
Re: CVE-2017-5754 - ETA?



On Sat, 2018-01-13 at 08:06 +0000, Tixy wrote:
> On Fri, 2018-01-12 at 22:40 +0100, Vincent Lefevre wrote:
> > On 2018-01-12 21:21:06 +0000, Nick wrote:
> > > It might have aged out of the buffer that dmesg reports on.
> > 
> > No, there's the beginning of the dmesg output:
> > 
> > [    0.000000] Linux version 4.9.0-5-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)
> > 
> > But I think I've found the reason:
> > 
> > In arch/x86/mm/kaiser.c:
> > 
> > void __init kaiser_check_boottime_disable(void)
> > {
> > [...]
> >         if (boot_cpu_has(X86_FEATURE_XENPV))
> >                 goto silent_disable;
> > [...]
> > disable:
> >         pr_info("disabled\n");
> > 
> > silent_disable:
> >         kaiser_enabled = 0;
> >         setup_clear_cpu_cap(X86_FEATURE_KAISER);
> > }
> > 
> > I must be in the "silent_disable" case (this is a Xen guest).
> > 
> > It's unfortunate that no-one mentions this case!
> 
> Hmm. I have a system running under Xen and get the 'page tables
> isolation: enabled' message. Here's what I hope are relevant parts from
> dmesg output...
> 
> [    0.000000] Linux version 4.9.0-5-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)
> ...
> [    0.000000] DMI: Xen HVM domU, BIOS 4.8.1-pre-memset3 06/07/2017
> [    0.000000] Hypervisor detected: Xen
> [    0.000000] Xen version 4.8.
> ...
> [    0.000000] Booting paravirtualized kernel on Xen HVM
> ...
> [    0.000000] Kernel/User page tables isolation: enabled

Replying to myself... The above makes sense as while the Debian kernel
is built with Xen paravirtualisation support, in my case it is running
under hardware virtualisation (HVM) so the paravirtualisation flag
(X86_FEATURE_XENPV) isn't set.

For people whose boot log says

  Booting paravirtualized kernel on Xen PVH

I would expect not to see any mention of 

  Kernel/User page tables isolation

as the code Vincent identified [1] silently disables it.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.76&id=402e63de94afdf7cd64e4eb209a8a77310e02d2c

-- 
Tixy
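
Added example, not part of the original message or of the kernel source: a shell check that tells the cases discussed in this thread apart from a saved boot log (for instance `dmesg > boot.log`). The function name `kpti_state`, its output labels and the sample logs are made up for this example; the matched strings are the ones quoted in the thread.

```shell
#!/bin/sh
# Classify KAISER/KPTI state from a saved boot log.
# Output: enabled | disabled | silent-xen | silent | truncated
kpti_state() {
    log=$1
    # If the first kernel line has aged out of the ring buffer,
    # a missing isolation message proves nothing.
    grep -q 'Linux version ' "$log" || { echo truncated; return 0; }
    if grep -q 'Kernel/User page tables isolation: enabled' "$log"; then
        echo enabled
    elif grep -q 'Kernel/User page tables isolation: disabled' "$log"; then
        echo disabled
    elif grep -q 'Booting paravirtualized kernel on Xen' "$log"; then
        # Complete log, Xen guest, no message: fits the silent_disable path.
        echo silent-xen
    else
        echo silent
    fi
}

# Constructed sample logs, shortened and modelled on the quoted lines.
sample_hvm() {
    cat <<'EOF'
[    0.000000] Linux version 4.9.0-5-amd64 (constructed sample)
[    0.000000] Hypervisor detected: Xen
[    0.000000] Booting paravirtualized kernel on Xen HVM
[    0.000000] Kernel/User page tables isolation: enabled
EOF
}
sample_pv() {   # the boot line Tixy expects on a guest with no isolation message
    cat <<'EOF'
[    0.000000] Linux version 4.9.0-5-amd64 (constructed sample)
[    0.000000] Booting paravirtualized kernel on Xen PVH
EOF
}
sample_wrapped() {
    cat <<'EOF'
[ 9000.000000] constructed line from long after boot
EOF
}

tmp=$(mktemp)
for s in sample_hvm sample_pv sample_wrapped; do
    "$s" > "$tmp"
    printf '%s: %s\n' "$s" "$(kpti_state "$tmp")"
done
rm -f "$tmp"
```

A result of `silent-xen` or `silent` means the log gives no confirmation that isolation is active, so the host should be treated as unmitigated until verified another way.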

