[cip-dev] Backporting of security patches for Intel i40e drivers required?

[cip-dev] Backporting of security patches for Intel i40e drivers required?

[masashi.kudo]

[-- Attachment #1: Type: text/plain, Size: 662 bytes --]

Hi, Jan-san, All,

At the IRC meeting today, we identified the following new CVEs are not in LTS4.4 yet.

- CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for mainline and 4.19+

These are for i40e driver for Intel.

The kernel team would like to know whether their backporting is needed or not.

For details of those CVE checking results, please see the following.
https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/75/diffs

Regarding the discussion of the IRC meeting, please see the following.
https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.00.log.html

Best regards,
--
M. Kudo

[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5514): https://lists.cip-project.org/g/cip-dev/message/5514
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[Nobuhiro Iwamatsu]

[-- Attachment #1: Type: text/plain, Size: 2709 bytes --]

Hi,

I have some comment for this issue.
  https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
  https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandeburg@intel.com/

There are multiple patches fixed for 4.19, which can be separated by feature.

 - i40e: add num_vectors checker in iwarp handler

     This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver").
     e3219ce6a7754 is not included in 4.4.y and can be ignored.

 - i40e: Wrong truncation from u16 to u8
   This can be apply in 4.4.y.

 - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c

   This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter").
   It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied.

--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct
i40e_vf *vf, u16 vsi_id)
  * check for the valid queue id
  **/
 static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
-                        u8 qid)
+                        u16 qid)
 {
     struct i40e_pf *pf = vf->pf;
     struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);


 - i40e: Memory leak in i40e_config_iwarp_qvlist
   This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver").
   e3219ce6a7754 is not included in 4.4.y and can be ignored.

Best regards,
  Nobuhiro

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of
> masashi.kudo@cybertrust.co.jp
> Sent: Thursday, October 8, 2020 6:43 PM
> To: cip-dev@lists.cip-project.org
> Cc: jan.kiszka@siemens.com
> Subject: [cip-dev] Backporting of security patches for Intel i40e drivers required?
> 
> Hi, Jan-san, All,
> 
> At the IRC meeting today, we identified the following new CVEs are not in LTS4.4 yet.
> 
> - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for mainline and 4.19+
> 
> These are for i40e driver for Intel.
> 
> The kernel team would like to know whether their backporting is needed or not.
> 
> For details of those CVE checking results, please see the following.
> https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/75/diffs
> 
> Regarding the discussion of the IRC meeting, please see the following.
> https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.00.log.html
> 
> Best regards,
> --
> M. Kudo

[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5515): https://lists.cip-project.org/g/cip-dev/message/5515
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 3036 bytes --]

Hi all,

given the exposure of such a device but also the fact that I can't tell
for sure if/where it's used (not only by us), I would recommend backporting.

Jan

On 09.10.20 02:23, nobuhiro1.iwamatsu@toshiba.co.jp wrote:
> Hi,
> 
> I have some comment for this issue.
>   https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
>   https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandeburg@intel.com/
> 
> There are multiple patches fixed for 4.19, which can be separated by feature.
> 
>  - i40e: add num_vectors checker in iwarp handler
> 
>      This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver").
>      e3219ce6a7754 is not included in 4.4.y and can be ignored.
> 
>  - i40e: Wrong truncation from u16 to u8
>    This can be apply in 4.4.y.
> 
>  - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
> 
>    This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter").
>    It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied.
> 
> --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
> +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
> @@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct
> i40e_vf *vf, u16 vsi_id)
>   * check for the valid queue id
>   **/
>  static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
> -                        u8 qid)
> +                        u16 qid)
>  {
>      struct i40e_pf *pf = vf->pf;
>      struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
> 
> 
>  - i40e: Memory leak in i40e_config_iwarp_qvlist
>    This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver").
>    e3219ce6a7754 is not included in 4.4.y and can be ignored.
> 
> Best regards,
>   Nobuhiro
> 
>> -----Original Message-----
>> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of
>> masashi.kudo@cybertrust.co.jp
>> Sent: Thursday, October 8, 2020 6:43 PM
>> To: cip-dev@lists.cip-project.org
>> Cc: jan.kiszka@siemens.com
>> Subject: [cip-dev] Backporting of security patches for Intel i40e drivers required?
>>
>> Hi, Jan-san, All,
>>
>> At the IRC meeting today, we identified the following new CVEs are not in LTS4.4 yet.
>>
>> - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for mainline and 4.19+
>>
>> These are for i40e driver for Intel.
>>
>> The kernel team would like to know whether their backporting is needed or not.
>>
>> For details of those CVE checking results, please see the following.
>> https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/75/diffs
>>
>> Regarding the discussion of the IRC meeting, please see the following.
>> https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.00.log.html
>>
>> Best regards,
>> --
>> M. Kudo

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5516): https://lists.cip-project.org/g/cip-dev/message/5516
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[masashi.kudo]

[-- Attachment #1: Type: text/plain, Size: 3740 bytes --]

Hi, Jan-san,

Thanks for your response.

Best regards,
--
M. Kudo

> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
> Jan Kiszka
> Sent: Friday, October 9, 2020 4:24 PM
> To: nobuhiro1.iwamatsu@toshiba.co.jp; cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] Backporting of security patches for Intel i40e drivers
> required?
> 
> Hi all,
> 
> given the exposure of such a device but also the fact that I can't tell for sure
> if/where it's used (not only by us), I would recommend backporting.
> 
> Jan
> 
> On 09.10.20 02:23, nobuhiro1.iwamatsu@toshiba.co.jp wrote:
> > Hi,
> >
> > I have some comment for this issue.
> >
> https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021
> 006.html
> >
> > https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandebu
> > rg@intel.com/
> >
> > There are multiple patches fixed for 4.19, which can be separated by feature.
> >
> >  - i40e: add num_vectors checker in iwarp handler
> >
> >      This issue has been produced by e3219ce6a7754 ("i40e: Add support for
> client interface for IWARP driver").
> >      e3219ce6a7754 is not included in 4.4.y and can be ignored.
> >
> >  - i40e: Wrong truncation from u16 to u8
> >    This can be apply in 4.4.y.
> >
> >  - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
> >
> >    This issue has been produced by e284fc280473b ("i40e: Add and delete
> cloud filter").
> >    It is not included in 4.4.y. However, this patch has several different fixes, so
> some patches need to be applied.
> >
> > --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
> > +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
> > @@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct
> > i40e_vf *vf, u16 vsi_id)
> >   * check for the valid queue id
> >   **/
> >  static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
> > -                        u8 qid)
> > +                        u16 qid)
> >  {
> >      struct i40e_pf *pf = vf->pf;
> >      struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
> >
> >
> >  - i40e: Memory leak in i40e_config_iwarp_qvlist
> >    This issue has been produced by e3219ce6a7754 ("i40e: Add support for
> client interface for IWARP driver").
> >    e3219ce6a7754 is not included in 4.4.y and can be ignored.
> >
> > Best regards,
> >   Nobuhiro
> >
> >> -----Original Message-----
> >> From: cip-dev@lists.cip-project.org
> >> [mailto:cip-dev@lists.cip-project.org] On Behalf Of
> >> masashi.kudo@cybertrust.co.jp
> >> Sent: Thursday, October 8, 2020 6:43 PM
> >> To: cip-dev@lists.cip-project.org
> >> Cc: jan.kiszka@siemens.com
> >> Subject: [cip-dev] Backporting of security patches for Intel i40e drivers
> required?
> >>
> >> Hi, Jan-san, All,
> >>
> >> At the IRC meeting today, we identified the following new CVEs are not in
> LTS4.4 yet.
> >>
> >> - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for
> >> mainline and 4.19+
> >>
> >> These are for i40e driver for Intel.
> >>
> >> The kernel team would like to know whether their backporting is needed or
> not.
> >>
> >> For details of those CVE checking results, please see the following.
> >> https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requ
> >> ests/75/diffs
> >>
> >> Regarding the discussion of the IRC meeting, please see the following.
> >> https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.0
> >> 0.log.html
> >>
> >> Best regards,
> >> --
> >> M. Kudo
> 
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5518): https://lists.cip-project.org/g/cip-dev/message/5518
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[Pavel Machek]

[-- Attachment #1.1: Type: text/plain, Size: 1441 bytes --]

Hi!

> given the exposure of such a device but also the fact that I can't tell
> for sure if/where it's used (not only by us), I would recommend backporting.

> > There are multiple patches fixed for 4.19, which can be separated by feature.
> > 
> >  - i40e: add num_vectors checker in iwarp handler
> > 
> >      This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver").
> >      e3219ce6a7754 is not included in 4.4.y and can be ignored.

It is interesting this one is listed in both CVE-145, CVE-147 in
cip-kernel-sec. Is that an error?

> >  - i40e: Wrong truncation from u16 to u8
> >    This can be apply in 4.4.y.
> > 
> >  - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
> > 
> >    This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter").
> >    It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied.

I see also

- i40e: Set RX_ONLY mode for unicast promiscuous on VLAN

which apparently allows people to listen to packets they should not
see. But I assume this requires elevated priviledges to begin with...

Best regards,
                                                                Pavel
--
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5577): https://lists.cip-project.org/g/cip-dev/message/5577
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[Chen-Yu Tsai (Moxa)]

[-- Attachment #1: Type: text/plain, Size: 1918 bytes --]

On Wed, Oct 14, 2020 at 10:14 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > given the exposure of such a device but also the fact that I can't tell
> > for sure if/where it's used (not only by us), I would recommend backporting.
>
> > > There are multiple patches fixed for 4.19, which can be separated by feature.
> > >
> > >  - i40e: add num_vectors checker in iwarp handler
> > >
> > >      This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver").
> > >      e3219ce6a7754 is not included in 4.4.y and can be ignored.
>
> It is interesting this one is listed in both CVE-145, CVE-147 in
> cip-kernel-sec. Is that an error?

Given that Intel's security notice did not state which patches fixed which
issues, nor which commits caused them, I tried to guess which patch fixed
which issue, based solely on their descriptions. Then I looked at the history
of the driver to see which commit the patches fixed.

Grouping by feature is probably a better way to determine if the backport
is required or not.

ChenYu

> > >  - i40e: Wrong truncation from u16 to u8
> > >    This can be apply in 4.4.y.
> > >
> > >  - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
> > >
> > >    This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter").
> > >    It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied.
>
> I see also
>
> - i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
>
> which apparently allows people to listen to packets they should not
> see. But I assume this requires elevated priviledges to begin with...
>
> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>

[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5578): https://lists.cip-project.org/g/cip-dev/message/5578
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[masashi.kudo]

[-- Attachment #1: Type: text/plain, Size: 4328 bytes --]

Hi, 

The other day, I inquired about CVE-2019-0145, CVE-2019-0147, and CVE-2019-0148 in the following email.

The kernel team discussed for weeks how to deal with them.
As a result of these discussions, we concluded to ignore them until Intel fixes issues, because:
 - The descriptions of patches are not clear, and we cannot figure out what is right
 - The patches we identified do not really look like fixing too serious stuff.

So far, we had the following AI, but we close this based on the above situation.

2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 needs to be backported to 4.4 - Kernel Team

Best regards,
--
M. Kudo

> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
> Jan Kiszka
> Sent: Friday, October 9, 2020 4:24 PM
> To: nobuhiro1.iwamatsu@toshiba.co.jp; cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] Backporting of security patches for Intel i40e drivers
> required?
> 
> Hi all,
> 
> given the exposure of such a device but also the fact that I can't tell for sure
> if/where it's used (not only by us), I would recommend backporting.
> 
> Jan
> 
> On 09.10.20 02:23, nobuhiro1.iwamatsu@toshiba.co.jp wrote:
> > Hi,
> >
> > I have some comment for this issue.
> >
> https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021
> 006.html
> >
> > https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandebu
> > rg@intel.com/
> >
> > There are multiple patches fixed for 4.19, which can be separated by feature.
> >
> >  - i40e: add num_vectors checker in iwarp handler
> >
> >      This issue has been produced by e3219ce6a7754 ("i40e: Add support for
> client interface for IWARP driver").
> >      e3219ce6a7754 is not included in 4.4.y and can be ignored.
> >
> >  - i40e: Wrong truncation from u16 to u8
> >    This can be apply in 4.4.y.
> >
> >  - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
> >
> >    This issue has been produced by e284fc280473b ("i40e: Add and delete
> cloud filter").
> >    It is not included in 4.4.y. However, this patch has several different fixes, so
> some patches need to be applied.
> >
> > --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
> > +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
> > @@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct
> > i40e_vf *vf, u16 vsi_id)
> >   * check for the valid queue id
> >   **/
> >  static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
> > -                        u8 qid)
> > +                        u16 qid)
> >  {
> >      struct i40e_pf *pf = vf->pf;
> >      struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
> >
> >
> >  - i40e: Memory leak in i40e_config_iwarp_qvlist
> >    This issue has been produced by e3219ce6a7754 ("i40e: Add support for
> client interface for IWARP driver").
> >    e3219ce6a7754 is not included in 4.4.y and can be ignored.
> >
> > Best regards,
> >   Nobuhiro
> >
> >> -----Original Message-----
> >> From: cip-dev@lists.cip-project.org
> >> [mailto:cip-dev@lists.cip-project.org] On Behalf Of
> >> masashi.kudo@cybertrust.co.jp
> >> Sent: Thursday, October 8, 2020 6:43 PM
> >> To: cip-dev@lists.cip-project.org
> >> Cc: jan.kiszka@siemens.com
> >> Subject: [cip-dev] Backporting of security patches for Intel i40e drivers
> required?
> >>
> >> Hi, Jan-san, All,
> >>
> >> At the IRC meeting today, we identified the following new CVEs are not in
> LTS4.4 yet.
> >>
> >> - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for
> >> mainline and 4.19+
> >>
> >> These are for i40e driver for Intel.
> >>
> >> The kernel team would like to know whether their backporting is needed or
> not.
> >>
> >> For details of those CVE checking results, please see the following.
> >> https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requ
> >> ests/75/diffs
> >>
> >> Regarding the discussion of the IRC meeting, please see the following.
> >> https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.0
> >> 0.log.html
> >>
> >> Best regards,
> >> --
> >> M. Kudo
> 
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5790): https://lists.cip-project.org/g/cip-dev/message/5790
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1386 bytes --]

On Wed, 2020-11-11 at 13:18 +0000, masashi.kudo@cybertrust.co.jp wrote:
> Hi, 
> 
> The other day, I inquired about CVE-2019-0145, CVE-2019-0147, and CVE-2019-0148 in the following email.
> 
> The kernel team discussed for weeks how to deal with them.
> As a result of these discussions, we concluded to ignore them until Intel fixes issues, because:
>  - The descriptions of patches are not clear, and we cannot figure out what is right
>  - The patches we identified do not really look like fixing too serious stuff.

They all seemed to involve communication with the owner of a PCIe
Virtual Function (VF).  A VF might be assigned to a VM or privileged
process.  In Civil Infrastructure systems those should already be
trusted and so the issues don't matter that much.

> So far, we had the following AI, but we close this based on the above situation.
> 
> 2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 needs to be backported to 4.4 - Kernel Team
[...]

Well, I found it quite easy to backport the applicable parts of the
fixes.  I already sent them along with some other fixes for the 4.14
and 4.9 branches, and could still do so for 4.4.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom


[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5791): https://lists.cip-project.org/g/cip-dev/message/5791
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] Backporting of security patches for Intel i40e drivers required?

[masashi.kudo]

[-- Attachment #1: Type: text/plain, Size: 2383 bytes --]

Hi, Ben-san,

By this time, you may have already left from cip-dev, but I wanted to update our status.

We again discussed this, and Iwamatsu-san kindly took over this and created patches.
In order to make sure that those patches appropriately address the issue, he is sending
RFC to the Intel contributors.

Thanks again for your comments.

Also, I wanted to re-iterate my thankfulness to you for what you have done for CIP.
I am really hoping your good luck in your new tasks.

Best regards,
--
M. Kudo

> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
> Ben Hutchings
> Sent: Thursday, November 12, 2020 5:50 AM
> To: cip-dev@lists.cip-project.org; nobuhiro1.iwamatsu@toshiba.co.jp;
> jan.kiszka@siemens.com
> Subject: Re: [cip-dev] Backporting of security patches for Intel i40e drivers
> required?
> 
> On Wed, 2020-11-11 at 13:18 +0000, masashi.kudo@cybertrust.co.jp wrote:
> > Hi,
> >
> > The other day, I inquired about CVE-2019-0145, CVE-2019-0147, and
> CVE-2019-0148 in the following email.
> >
> > The kernel team discussed for weeks how to deal with them.
> > As a result of these discussions, we concluded to ignore them until Intel fixes
> issues, because:
> >  - The descriptions of patches are not clear, and we cannot figure out
> > what is right
> >  - The patches we identified do not really look like fixing too serious stuff.
> 
> They all seemed to involve communication with the owner of a PCIe Virtual
> Function (VF).  A VF might be assigned to a VM or privileged process.  In Civil
> Infrastructure systems those should already be trusted and so the issues don't
> matter that much.
> 
> > So far, we had the following AI, but we close this based on the above situation.
> >
> > 2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 needs to
> > be backported to 4.4 - Kernel Team
> [...]
> 
> Well, I found it quite easy to backport the applicable parts of the fixes.  I already
> sent them along with some other fixes for the 4.14 and 4.9 branches, and could
> still do so for 4.4.
> 
> Ben.
> 
> --
> Ben Hutchings, Software Developer                         Codethink Ltd
> https://www.codethink.co.uk/                 Dale House, 35 Dale Street
>                                      Manchester, M1 2HF, United Kingdom


[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5797): https://lists.cip-project.org/g/cip-dev/message/5797
Mute This Topic: https://lists.cip-project.org/mt/77380165/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-