kernel-packages team mailing list archive

Thread
Date
[Bug 1352994] Re: remap_4K_pfn() safety improvement needed for Ubuntu 14.10

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1352994@xxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Aug 2014 15:41:44 -0000
Reply-to: Bug 1352994 <1352994@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package linux - 3.16.0-8.13

---------------
linux (3.16.0-8.13) utopic; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1356403

  [ dann frazier ]

  * [debian] Allow for package revisions condusive for branching

  [ Upstream Kernel Changes ]

  * ahci_xgene: Fix the watermark threshold for the APM X-Gene SATA host controller driver.
    - LP: #1350087
  * ahci_xgene: Use correct OOB tunning parameters for APM X-Gene SoC AHCI SATA Host controller driver.
    - LP: #1350087
  * powerpc/powernv: Enable M64 aperatus for PHB3
    - LP: #1355469
  * powerpc: Fail remap_4k_pfn() if PFN doesn't fit inside PTE
    - LP: #1352994
  * powerpc: Add machine_early_initcall()
    - LP: #1352640
  * powerpc/powernv: Switch powernv drivers to use machine_xxx_initcall()
    - LP: #1352640
  * powerpc/eeh: Avoid event on passed PE
    - LP: #1352640
  * powerpc/eeh: EEH support for VFIO PCI device
    - LP: #1352640
  * powerpc/eeh: sysfs entries lost
    - LP: #1352640
  * powerpc/powernv: Fix IOMMU table for VFIO dev
    - LP: #1352640
  * powerpc/eeh: Fetch IOMMU table in reliable way
    - LP: #1352640
  * powerpc/eeh: Refactor EEH flag accessors
    - LP: #1352640
  * powerpc/eeh: Selectively enable IO for error log
    - LP: #1352640
  * powerpc/eeh: Reduce lines of log dump
    - LP: #1352640
  * powerpc/eeh: Replace pr_warning() with pr_warn()
    - LP: #1352640
  * powerpc/eeh: Make diag-data not endian dependent
    - LP: #1352640
  * powerpc/eeh: Aux PE data for error log
    - LP: #1352640
  * PCI: Support BAR sizes up to 128GB
    - LP: #1352640
  * powerpc/powernv: Allow to freeze PE
    - LP: #1352640
  * powerpc/powernv: Split ioda_eeh_get_state()
    - LP: #1352640
  * powerpc/powernv: Handle compound PE
    - LP: #1352640
  * powerpc/powernv: Handle compound PE for EEH
    - LP: #1352640
  * powerpc/powernv: Handle compound PE in config accessors
    - LP: #1352640
  * mnt: Only change user settable mount flags in remount
    - LP: #1356318
    - CVE-2014-5206
  * mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount
    - LP: #1356318
    - CVE-2014-5206
  * mnt: Correct permission checks in do_remount
    - LP: #1356323
    - CVE-2014-5207
  * mnt: Change the default remount atime from relatime to the existing value
    - LP: #1356323
    - CVE-2014-5207
 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>   Sun, 10 Aug 2014 09:10:51 -0600

** Changed in: linux (Ubuntu Utopic)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-5206

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-5207

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1352994

Title:
  remap_4K_pfn() safety improvement needed for Ubuntu 14.10

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux” source package in Utopic:
  Fix Released

Bug description:
  == Comment: #0 - Brian Hart <hartb@xxxxxxxxxx> - 2014-08-04 17:41:57 ==
  ---Problem Description---
  The current implementation of remap_4k_pfn() trusts that it's safe to map the PFN supplied by the requestor.  But there may be PFNs that are not safe to map via remap_4k_pfn().  (For example, the addresses at which PCI MMIO regions are mapped in some hypervisor configurations.)  When an unsafe PFN passes through remap_4k_pfn() some address bits may be unknowingly dropped by the underlying remapping routines.  When that happens the remap will appear to succeed, but any later attempt to use the mapping will checkstop the machine because the truncated target address is not present in the machine.

  A patch has been submitted that will cause remap_4k_pfn() to detect
  and reject these unsafe requests:

  https://lists.ozlabs.org/pipermail/linuxppc-dev/2014-July/119179.html

  Our project needs some form of this safety improvement in the Ubuntu 14.10 release.
   
  ---uname output---
  Linux tul115p1 3.16.0-6-generic #11-Ubuntu SMP Mon Jul 28 02:00:45 UTC 2014 ppc64le ppc64le ppc64le GNU/Linux
   
  Machine Type = 8286-42A 
   
  ---Debugger---
  A debugger is not configured
   
  ---Steps to Reproduce---
   The problem requires a hypervisor that allows PCI MMIO regions to span above the 46-bit line, and a device driver that maps MMIO regions using remap_4k_pfn().

  I can provide detailed instructions and a driver upon request.
   
  Stack trace output:
   no
   
  Oops output:
   no
   
  System Dump Info:
    The system is not configured to capture a system dump.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1352994/+subscriptions