RHSA-2018:1826 Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Security Fixes are described in RHSA-2018:1826.

This update adds the following enhancements and fixes the following bugs:

  • This update provides a standard vulnerability status file and a mitigation switch file for the Meltdown vulnerability on IBM Power systems. These files allow you to verify whether the system is vulnerable to the Meltdown attack with a standard sysfs file, and to switch the RFI Flush mitigation against the attack on and off at runtime using a debugfs file if required. The vulnerability status file is located at "/sys/devices/system/cpu/vulnerabilities/meltdown", and the mitigation switch is available at "/sys/kernel/debug/powerpc/rfi_flush". (BZ#1565986)

  • This update provides support for enabling or disabling the Return from Interrupt (RFI) flush functionality on IBM POWER Systems with up-to-date firmware. In certain secured environments, a system administrator may prefer system performance over security. Disabling the RFI flush allows the administrator to choose higher system performance over security. (BZ#1565988)

  • Under certain circumstances, such as when using out-of-date firmware, the Meltdown attack mitigation was not effective on destination host systems after a Live Partition Mobility (LPM) operation. As a consequence, Logical Partitions (LPARs) could be compromised during LPM operations. This update ensures reconfiguration of Meltdown attack mitigation on the destination host system. As a result, LPARs are now secure against the Meltdown attack. (BZ#1568324)

  • This update adds the sysfs files needed to verify that the system is protected against the Meltdown and Spectre attacks. As a result, the following sysfs files are available: /sys/devices/system/cpu/vulnerabilities/meltdown, /sys/devices/system/cpu/vulnerabilities/spectre_v1, /sys/devices/system/cpu/vulnerabilities/spectre_v2. (BZ#1569881)

  • Previously, erroneous code in the x86 kexec system call path caused memory corruption. As a consequence, the system became unresponsive with the following kernel stack trace:

       'WARNING: CPU: 13 PID: 36409 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0 list_del corruption. prev->next should be ffffdd03fddeeca0, but was (null)'
    

    This update ensures that the code does not corrupt memory. As a result, the operating system no longer hangs. (BZ#1573178)

  • This update adds support for retpolines to GCC on IBM z Systems. Retpolines are a technique used by the kernel to reduce the overhead of mitigating Spectre Variant 2 attacks described in CVE-2017-5715. (BZ#1573733)

  • Previously, the support of the Page Table Isolation (PTI) kernel feature on the 32-bit Intel architecture kernels introduced conflicts between the kernel entry code and the kernel debugger. As a consequence, the debugger was not able to pause correctly. This update fixes the kernel entry code so that it no longer conflicts with the debugger. As a result, the debugger now works correctly, as it did before PTI support was added. (BZ#1577780)

  • The support of the Page Table Isolation (PTI) kernel feature on the 32-bit Intel architecture kernels introduced a change in the kernel stack handling. However, the vm86 system call was not modified accordingly. As a consequence, calling vm86 led to a kernel panic. This update modifies the vm86 code to work with the correct kernel stack. As a result, vm86 no longer causes a kernel panic. (BZ#1577786)

  • Previously, microcode updates on 32-bit and 64-bit AMD and Intel architectures were not synchronized. As a consequence, it was not possible to apply the microcode updates. This fix adds the synchronization to the microcode updates so that processors of the stated architectures receive updates at the same time. As a result, microcode updates are now synchronized. (BZ#1578304)

  • The initial Speculative Store Bypass Disable (SSBD) mitigation on AMD 32-bit and 64-bit architecture kernels required the use of a non-architectural model-specific register (MSR) that was not supported by KVM. As a consequence, SSBD caused a fault in the boot process inside a virtual machine (VM) guest. The operating system was not able to handle the fault gracefully, and the kernel panicked. This update temporarily disables the SSBD mitigation for the AMD 32-bit and 64-bit architecture kernels when running as a VM guest. As a result, the kernel no longer panics. Note that the engineering team is going to re-enable the SSBD mitigation in a future version of the AMD 32-bit and 64-bit architecture kernels. (BZ#1582420)
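
The sysfs status files and the rfi_flush debugfs switch named above can be audited with a short script. This is an added example, not part of the advisory: the optional `sysroot` argument and the OK/VULNERABLE/UNKNOWN/MISSING verdict labels are illustrative assumptions, and the status line prefixes matched are assumed to follow the upstream kernel convention.

```shell
#!/bin/sh
# Added example: audit the vulnerability status files listed in this advisory.
# Run audit_vulnerabilities with no argument on a live host, or pass a
# directory holding a copied /sys tree (hypothetical "sysroot" parameter).

VULN_FILES="meltdown spectre_v1 spectre_v2"

# classify_status <status-line>: prints OK, VULNERABLE or UNKNOWN.
# Assumed prefixes: "Not affected", "Mitigation: ...", "Vulnerable...".
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# audit_vulnerabilities [sysroot]: prints one line per status file and
# returns 1 if any file is missing or does not report a mitigated state.
audit_vulnerabilities() {
    root="${1:-}"
    dir="$root/sys/devices/system/cpu/vulnerabilities"
    rc=0
    for name in $VULN_FILES; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(head -n 1 "$f")
            verdict=$(classify_status "$status")
        else
            # A kernel without this update does not expose the file at all.
            status="status file not present"
            verdict=MISSING
        fi
        [ "$verdict" = OK ] || rc=1
        printf '%-10s %-10s %s\n' "$name" "$verdict" "$status"
    done
    # IBM Power only: report the runtime RFI flush switch when debugfs is
    # mounted and readable (normally requires root). Informational only.
    rfi="$root/sys/kernel/debug/powerpc/rfi_flush"
    if [ -r "$rfi" ]; then
        printf '%-10s %-10s %s\n' rfi_flush INFO "value=$(cat "$rfi")"
    fi
    return $rc
}
```

The non-zero return value lets the function serve as a compliance gate in configuration management or monitoring after the updated kernel is booted.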