detillieux              E-mail: <[log in to unmask]>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. of Physiology and Pathophysiology, Rady Faculty of Health Sciences,
Univ. of Manitoba  Winnipeg, MB  R3E 0J9  (Canada)

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV