Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory

Message

eccerr0r · Post by **eccerr0r** » Mon Jan 08, 2018 4:54 am

BTW, whoever can change the topic from "Meltdown/Spectre: Kernel Memory Leaking":

memory leak sort of means something ("malloc without free").

private memory content leakage or unauthorized memory read may mean something else...

just saying (yeah, I hate this term too, but I think it's well deserved for this topic.)

gengreen · Post by **gengreen** » Mon Jan 08, 2018 5:02 am

Last firmware 20171117_p20171215-r1

Code: Select all

[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[    2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

Look better today, but still unable to known if I'm still vulnerable by meltdown

6 month they are aware of the problem and yet not capable to give a proper patch...

Naib · Post by **Naib** » Mon Jan 08, 2018 7:49 am

gengreen wrote:Last firmware 20171117_p20171215-r1
Code: Select all
[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[    2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
Look better today, but still unable to known if I'm still vulnerable by meltdown

6 month they are aware of the problem and yet not capable to give a proper patch...

For meltdown you need a patched kernel (grep secure /proc/cpuinfo)
For spectre you need gcc,kernel patching plus microcode for intel (gcc + kernel only for amd)

Wallsandfences · Post by **Wallsandfences** » Mon Jan 08, 2018 8:15 am

What am I missing? There wasn't a new gcc in the last few days??

Naib · Post by **Naib** » Mon Jan 08, 2018 9:46 am

Wallsandfences wrote:What am I missing? There wasn't a new gcc in the last few days??

its not out yet... Spectre isn't resolved yet...

Post by **NeddySeagoon** » Mon Jan 08, 2018 10:14 am

That will be another

Code: Select all

emerge -e @world

when the new gcc is out.

Naib · Post by **Naib** » Mon Jan 08, 2018 10:45 am

NeddySeagoon wrote:That will be another
Code: Select all
emerge -e @world
when the new gcc is out.

Will it? or will it just be the kernel? I would have thought it would just be the kernel that needs to be rebuild with the new speculative branching mitigation (ie poisoning it)

luiztux · Post by **luiztux** » Mon Jan 08, 2018 11:02 am

GCC 8 patch for Spectre...

EasterParade · Post by **EasterParade** » Mon Jan 08, 2018 11:22 am

Got patched kernel and updated microcode

Code: Select all

[    0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
[    0.000000] Linux version 4.14.11-gentoo-r2 (root@aldebaran) (gcc version 6.4.0 (Gentoo 6.4.0 p1.1)) #2 SMP Sun Jan 7 10:09:37 CET 2018

I still see this:

Code: Select all

grep secure /proc/cpuinfo
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure

Or is the patch in 4.14.11-r2 not complete yet?

Naib · Post by **Naib** » Mon Jan 08, 2018 11:24 am

transsib wrote:Got patched kernel and updated microcode

Code: Select all

[    0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
[    0.000000] Linux version 4.14.11-gentoo-r2 (root@aldebaran) (gcc version 6.4.0 (Gentoo 6.4.0 p1.1)) #2 SMP Sun Jan 7 10:09:37 CET 2018

I still see this:

Code: Select all

grep secure /proc/cpuinfo
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure

Or is the patch in 4.14.11-r2 not complete yet?

you will see that, that is just a verbose note that your CPU is classified as insecure. dmesg | grep -i isolation should indicate whether the page table isolation is loaded

mv · Post by mv » Mon Jan 08, 2018 11:25 am

Naib wrote:Will it? or will it just be the kernel?

Every program/library is vulnerable until recompiled with a gcc which has a corresponidng patch.

PrSo · Post by **PrSo** » Mon Jan 08, 2018 11:26 am

Naib wrote:
NeddySeagoon wrote:That will be another
Code: Select all
emerge -e @world
when the new gcc is out.
Will it? or will it just be the kernel? I would have thought it would just be the kernel that needs to be rebuild with the new speculative branching mitigation (ie poisoning it)

IMHO it is needed for Spectre v2 to recompile everything, but I am not sure about Spectre v1 tho:

https://security.googleblog.com/2018/01 ... cpu_4.html

transpetaflops · Post by **transpetaflops** » Mon Jan 08, 2018 11:47 am

gengreen wrote:Last firmware 20171117_p20171215-r1
Code: Select all
[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[    2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
Look better today, but still unable to known if I'm still vulnerable by meltdown

6 month they are aware of the problem and yet not capable to give a proper patch...

What is the source of these new microcode files? On Intel's website I can only find the original microcode file from 20171117 and none of the updated ones.
https://downloadcenter.intel.com/download/27337

Wallsandfences · Post by **Wallsandfences** » Mon Jan 08, 2018 11:51 am

I can confirm that the microcode works on meltdown for skylake u/y

Code: Select all

0x000406e3

krinn · Post by **krinn** » Mon Jan 08, 2018 11:53 am

google guys:
- "hey, we had rumour krinn is about to switch to profile 17.0"
- "ok release spectre and meldown papers to delay him more!"

Wallsandfences · Post by **Wallsandfences** » Mon Jan 08, 2018 12:12 pm

Wallsandfences wrote:I can confirm that the microcode works on meltdown for skylake u/y
Code: Select all
0x000406e3

Oops, on the next reboot it's gone. I can only speculate, since I updated my bios (intel nuc) and its revision is January the 3rd, that it got new microcode from bios now, skipping the early microcode patching.

R.

PrSo · Post by **PrSo** » Mon Jan 08, 2018 12:33 pm

This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker

It checks if any of the mitigations were applied.

On AMD apu , kernel 4.14.12-gentoo, without KPTI enabled in kernel config:

Code: Select all

sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.13

Checking vulnerabilities against Linux 4.14.12-gentoo #1 SMP Sun Jan 7 17:54:49 CET 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 23 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpolines:  NO 
> STATUS:  NOT VULNERABLE  (your CPU is not vulnerable as per the vendor)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU is not vulnerable as per the vendor)

krinn · Post by **krinn** » Mon Jan 08, 2018 12:36 pm

latest microcode will be mark stable in a few, you can get it there if you don't want wait :
https://gitweb.gentoo.org/repo/gentoo.g ... 80a1a31b5e

Naib · Post by **Naib** » Mon Jan 08, 2018 12:41 pm

krinn wrote:latest microcode will be mark stable in a few, you can get it there if you don't want wait :
https://gitweb.gentoo.org/repo/gentoo.g ... 80a1a31b5e

Thats not new enough. That is Intels microcode from nov 2017... they have not made avail microcode for spectre ( well maybe to vendors for BIOS updates)

krinn · Post by **krinn** » Mon Jan 08, 2018 12:44 pm

it's all we have for now, and i didn't myself check, but it's possible that a nov2017 update is indeed the fix.
spectre has been release to public jan2018, it doesn't mean intel has discover the issue that day

and "not quiet sure", but i think devs have find and report the flaw in feb or march 2017.

at least from https://wiki.gentoo.org/wiki/Project:Se ... nd_Spectre

cpu:Haswell cpuid: 000306C3 rev need: 0x23

and i have

>cpuid -1 | grep serial | tail -n1 | awk '{print $4}' | cut -d\- -f1,2 | sed 's/-//g'
000306C3
>iucode_tool -S -l /lib/firmware/intel-ucode/*
049/001: sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552

Naib · Post by **Naib** » Mon Jan 08, 2018 1:01 pm

Except...

Intel's PR release on 4th Jan: https://newsroom.intel.com/news-release ... -exploits/

Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

Now the nov2017 update may have covered "products introduced within the past five years" as the press statement didn't actually state when that occured

mike155 · Post by **mike155** » Mon Jan 08, 2018 1:20 pm

PrSo wrote:This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker

This tool is pretty good! Thanks for sharing this. I'm especially glad it's only a shell script - and not a sophisticated C program. So I can see easily what it does.

I just executed it on a newly updated RHEL 7 server. It looks like they already have implemented LFENCE and IBRS in the kernel - here is the output:

Code: Select all

Spectre and Meltdown mitigation detection tool v0.13

Checking vulnerabilities against Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  YES  (112 opcodes found, which is >= 70)
> STATUS:  NOT VULNERABLE 

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  YES 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpolines:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

EasterParade · Post by **EasterParade** » Mon Jan 08, 2018 1:23 pm

( well maybe to vendors for BIOS updates)

not holding breath; no UEFI update available since 2015 for this system (ASUS).
Broadwell systems have had updates only this year though.

Ant P. · Post by **Ant P.** » Mon Jan 08, 2018 1:27 pm

PrSo wrote:This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker

It checks if any of the mitigations were applied.

On AMD apu , kernel 4.14.12-gentoo, without KPTI enabled in kernel config:
Code: Select all
sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.13

Checking vulnerabilities against Linux 4.14.12-gentoo #1 SMP Sun Jan 7 17:54:49 CET 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 23 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 

I wonder if that's a side effect of Gentoo kernels not compiling in thousands of useless drivers. Maybe we're fine there.

khayyam · Post by **khayyam** » Mon Jan 08, 2018 1:47 pm

Add Snapdragon SoC to the list: Qualcomm Joins The CPU Affected List.