masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
|
|
Hi,
I have some comments for this issue.
https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandeburg@intel.com/
There are multiple patches fixed for 4.19, which can be separated by feature.
- i40e: add num_vectors checker in iwarp handler
This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver"). e3219ce6a7754 is not included in 4.4.y and can be ignored.
- i40e: Wrong truncation from u16 to u8
This can be applied in 4.4.y.
- i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter"). It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied.
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c @@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct i40e_vf *vf, u16 vsi_id) * check for the valid queue id **/ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id, - u8 qid) + u16 qid) { struct i40e_pf *pf = vf->pf; struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
- i40e: Memory leak in i40e_config_iwarp_qvlist
This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver"). e3219ce6a7754 is not included in 4.4.y and can be ignored.
Best regards,
Nobuhiro
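Review bot: widening qid from u8 to u16 in the i40e_vc_isvalid_queue_id() signature (the i40e_virtchnl_pf.c hunk) only closes the truncation if every caller also passes the queue id at full width, and this hunk changes no call site. For the 4.4.y backport, check that no caller stores the VF-supplied queue id in a u8 local or narrows it before the call, otherwise the value is still truncated before it is validated. If only this hunk is carried over from the upstream "Fix of memory leak and integer truncation" patch, the backport's commit message should say which parts were dropped and why.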
-----Original Message----- From: cip-dev@... [mailto:cip-dev@...] On Behalf Of masashi.kudo@... Sent: Thursday, October 8, 2020 6:43 PM To: cip-dev@... Cc: jan.kiszka@... Subject: [cip-dev] Backporting of security patches for Intel i40e drivers required?
Hi, Jan-san, All,
At the IRC meeting today, we identified the following new CVEs are not in LTS4.4 yet.
- CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for mainline and 4.19+
These are for i40e driver for Intel.
The kernel team would like to know whether their backporting is needed or not.
For details of those CVE checking results, please see the following. https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/75/diffs
Regarding the discussion of the IRC meeting, please see the following. https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.00.log.html
Best regards, -- M. Kudo
|
|
Hi all,
given the exposure of such a device but also the fact that I can't tell for sure if/where it's used (not only by us), I would recommend backporting.
Jan
-- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux
|
|
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Jan-san,
Thanks for your response.
Best regards, -- M. Kudo
|
|
Hi!
given the exposure of such a device but also the fact that I can't tell for sure if/where it's used (not only by us), I would recommend backporting.
There are multiple patches fixed for 4.19, which can be separated by feature.
- i40e: add num_vectors checker in iwarp handler
This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver"). e3219ce6a7754 is not included in 4.4.y and can be ignored.
It is interesting this one is listed in both CVE-145, CVE-147 in cip-kernel-sec. Is that an error?
- i40e: Wrong truncation from u16 to u8
This can be applied in 4.4.y.
- i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter"). It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied.
I see also
- i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
which apparently allows people to listen to packets they should not see. But I assume this requires elevated privileges to begin with...
Best regards, Pavel
-- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
Chen-Yu Tsai (Moxa) <wens@...>
On Wed, Oct 14, 2020 at 10:14 PM Pavel Machek <pavel@...> wrote:
Hi!
given the exposure of such a device but also the fact that I can't tell for sure if/where it's used (not only by us), I would recommend backporting.
There are multiple patches fixed for 4.19, which can be separated by feature.
- i40e: add num_vectors checker in iwarp handler
This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver"). e3219ce6a7754 is not included in 4.4.y and can be ignored.
It is interesting this one is listed in both CVE-145, CVE-147 in cip-kernel-sec. Is that an error?
Given that Intel's security notice did not state which patches fixed which issues, nor which commits caused them, I tried to guess which patch fixed which issue, based solely on their descriptions. Then I looked at the history of the driver to see which commit the patches fixed. Grouping by feature is probably a better way to determine if the backport is required or not.
ChenYu
- i40e: Wrong truncation from u16 to u8
This can be applied in 4.4.y.
- i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter"). It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied.
I see also
- i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
which apparently allows people to listen to packets they should not see. But I assume this requires elevated privileges to begin with...
Best regards, Pavel
-- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi,
The other day, I inquired about CVE-2019-0145, CVE-2019-0147, and CVE-2019-0148 in the following email.
The kernel team discussed for weeks how to deal with them. As a result of these discussions, we concluded to ignore them until Intel fixes issues, because:
- The descriptions of patches are not clear, and we cannot figure out what is right
- The patches we identified do not really look like fixing too serious stuff.
So far, we had the following AI, but we close this based on the above situation.
2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 needs to be backported to 4.4 - Kernel Team
Best regards, -- M. Kudo
-----Original Message----- From: cip-dev@... [mailto:cip-dev@...] On Behalf Of masashi.kudo@... Sent: Thursday, October 8, 2020 6:43 PM To: cip-dev@... Cc: jan.kiszka@... Subject: [cip-dev] Backporting of security patches for Intel i40e drivers required?
Hi, Jan-san, All,
At the IRC meeting today, we identified the following new CVEs are not in LTS4.4 yet.
- CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for mainline and 4.19+
These are for i40e driver for Intel.
The kernel team would like to know whether their backporting is needed or not.
For details of those CVE checking results, please see the following. https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/75/diffs
Regarding the discussion of the IRC meeting, please see the following. https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.00.log.html
Best regards, -- M. Kudo
|
|
Ben Hutchings <ben.hutchings@...>
On Wed, 2020-11-11 at 13:18 +0000, masashi.kudo@... wrote:
Hi,
The other day, I inquired about CVE-2019-0145, CVE-2019-0147, and CVE-2019-0148 in the following email.
The kernel team discussed for weeks how to deal with them. As a result of these discussions, we concluded to ignore them until Intel fixes issues, because:
- The descriptions of patches are not clear, and we cannot figure out what is right
- The patches we identified do not really look like fixing too serious stuff.
They all seemed to involve communication with the owner of a PCIe Virtual Function (VF). A VF might be assigned to a VM or privileged process. In Civil Infrastructure systems those should already be trusted and so the issues don't matter that much.
So far, we had the following AI, but we close this based on the above situation.
2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 needs to be backported to 4.4 - Kernel Team
[...]
Well, I found it quite easy to backport the applicable parts of the fixes. I already sent them along with some other fixes for the 4.14 and 4.9 branches, and could still do so for 4.4.
Ben.
-- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom
|
|
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Ben-san,
By this time, you may have already left from cip-dev, but I wanted to update our status.
We again discussed this, and Iwamatsu-san kindly took over this and created patches. In order to make sure that those patches appropriately address the issue, he is sending RFC to the Intel contributors.
Thanks again for your comments.
Also, I wanted to re-iterate my thankfulness to you for what you have done for CIP. I am really hoping your good luck in your new tasks.
Best regards, -- M. Kudo