DirtyPipe (CVE-2022-0847) fix for Proxmox VE

I can confirm too - Windows VM works again! Thanks for fast update. It was disaster... when all Windows machines stopped working.
 
Everything looks fine here too with the updated kernel, Windows VMs are running normally, and no more error logs.
@t.lamprecht thanks a lot for your quick response to address the bug !
 
I updated two Cluste-nodes to 5.13.19-5-pve #1 SMP PVE 5.13.19-12 this morning. One node (still) behaves normal. From the other node i got fencing-messages later this morning (mail-subject "FENCE: Try to fence node 'pve-06'"). I discovered that the node had a /var/log/syslog of roughly 164 GB in size and didn't respond anymore. Only Ubuntu-VMs on this node, NO Windows-VMs.

I updated and rebooted the node to 5.13.19-5-pve #1 SMP PVE 5.13.19-13 now. Everything seems fine again so far.

Code:
root@pve-06:/var/log# lscpu
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   46 bits physical, 48 bits virtual
CPU(s):                          48
On-line CPU(s) list:             0-47
Thread(s) per core:              2
Core(s) per socket:              12
Socket(s):                       2
NUMA node(s):                    2
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           63
Model name:                      Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
Stepping:                        2
CPU MHz:                         2500.000
CPU max MHz:                     2500.0000
CPU min MHz:                     1200.0000
BogoMIPS:                        4988.36
Virtualization:                  VT-x
L1d cache:                       768 KiB
L1i cache:                       768 KiB
L2 cache:                        6 MiB
L3 cache:                        60 MiB
NUMA node0 CPU(s):               0-11,24-35
NUMA node1 CPU(s):               12-23,36-47
Vulnerability Itlb multihit:     KVM: Mitigation: VMX disabled
Vulnerability L1tf:              Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe s
                                 yscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni p
                                 clmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt t
                                 sc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm cpuid_fault epb invpcid_single pti intel_ppin ssbd ibrs ibpb stib
                                 p tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm xsaveopt cqm_llc
                                 cqm_occup_llc dtherm arat pln pts md_clear flush_l1d
 
Great!

Both clusters with enterprise license are working fine:
  1. 2x Dell R720 - Intel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz - ZFS
  2. 4x HP DL385 G10+ - AMD EPYC 7452 32-Core Processor - HA, Ceph
Not a single issue on Windows hosts.

I've did not observed any of the issues you mentioned before on this machine:
Supermicro X9SCL/X9SCM - Intel(R) Xeon(R) CPU E3-1275 V2 @ 3.50GHz after upgrading from pve-no-subscription

Thanks for your support and quick responses.

Best regards,
Chema.
 
I can confirm pve-kernel-5.13.19-5-pve version 5.13.19-13 is having a good term with Windows KVM, including PCI passthrough (vfio-pci). Host is HP DL380 Gen 10 with Intel Xeon Scalable processors (Skylake). Thank you for the quick response.
 
Last edited:
Does the latest pve-kernel-5.13.19-6-pve version 5.13.19-14 (currently in pve-no-subscription) contain any improvements for CVE-2022-0847 from a security perspective?

No, those have nothing to do with the CVE-2022-0847 (Dirty Pipe) issue, that is fully fixed with the previous, aforementioned kernel version.
The newer ones are for CVE-2022-0001, a continuation from the Specter vulnerability that can also get mitigated by turning of eBPF for unpriv. users.
 
  • Like
Reactions: onlime
Hi, i've incurred same error

The package pve-kernel-5.13.19-5-pve needs to be reinstalled, but I can't find an archive for it.

tried to reinstall without success.
Thanks
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!