Bug 1092885

Summary: VUL-0: CVE-2018-3639: qemu,kvm,libvirt: V4 – Speculative Store Bypass aka "Memory Disambiguation"
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Bruce Rogers <brogers>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: astieger, bpetkov, brogers, duwe, jfehlig, jkosina, mbenes, meissner, mhocko, mlatimer, msuchanek, nstange, ptesarik
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/202788/
Whiteboard: CVSSv3:SUSE:CVE-2018-3639:4.3:(AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1087078, 1087082
Attachments:
0001-i386-Add-bit-2-of-SPEC_CTRL-MSR-support-RDS.patch
0001-i386-Add-bit-2-of-SPEC_CTRL-MSR-support-SSBD.patch
Patch to add ssbd to libvirt cpu map

Comment 1 Marcus Meissner 2018-05-11 08:36:52 UTC
Created attachment 769875 [details]
0001-i386-Add-bit-2-of-SPEC_CTRL-MSR-support-RDS.patch

Comment 2 Marcus Meissner 2018-05-11 08:45:46 UTC
the flag is named ssbd now, but I have not seen a patch with that yet.
Comment 3 Marcus Meissner 2018-05-11 09:11:47 UTC
Created attachment 769879 [details]
0001-i386-Add-bit-2-of-SPEC_CTRL-MSR-support-SSBD.patch

v13
Comment 4 Bruce Rogers 2018-05-11 20:32:43 UTC
(In reply to Marcus Meissner from comment #3)
> Created attachment 769879 [details]
> 0001-i386-Add-bit-2-of-SPEC_CTRL-MSR-support-SSBD.patch
> 
> 0001-i386-Add-bit-2-of-SPEC_CTRL-MSR-support-SSBD.patch
> 
> v13

Looks like we'll also need to tweak some existing QEMU patches (from the last Spectre round) as well.
Comment 9 James Fehlig 2018-05-14 20:51:49 UTC
Created attachment 770168 [details]
Patch to add ssbd to libvirt cpu map

From what little I know about spectre v4, I suspect a libvirt patch would look something like this.
Comment 11 Bruce Rogers 2018-05-15 15:20:01 UTC
I've submitted kvm (sle11) and qemu (sle12) maintenance updates with this patch included as follows:
SLE-11 SP3 kvm - MR 165007
SLE-11-SP4 kvm - MR 165008
SLE-12-SP2 qemu - MR 165009
SLE-12-SP3 qemu - MR 165010
Comment 12 Marcus Meissner 2018-05-16 06:44:50 UTC
can you also do SLE-12-SP1 and SLE-12 GA ?
Comment 13 James Fehlig 2018-05-16 13:54:17 UTC
Marcus, are you expecting a libvirt fix as part of this bug? I cooked up the patch in #9 based on the patch in #3, but it would be nice to test it on a machine with all the fixes. E.g. after adding the new feature to cpu_map.xml and restarting libvirtd, ensure the feature is shown within the <host> CPU info from 'virsh capabilities'.
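
The check described in comment #13, written out as an added example (not part of the original thread and not libvirt's own code): it parses `virsh capabilities` output and reports whether `ssbd` appears among the `<host>` CPU features. The two XML documents are constructed, abbreviated samples, and the function names are hypothetical.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed, abbreviated 'virsh capabilities' output (not captured from a real host).
CAPS_BEFORE = """<capabilities>
  <host>
    <cpu>
      <arch>x86_64</arch>
      <model>Broadwell</model>
      <vendor>Intel</vendor>
      <feature name='vmx'/>
      <feature name='spec-ctrl'/>
    </cpu>
  </host>
</capabilities>"""

# Same host after the cpu_map.xml update and a libvirtd restart (constructed).
CAPS_AFTER = CAPS_BEFORE.replace(
    "<feature name='spec-ctrl'/>",
    "<feature name='spec-ctrl'/>\n      <feature name='ssbd'/>",
)


def host_cpu_features(caps_xml):
    """Return the feature names listed under <host><cpu> only."""
    root = ET.fromstring(caps_xml)
    cpu = root.find("./host/cpu")
    if cpu is None:
        raise ValueError("no <host><cpu> element in capabilities XML")
    return {f.get("name") for f in cpu.findall("feature") if f.get("name")}


def missing_features(caps_xml, required=("ssbd",)):
    """Return the required feature names the host CPU does not report."""
    have = host_cpu_features(caps_xml)
    return [name for name in required if name not in have]


def live_capabilities():
    """Fetch the XML from the local libvirtd (requires virsh on PATH)."""
    return subprocess.run(["virsh", "capabilities"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, xml in (("before", CAPS_BEFORE), ("after", CAPS_AFTER)):
        print(label, "missing:", missing_features(xml) or "none")
```

On a real host, pass `live_capabilities()` to `missing_features()` after restarting libvirtd.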
Comment 14 Bruce Rogers 2018-05-16 14:22:28 UTC
(In reply to Marcus Meissner from comment #12)
> can you also do SLE-12-SP1 and SLE-12 GA ?

SLE-12 qemu - MR 165097
SLE-12-SP1 qemu - MR 165096
Comment 17 Marcus Meissner 2018-05-21 21:27:13 UTC
issue is public.
Comment 18 Swamp Workflow Management 2018-05-22 01:07:46 UTC
SUSE-SU-2018:1362-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1079405,1092885
CVE References: CVE-2018-3639
Sources used:
SUSE OpenStack Cloud 7 (src):    qemu-2.6.2-41.40.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    qemu-2.6.2-41.40.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    qemu-2.6.2-41.40.1
SUSE Enterprise Storage 4 (src):    qemu-2.6.2-41.40.1
Comment 19 James Fehlig 2018-05-22 04:19:19 UTC
The libvirt patches were posted to the libvirt list today

https://www.redhat.com/archives/libvir-list/2018-May/msg01560.html

Since there appears to be no urgent rush for those, I'll add them to the various products tomorrow after they have been committed to libvirt.git.
Comment 20 Swamp Workflow Management 2018-05-22 13:08:28 UTC
SUSE-SU-2018:1363-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1068032,1082276,1092885
CVE References: CVE-2017-5715,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    qemu-2.3.1-33.9.4
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    qemu-2.3.1-33.9.4
Comment 23 James Fehlig 2018-05-22 21:39:09 UTC
I've submitted the libvirt patches to Factory, SLE15, SLE12 SP{2,3}, and SLE11 SP{3,4}. I have not added the patches to SLE12 GA or SLE12 SP1 as was requested for qemu in #12. ATM the libvirt in those products has no spectre patches. I wasn't aware they were needed and no one has asked for them.
Comment 25 Swamp Workflow Management 2018-05-23 06:27:43 UTC
SUSE-SU-2018:1378-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1070615,1092885
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    qemu-2.9.1-6.16.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    qemu-2.9.1-6.16.1
SUSE CaaS Platform ALL (src):    qemu-2.9.1-6.16.1
Comment 26 Swamp Workflow Management 2018-05-23 13:07:49 UTC
openSUSE-SU-2018:1380-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1070615,1092885
CVE References: CVE-2018-3639
Sources used:
openSUSE Leap 42.3 (src):    qemu-2.9.1-44.1, qemu-linux-user-2.9.1-44.1, qemu-testsuite-2.9.1-44.1
Comment 28 Swamp Workflow Management 2018-05-23 16:08:09 UTC
SUSE-SU-2018:1386-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1068032,1082276,1092885
CVE References: CVE-2017-5715,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    qemu-2.0.2-48.40.2
Comment 29 Swamp Workflow Management 2018-05-23 19:10:31 UTC
SUSE-SU-2018:1389-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1092885
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-53.20.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.20.1
Comment 30 Swamp Workflow Management 2018-05-28 19:08:51 UTC
SUSE-SU-2018:1452-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1092885
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    libvirt-1.0.5.9-21.9.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libvirt-1.0.5.9-21.9.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libvirt-1.0.5.9-21.9.1
Comment 31 Swamp Workflow Management 2018-05-30 16:08:24 UTC
SUSE-SU-2018:1475-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1092885
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libvirt-1.2.5-23.15.1
SUSE Linux Enterprise Server 11-SP4 (src):    libvirt-1.2.5-23.15.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libvirt-1.2.5-23.15.1
Comment 32 Swamp Workflow Management 2018-05-30 19:08:06 UTC
SUSE-SU-2018:1479-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1092885
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-60.12.1
Comment 33 Swamp Workflow Management 2018-06-05 14:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1092885) was mentioned in
https://build.opensuse.org/request/show/614294 15.0 / libvirt
https://build.opensuse.org/request/show/614311 15.0 / qemu
Comment 34 Swamp Workflow Management 2018-06-08 19:16:31 UTC
SUSE-SU-2018:1614-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1092885
CVE References: CVE-2018-3639
Sources used:
SUSE OpenStack Cloud 7 (src):    libvirt-2.0.0-27.42.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libvirt-2.0.0-27.42.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libvirt-2.0.0-27.42.1
SUSE Enterprise Storage 4 (src):    libvirt-2.0.0-27.42.1
Comment 35 Swamp Workflow Management 2018-06-09 13:08:14 UTC
openSUSE-SU-2018:1621-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1092885
CVE References: CVE-2018-3639
Sources used:
openSUSE Leap 15.0 (src):    libvirt-4.0.0-lp150.7.3.1
Comment 36 Swamp Workflow Management 2018-06-09 13:11:40 UTC
openSUSE-SU-2018:1628-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1092885,1093169
CVE References: CVE-2018-3639
Sources used:
openSUSE Leap 15.0 (src):    qemu-2.11.1-lp150.7.3.1, qemu-linux-user-2.11.1-lp150.7.3.1, qemu-testsuite-2.11.1-lp150.7.3.1
Comment 39 James Fehlig 2018-07-18 20:12:03 UTC
(In reply to Marcus Meissner from comment #12)
> can you also do SLE-12-SP1 and SLE-12 GA ?

I missed this request, but assume you want it for libvirt too. While at it, I backported fixes for other recent CVEs and will submit to 12 GA and SP1 soon.
Comment 41 Swamp Workflow Management 2018-07-27 16:15:36 UTC
SUSE-SU-2018:2082-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1076500,1079869,1083625,1092885
CVE References: CVE-2017-5715,CVE-2018-1064,CVE-2018-3639,CVE-2018-5748
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libvirt-1.2.18.4-22.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libvirt-1.2.18.4-22.3.1
Comment 42 Swamp Workflow Management 2018-07-30 22:08:16 UTC
SUSE-SU-2018:2141-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1076500,1079869,1083625,1092885,854343,897352,954872,956298,964465,968483,980558,987527
CVE References: CVE-2016-5008,CVE-2017-5715,CVE-2018-1064,CVE-2018-3639,CVE-2018-5748
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    libvirt-1.2.5-27.13.1
Comment 43 Swamp Workflow Management 2018-08-11 01:08:43 UTC
SUSE-SU-2018:2304-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (moderate)
Bug References: 1074014,1076861,1079150,1087416,1092885,1094325,1094480,1094725,1095556,959329
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libvirt-3.3.0-5.22.1
SUSE Linux Enterprise Server 12-SP3 (src):    libvirt-3.3.0-5.22.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libvirt-3.3.0-5.22.1
Comment 44 Swamp Workflow Management 2018-08-13 10:08:26 UTC
openSUSE-SU-2018:2306-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (moderate)
Bug References: 1074014,1076861,1079150,1087416,1092885,1094325,1094480,1094725,1095556,959329
CVE References: CVE-2018-3639
Sources used:
openSUSE Leap 42.3 (src):    libvirt-3.3.0-18.1
Comment 45 Marcus Meissner 2018-08-15 12:07:00 UTC
released
Comment 47 Swamp Workflow Management 2018-08-30 10:17:29 UTC
SUSE-SU-2018:2556-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1092885,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    qemu-2.0.2-48.43.3
Comment 48 Swamp Workflow Management 2018-08-30 22:08:32 UTC
SUSE-SU-2018:2565-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1020928,1092885,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    qemu-2.3.1-33.12.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    qemu-2.3.1-33.12.1
Comment 49 Swamp Workflow Management 2018-09-04 22:10:17 UTC
SUSE-SU-2018:2615-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1092885,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-53.23.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.23.2
Comment 50 Swamp Workflow Management 2018-09-07 16:08:52 UTC
SUSE-SU-2018:2650-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1092885,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-60.15.2
Comment 51 Swamp Workflow Management 2018-10-02 16:08:46 UTC
SUSE-SU-2018:2973-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1092885,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
SUSE OpenStack Cloud 7 (src):    qemu-2.6.2-41.43.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    qemu-2.6.2-41.43.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    qemu-2.6.2-41.43.3
SUSE Enterprise Storage 4 (src):    qemu-2.6.2-41.43.3
Comment 52 Swamp Workflow Management 2018-10-18 16:51:41 UTC
SUSE-SU-2018:1362-2: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1079405,1092885
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    qemu-2.6.2-41.40.1
Comment 53 Swamp Workflow Management 2018-10-18 16:52:13 UTC
SUSE-SU-2018:1614-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1092885
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libvirt-2.0.0-27.42.1
Comment 54 Swamp Workflow Management 2018-10-18 17:19:02 UTC
SUSE-SU-2018:2973-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1092885,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    qemu-2.6.2-41.43.3
Comment 55 Swamp Workflow Management 2018-10-29 20:15:07 UTC
SUSE-SU-2018:3555-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1092885,1094725,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    qemu-2.9.1-6.19.11
SUSE Linux Enterprise Desktop 12-SP3 (src):    qemu-2.9.1-6.19.11
SUSE CaaS Platform ALL (src):    qemu-2.9.1-6.19.11
SUSE CaaS Platform 3.0 (src):    qemu-2.9.1-6.19.11
Comment 56 Swamp Workflow Management 2018-11-09 23:24:11 UTC
openSUSE-SU-2018:3709-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1092885,1094725,1096223,1098735
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-3639
Sources used:
openSUSE Leap 42.3 (src):    qemu-2.9.1-47.1, qemu-linux-user-2.9.1-47.1, qemu-testsuite-2.9.1-47.2