@t.lamprecht : Yesterday I updated to the newest kernel 5.15.19-2-pve after this bug.
With the newest kernel this issue is also not appearing.
With the newest kernel this issue is also not appearing.
DirtyPipe (CVE-2022-0847) fix for Proxmox VE
- Thread starter psuter
- Start date
Everything looks fine here too with the updated kernel, Windows VMs are running normally, and no more error logs.
@t.lamprecht thanks a lot for your quick response to address the bug !
@t.lamprecht thanks a lot for your quick response to address the bug !
I updated two Cluste-nodes to
I updated and rebooted the node to
5.13.19-5-pve #1 SMP PVE 5.13.19-12 this morning. One node (still) behaves normal. From the other node i got fencing-messages later this morning (mail-subject "FENCE: Try to fence node 'pve-06'"). I discovered that the node had a /var/log/syslog of roughly 164 GB in size and didn't respond anymore. Only Ubuntu-VMs on this node, NO Windows-VMs.I updated and rebooted the node to
5.13.19-5-pve #1 SMP PVE 5.13.19-13 now. Everything seems fine again so far.
Code:
root@pve-06:/var/log# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 46 bits physical, 48 bits virtual
CPU(s): 48
On-line CPU(s) list: 0-47
Thread(s) per core: 2
Core(s) per socket: 12
Socket(s): 2
NUMA node(s): 2
Vendor ID: GenuineIntel
CPU family: 6
Model: 63
Model name: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
Stepping: 2
CPU MHz: 2500.000
CPU max MHz: 2500.0000
CPU min MHz: 1200.0000
BogoMIPS: 4988.36
Virtualization: VT-x
L1d cache: 768 KiB
L1i cache: 768 KiB
L2 cache: 6 MiB
L3 cache: 60 MiB
NUMA node0 CPU(s): 0-11,24-35
NUMA node1 CPU(s): 12-23,36-47
Vulnerability Itlb multihit: KVM: Mitigation: VMX disabled
Vulnerability L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds: Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown: Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Srbds: Not affected
Vulnerability Tsx async abort: Not affected
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe s
yscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni p
clmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt t
sc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm cpuid_fault epb invpcid_single pti intel_ppin ssbd ibrs ibpb stib
p tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm xsaveopt cqm_llc
cqm_occup_llc dtherm arat pln pts md_clear flush_l1dFYI: Now both, the 5.13 and the 5.15 based kernel packages are also available on the
pve-enterprise repository.Great!
Both clusters with enterprise license are working fine:
I've did not observed any of the issues you mentioned before on this machine:
Supermicro X9SCL/X9SCM - Intel(R) Xeon(R) CPU E3-1275 V2 @ 3.50GHz after upgrading from pve-no-subscription
Thanks for your support and quick responses.
Best regards,
Chema.
Both clusters with enterprise license are working fine:
- 2x Dell R720 - Intel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz - ZFS
- 4x HP DL385 G10+ - AMD EPYC 7452 32-Core Processor - HA, Ceph
I've did not observed any of the issues you mentioned before on this machine:
Supermicro X9SCL/X9SCM - Intel(R) Xeon(R) CPU E3-1275 V2 @ 3.50GHz after upgrading from pve-no-subscription
Thanks for your support and quick responses.
Best regards,
Chema.
I can confirm
pve-kernel-5.13.19-5-pve version 5.13.19-13 is having a good term with Windows KVM, including PCI passthrough (vfio-pci). Host is HP DL380 Gen 10 with Intel Xeon Scalable processors (Skylake). Thank you for the quick response.
Last edited:
Hi,
I'm linking this here.
https://forum.proxmox.com/threads/systemd-logind-fail-to-connect-to-dbus.106174/
Last step may indicate that there's an issue with lxcfs.
Considering that pve-kernel has fuse built in, I think that it would make sense.
Does anyone have issues with LXC containers after upgrade?
I concluded, that this upgrade was not involved in the mentioned issue. Sorry.
Greetings,
Chema.
I'm linking this here.
https://forum.proxmox.com/threads/systemd-logind-fail-to-connect-to-dbus.106174/
Last step may indicate that there's an issue with lxcfs.
Considering that pve-kernel has fuse built in, I think that it would make sense.
Does anyone have issues with LXC containers after upgrade?
I concluded, that this upgrade was not involved in the mentioned issue. Sorry.
Greetings,
Chema.
Last edited:
Hi there,
Does the latest
Cheers, Philip
Does the latest
pve-kernel-5.13.19-6-pve version 5.13.19-14 (currently in pve-no-subscription) contain any improvements for CVE-2022-0847 from a security perspective?Cheers, Philip
No, those have nothing to do with the CVE-2022-0847 (Dirty Pipe) issue, that is fully fixed with the previous, aforementioned kernel version.
The newer ones are for CVE-2022-0001, a continuation from the Specter vulnerability that can also get mitigated by turning of eBPF for unpriv. users.
Hi, i've incurred same error
The package pve-kernel-5.13.19-5-pve needs to be reinstalled, but I can't find an archive for it.
tried to reinstall without success.
Thanks
The package pve-kernel-5.13.19-5-pve needs to be reinstalled, but I can't find an archive for it.
tried to reinstall without success.
Thanks
There's no need for that as the problem got only introduced with the 5.8 kernel.