Mailing List Archive

hardened-sources wrt CVE-2014-3153 and CVE-2014-0196
Hi everyone,

This is one of those rare situations where there are enough serious bugs
against the kernel that we may have to rapid stabilize
hardened-sources-3.2.59-r5 and 3.14.5-r2. These are currently marked ~
because I need feedback from users. So please try to upgrade to either
one (3.2 is preferred for mission critical) and give me feedback. The
only caution is do not enable KSTACKOVERFLOW, a new option which is known
to cause panics, e.g. with a virtio iface.

Within the next few days I will mark those stable if they pass. And a
few days later I will start to prune the older stables that are
susceptible to 3153.

A note on what ~ means. ~ does not mean "unstable". I know that we say
a package on an arch is "stable" when we remove the ~, but adding the ~
doesn't make it "unstable". It means it is of an unknown state. So
please read ~ as "test me!" The kernel is unlike most packages in that
it is vast and at any given time has dozens of bugs or other problems.
You'll never have a perfect kernel, only one that is "good enough". I
will only know it's "good enough" if you don't complain. And you
complain via bugs, so that when my spider senses suggest it's time for a
new kernel, I look through the bugs and see which one is "good enough".

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: hardened-sources wrt CVE-2014-3153 and CVE-2014-0196
Hi!

Not sure if this is a "bug", so I'll reply here: 3.14.5-r2 is not compatible
with the latest stable nvidia-drivers, but it looks like it works with ~ 337.25.
So it may make sense to stabilise both at the same time.

--
WBR, Alex.
Re: hardened-sources wrt CVE-2014-3153 and CVE-2014-0196
On 2014 June 7 (Sat) at 15:07, Anthony G. Basile wrote:
> This is one of those rare situations where there are enough serious bugs
> against the kernel that we may have to rapid stabilize
> hardened-sources-3.2.59-r5 and 3.14.5-r2. These are currently marked ~
> because I need feedback from users. So please try to upgrade to either
> one (3.2 is preferred for mission critical) and give me feedback. The
> only caution is do not enable KSTACKOVERFLOW, a new option which is known
> to cause panics, e.g. with a virtio iface.

I'm running hardened-sources-3.14.5 since Tuesday, and rebooted into
hardened-sources-3.14.5-r2 on Saturday. I kept KSTACKOVERFLOW enabled for
both kernels and experienced no crashes so far on two systems.

Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
Re: hardened-sources wrt CVE-2014-3153 and CVE-2014-0196
On 06/07/14 17:51, "Tóth Attila" wrote:
> On 2014 June 7 (Sat) at 15:07, Anthony G. Basile wrote:
>> This is one of those rare situations where there are enough serious bugs
>> against the kernel that we may have to rapid stabilize
>> hardened-sources-3.2.59-r5 and 3.14.5-r2. These are currently marked ~
>> because I need feedback from users. So please try to upgrade to either
>> one (3.2 is preferred for mission critical) and give me feedback. The
>> only caution is do not enable KSTACKOVERFLOW, a new option which is known
>> to cause panics, e.g. with a virtio iface.
>
> I'm running hardened-sources-3.14.5 since Tuesday, and rebooted into
> hardened-sources-3.14.5-r2 on Saturday. I kept KSTACKOVERFLOW enabled for
> both kernels and experienced no crashes so far on two systems.
>
> Dw.
>

You can try KSTACKOVERFLOW. When I hit the issue with virtio iface, it
panicked as soon as the init scripts brought it up. When I switched to
e1000 it worked fine.

So if it works with your devices you're probably safe. Still, if you're
running some mission critical stuff, don't use it just in case.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: hardened-sources wrt CVE-2014-3153 and CVE-2014-0196
On Sat, 07 Jun 2014 09:07:23 -0400
"Anthony G. Basile" <basile@opensource.dyc.edu> writes:

> Hi everyone,
>
> This is one of those rare situations where there are enough serious
> bugs against the kernel that we may have to rapid stabilize
> hardened-sources-3.2.59-r5 and 3.14.5-r2. These are currently marked
> ~ because I need feedback from users. So please try to upgrade to
> either one (3.2 is preferred for mission critical) and give me
> feedback. The only caution is do not enable KSTACKOVERFLOW, a new
> option which is known to cause panics, e.g. with a virtio iface.

Hello,

3.14.5-r2 with KSTACKOVERFLOW disabled works fine on several tested
systems.

3.14.5-r2 with KSTACKOVERFLOW enabled:
- old Pentium D based system works fine;
- KVM VMs with a realtek network interface work fine;
- on a modern Opteron 43xx based system I see many errors in dmesg:
"kernel: AMD-Vi: Completion-Wait loop timed out" and experience
slowdowns;
- KVM VMs with a virtio network interface crash completely without any
error messages

--
Alexander Tsoy
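The reports above converge on one risky combination: KSTACKOVERFLOW enabled on a guest that uses a virtio network device. The script below is an added example, not code from the thread or from the hardened-sources project, for checking a host for exactly that combination before rebooting into a new kernel. It assumes the Kconfig symbol is spelled CONFIG_GRKERNSEC_KSTACKOVERFLOW (the thread only says "KSTACKOVERFLOW") and that the kernel config is available as a plain-text file such as /boot/config-$(uname -r) or a zcat of /proc/config.gz; the sample sysfs tree and config fragments it builds are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): flag the combination reported as
# crashing, KSTACKOVERFLOW enabled together with a virtio network device.
# The Kconfig symbol CONFIG_GRKERNSEC_KSTACKOVERFLOW is an assumption.

# kstackoverflow_enabled CONFIG_FILE
#   Return 0 if the plain-text kernel config has the option set to y.
kstackoverflow_enabled() {
    grep -q '^CONFIG_GRKERNSEC_KSTACKOVERFLOW=y$' "$1"
}

# net_drivers [SYSFS_NET_ROOT]
#   Print the driver bound to each network interface, one per line.
#   Defaults to the live /sys/class/net; a fake root can be given for tests.
net_drivers() {
    root="${1:-/sys/class/net}"
    for iface in "$root"/*; do
        [ -e "$iface/device/driver" ] || continue   # lo and friends have none
        basename "$(readlink "$iface/device/driver")"
    done
}

# kstackoverflow_risk CONFIG_FILE [SYSFS_NET_ROOT]
#   Print a verdict. Return 1 when KSTACKOVERFLOW is on and a virtio NIC is
#   present (the crash reported in the thread), 0 otherwise.
kstackoverflow_risk() {
    cfg="$1"; root="${2:-/sys/class/net}"
    if ! kstackoverflow_enabled "$cfg"; then
        echo "KSTACKOVERFLOW disabled: nothing to check"
        return 0
    fi
    if net_drivers "$root" | grep -q '^virtio'; then
        echo "RISK: KSTACKOVERFLOW enabled with a virtio network device"
        return 1
    fi
    echo "KSTACKOVERFLOW enabled, no virtio network device found"
    return 0
}

# Constructed sample data so the script runs offline: a fake sysfs tree with
# one virtio NIC and one e1000 NIC, plus two kernel config fragments.
demo=$(mktemp -d)
mkdir -p "$demo/drivers/virtio_net" "$demo/drivers/e1000"
mkdir -p "$demo/net/eth0/device" "$demo/net/eth1/device"
ln -s "$demo/drivers/virtio_net" "$demo/net/eth0/device/driver"
ln -s "$demo/drivers/e1000" "$demo/net/eth1/device/driver"
printf 'CONFIG_GRKERNSEC=y\nCONFIG_GRKERNSEC_KSTACKOVERFLOW=y\n' > "$demo/config-on"
printf 'CONFIG_GRKERNSEC=y\n# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set\n' > "$demo/config-off"

kstackoverflow_risk "$demo/config-on" "$demo/net" || echo "  (exit status $?)"
kstackoverflow_risk "$demo/config-off" "$demo/net" || echo "  (exit status $?)"
rm -rf "$demo"
```

On a real host, call `kstackoverflow_risk /boot/config-$(uname -r)` with no second argument so the live /sys/class/net is read. The driver check looks at what the interface is actually bound to rather than at loaded modules, so a virtio_net built into the kernel is still caught.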