Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory

562 posts, Page 4 of 23
Naib
Watchman
Posts: 6101
Joined: Fri May 21, 2004 9:42 pm
Location: Removed by Neddy

Post by Naib » Fri Jan 05, 2018 12:50 am

I just tried it on my patched BUT disabled system...


 ./a.out 
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfee18... Success: 0x54=’T’ score=2 
Reading at malicious_x = 0xffffffffffdfee19... Success: 0x68=’h’ score=2 
Reading at malicious_x = 0xffffffffffdfee1a... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee1b... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee1c... Success: 0x4D=’M’ score=2 
Reading at malicious_x = 0xffffffffffdfee1d... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee1e... Success: 0x67=’g’ score=2 
Reading at malicious_x = 0xffffffffffdfee1f... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee20... Success: 0x63=’c’ score=2 
Reading at malicious_x = 0xffffffffffdfee21... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee22... Success: 0x57=’W’ score=2 
Reading at malicious_x = 0xffffffffffdfee23... Success: 0x6F=’o’ score=2 
Reading at malicious_x = 0xffffffffffdfee24... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee25... Success: 0x64=’d’ score=2 
Reading at malicious_x = 0xffffffffffdfee26... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee27... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee28... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee29... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee2a... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee2b... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee2c... Success: 0x53=’S’ score=2 
Reading at malicious_x = 0xffffffffffdfee2d... Success: 0x71=’q’ score=2 
Reading at malicious_x = 0xffffffffffdfee2e... Success: 0x75=’u’ score=2 
Reading at malicious_x = 0xffffffffffdfee2f... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee30... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee31... Success: 0x6D=’m’ score=2 
Reading at malicious_x = 0xffffffffffdfee32... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee33... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee34... Success: 0x68=’h’ score=2 
Reading at malicious_x = 0xffffffffffdfee35... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee36... Success: 0x4F=’O’ score=2 
Reading at malicious_x = 0xffffffffffdfee37... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee38... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee39... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee3a... Success: 0x66=’f’ score=2 
Reading at malicious_x = 0xffffffffffdfee3b... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee3c... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee3d... Success: 0x67=’g’ score=2 
Reading at malicious_x = 0xffffffffffdfee3e... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee3f... Success: 0x2E=’.’ score=2 
This is a Ryzen setup and AMD states that this arch is susceptible to variant 1
Last edited by Naib on Fri Jan 05, 2018 12:55 am, edited 1 time in total.
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
gengreen
Apprentice
Posts: 150
Joined: Sat Dec 23, 2017 2:49 am

Post by gengreen » Fri Jan 05, 2018 12:51 am

kajzer wrote:
gengreen wrote:https://paste.pound-python.org/show/X9O ... CgOKMTwTc/
Interesting, so the code actually works. On patched or non-patched system?
I just had to try it, and on the same machine I have another gentoo installation that hasn't been updated in a while (couple of months), and I get the same result (zsh: illegal hardware instruction ./a.out); thought maybe it's zsh so I tried to execute in bash but I got the same thing. Maybe I'm doing something wrong, I've compiled the source with "gcc Source.c"
Unpatched

(I'm reinstalling Gentoo from scratch with musl / minimal / hardened at this moment...)
The Main Man
Veteran
Posts: 1173
Joined: Thu Nov 27, 2014 11:25 pm
Location: /run/user/1000

Post by The Main Man » Fri Jan 05, 2018 12:55 am

Well, I just realized that there is only a patch for Meltdown; for Spectre there's no cure at the moment, and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good, I guess :) )
gengreen
Apprentice
Posts: 150
Joined: Sat Dec 23, 2017 2:49 am

Post by gengreen » Fri Jan 05, 2018 12:57 am

kajzer wrote:Well, I just realized that there is only a patch for Meltdown; for Spectre there's no cure at the moment, and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good, I guess :) )
Indeed. What CPU is in your machine?
The Main Man
Veteran
Posts: 1173
Joined: Thu Nov 27, 2014 11:25 pm
Location: /run/user/1000

Post by The Main Man » Fri Jan 05, 2018 12:59 am

gengreen wrote:
kajzer wrote:Well, I just realized that there is only a patch for Meltdown; for Spectre there's no cure at the moment, and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good, I guess :) )
Indeed. What CPU is in your machine?
Old dual core.
I'm on 17.1 profile and gcc 7.2.0, if that matters in this case.
Edit: actually that doesn't matter since on that other gentoo installation I don't have that, profile there is 13 and gcc is 5.4.0 I think.
Last edited by The Main Man on Fri Jan 05, 2018 1:03 am, edited 1 time in total.
gengreen
Apprentice
Posts: 150
Joined: Sat Dec 23, 2017 2:49 am

Post by gengreen » Fri Jan 05, 2018 1:03 am

kajzer wrote:
gengreen wrote:
kajzer wrote:Well, I just realized that there is only a patch for Meltdown; for Spectre there's no cure at the moment, and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good, I guess :) )
Indeed. What CPU is in your machine?
Old dual core.
I'm on 17.1 profile and gcc 7.2.0, if that matters in this case.
Can you show the output of cat /proc/cpuinfo ?

How did you build Spectre.c ?
The Main Man
Veteran
Posts: 1173
Joined: Thu Nov 27, 2014 11:25 pm
Location: /run/user/1000

Post by The Main Man » Fri Jan 05, 2018 1:07 am

gengreen wrote:can you show the output of a cat /proc/cpuinfo?


$ cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz
stepping	: 13
microcode	: 0xa4
cpu MHz		: 1200.000
cache size	: 1024 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti dtherm
bugs		: cpu_insecure
bogomips	: 4784.78
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz
stepping	: 13
microcode	: 0xa4
cpu MHz		: 1200.000
cache size	: 1024 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 2
apicid		: 1
initial apicid	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti dtherm
bugs		: cpu_insecure
bogomips	: 4784.78
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:
As I said before, I compiled the source with "gcc Source.c"
Now that I think of it I didn't compile on that other partition the source, just executed it, which might be the problem, I'll try it later.

Edit: I compiled it with gcc 6.4.0 and it was the same result, so I guess Spectre isn't working on old Intel CPUs, or maybe this PoC isn't, hard to tell.
Last edited by The Main Man on Fri Jan 05, 2018 1:38 am, edited 1 time in total.
eccerr0r
Watchman
Posts: 10240
Joined: Thu Jul 01, 2004 6:51 pm
Location: almost Mile High in the USA

Post by eccerr0r » Fri Jan 05, 2018 1:16 am

The PoC seems not to be clean for generic x86 as it uses clflush and rdtsc, so watch out for those older machines...
There also seem to be problems with my rdtsc on qemu KVM, so that bombs out.

Works scarily fine on 64-bit on an i7.
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
ct85711
Veteran
Posts: 1791
Joined: Tue Sep 27, 2005 8:54 pm

Post by ct85711 » Fri Jan 05, 2018 1:26 am

Well, I compiled it on my AMD A10-7850k (APU) system, and it appears not to be vulnerable to this issue.
Note: I did not do anything special to compile it, beyond a straight gcc Source.c using gcc-7.2.0.


ct85711@Oate ~/tmp/spectre-attack $ ./a.out
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfedd8... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedd9... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedda... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddb... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddc... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddd... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedde... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddf... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede0... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede1... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede2... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede3... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede4... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede5... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede6... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede7... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede8... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede9... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedea... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedeb... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedec... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeded... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedee... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedef... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf0... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf1... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf2... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf3... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf4... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf5... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf6... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf7... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf8... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf9... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfa... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfb... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfc... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfd... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfe... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedff... Success: 0xFF=’?’ score=0

ct85711@Oate ~/tmp/spectre-attack $ cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 21
model           : 48
model name      : AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G
stepping        : 1
microcode       : 0x6003104
cpu MHz         : 3700.000
cache size      : 2048 KB
...
nokilli
Apprentice
Posts: 239
Joined: Wed Feb 25, 2004 9:54 am

Post by nokilli » Fri Jan 05, 2018 2:54 am

And I was all set to go all-in on Ethereum and its web3 stuff. Dapps, if you weren't aware, are highly javascript-dependent and of course are dealing with passphrases and private keys, for which loss offers little hope of recovery.

There are some of us who were waiting to see what the powers-that-be's response to crypto would be. It is known that these same people have long worked hard to subvert the security of our computer systems for their own gain. Now we see a very conveniently-timed reveal of just such a subversion. Total market cap of crypto recently crossed $.75T USD.
We are the block device. The kernel is our client.
Hu
Administrator
Posts: 24403
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Fri Jan 05, 2018 3:28 am

greyspoke wrote:So if AMD and ARM are affected by spectre, does that mean it exposes a flaw in the instruction set they are implementing? Or is there some shared code with a flaw in it?
Neither. The flaw is a design flaw in how the CPU optimizes evaluation of its native instruction set. The ISA is fine in the abstract, which is why CPUs as different as IA32/x86_64/ARM can all have a problem.
yamabiko wrote:Is it possible to provide a patch for the current stable gentoo-sources? Manually patching it on 4.9.72 gives me a hunk fail.
Maybe, but given the invasiveness of the changes, you really want the backport to be done by somebody who has been heavily involved in the Linux kernel memory management subsystem. Some patches can be backported by anybody competent to read and write C. In my opinion, these patches are not in that category, because they deal with very complicated and subtle logic in a core kernel component. It's not enough to make the patches apply cleanly. The backport maintainer also needs to know that any prerequisite changes have been backported, and those may have been included in 4.10/4.11/4.12/4.13 kernels by other people for other purposes, and thus not marked for backporting as part of this series.
1clue wrote:
Ralphred wrote:
1clue wrote:It would be really neat if they fixed the bug with gcc 6.4 and recent kernels. The combination of this bug and the backported kernels is really unfortunate right now.
I appreciate anecdotal evidence is mostly useless, but just built 4.14.11 with 6.4 and it's working fine, nothing funky other than the ~amd64 for the kernel in package.use
I would be happy as a clam with that, except my attempt panics inside the first second of boot. No logs written.
As a wild guess, since neither of you posted any details to confirm or refute this, Ralphred is on a non-hardened gcc and 1clue is on a hardened gcc. As discussed in another thread, the solution (if this guess is accurate) is to use a non-hardened gcc, to include -fno-stack-check, or to upgrade to a kernel that includes -fno-stack-check automatically.
sligo wrote:
Watcom wrote:So as you can see not running untrusted code goes a long way in preventing Spectre attacks.
Does that include Javascript?
Although the browsers attempt to sandbox Javascript, clever researchers keep identifying novel ways to do things that the Javascript sandbox really ought not allow, so I would say yes, it includes not running Javascript from untrusted hosts.
Ronaldlees
n00b
Posts: 10
Joined: Thu Dec 14, 2017 5:41 pm

Post by Ronaldlees » Fri Jan 05, 2018 3:29 am

kajzer wrote:Well, I just realized that there is only a patch for Meltdown; for Spectre there's no cure at the moment, and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good, I guess :) )
They're working on a (full?partial? - don't really know) "fix" for spectre:

https://support.google.com/faqs/answer/7625886

Basically it's a compiler re-do.
gengreen
Apprentice
Posts: 150
Joined: Sat Dec 23, 2017 2:49 am

Post by gengreen » Fri Jan 05, 2018 6:55 am

A question remains and needs some expert in this domain to give a proper answer, since I don't have sufficient knowledge of low-level programming:

This is not the first time that their hardware has been compromised:

- https://www.techrepublic.com/article/is ... -backdoor/
- http://news.softpedia.com/news/intel-x8 ... 5347.shtml

Intel is a very big corporation and probably has multiple billions of dollars; I don't get how this kind of bug can be a mistake. They have an (almost) unlimited budget and skilled devs / workers to make a product of quality.

From Intel:
Is this a bug in Intel hardware or processor design?
No. This is not a bug or a flaw in Intel products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms...
So they are saying that their products aren't responsible, but that new exploits have just appeared, like some disease in a certain country, a natural meteorological disaster or an experimental medicine...

We are talking about technology, purely made by humans from scratch, so typically nothing resulting from the tech can give an unexpected result; anything can be calculated or known, since we know how the thing works 100%.

All this said, the question is:

Was this new flaw purely a mistake, or was it made on purpose?
Last edited by gengreen on Fri Jan 05, 2018 7:10 am, edited 1 time in total.
eccerr0r
Watchman
Posts: 10240
Joined: Thu Jul 01, 2004 6:51 pm
Location: almost Mile High in the USA

Post by eccerr0r » Fri Jan 05, 2018 7:01 am

Should I be glad I haven't

emerge -e @world

on all my machines yet (after a new compiler is available)? Sounds like this will be needed again to work around spectre?
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
nokilli
Apprentice
Posts: 239
Joined: Wed Feb 25, 2004 9:54 am

Post by nokilli » Fri Jan 05, 2018 7:46 am

gengreen wrote:Was this new flaw purely a mistake, or was it made on purpose?
We should probably move this line of inquiry over to Off the Wall. Until then, look at the timing. Did Intel move their design to another country at about the same time this flaw was introduced? Has that country seen other incidents of misuse of American proprietary technology, realized when corporations move their design work there? Microsomething, I think, is a very notable example. There is actually a long list of misdeeds along these lines, but then too there is a taboo against discussing such things at work here that is very effective and which I don't believe many of you fully appreciate.
We are the block device. The kernel is our client.
eccerr0r
Watchman
Posts: 10240
Joined: Thu Jul 01, 2004 6:51 pm
Location: almost Mile High in the USA

Post by eccerr0r » Fri Jan 05, 2018 8:06 am

They say that this was a problem ever since the ppro in 1994; I still have a ppro but am unsure how to hack the code to test it, as the PoC uses rdtsc and clflush which aren't supported by this old processor. I suspect the problem still exists, but it's harder to ensure the code actually "worked" versus a side effect of a context swap or interrupt which could invalidate the slurped data. (Anyone got this to work on a Core2? I can't seem to get rdtsc to work on my core2 machines.)

Incidentally, disabling rdtsc probably would make it harder to swipe data, though it does NOT fix the problem, as the problem still manifests without it.

Now the question I do have... Anyone with an Alpha who could test this? I'm curious... They say that ia64 does not have this problem (VLIW...)

[Edit] It seems rdtsc should have been available since the Pentium; so perhaps I need to figure out why it's showing up as an invalid instruction...
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
Aiken
Apprentice
Posts: 243
Joined: Wed Jan 22, 2003 12:28 am
Location: Toowoomba/Australia

Post by Aiken » Fri Jan 05, 2018 8:40 am

eccerr0r wrote:(Anyone got this to work on a Core2, I can't seem to get rdtsc to work on my core2 machines.)
.
.
Now the question I do have... Anyone with an Alpha and could test this, I'm curious... They say that ia64 does not have this problem (VLIW...)
Do you mean rdtsc or rdtscp? C2d does have rdtsc but seems not to have rdtscp.

A while back I had something using __asm__ volatile ("rdtsc" : "=A" (x)); which works on c2d. If I change that to rdtscp I get Illegal Instruction. The spectre code works on my i7 7700k and i5 2500k. Both the c2d and a celeron 550 give illegal instruction on the rdtscp.

I have a 433MHz alpha that started life with nt4, but the big question is what safe place it has been put in.

edit: I changed the rdtscp to rdtsc. It runs, but with the machine idle nothing is found. Start running some 100% cpu processes and spectre starts finding characters, but nothing like as accurate as the unmodified code on the i5 and i7. The c2d is a e8500 @ 3.16GHz.
Beware the grue.
PrSo
Tux's lil' helper
Posts: 136
Joined: Thu Jun 01, 2017 1:02 pm

Post by PrSo » Fri Jan 05, 2018 9:00 am

Naib wrote:I just tried it on my patched BUT disabled system...


 ./a.out 
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfee18... Success: 0x54=’T’ score=2 
Reading at malicious_x = 0xffffffffffdfee19... Success: 0x68=’h’ score=2 
Reading at malicious_x = 0xffffffffffdfee1a... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee1b... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee1c... Success: 0x4D=’M’ score=2 
Reading at malicious_x = 0xffffffffffdfee1d... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee1e... Success: 0x67=’g’ score=2 
Reading at malicious_x = 0xffffffffffdfee1f... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee20... Success: 0x63=’c’ score=2 
Reading at malicious_x = 0xffffffffffdfee21... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee22... Success: 0x57=’W’ score=2 
Reading at malicious_x = 0xffffffffffdfee23... Success: 0x6F=’o’ score=2 
Reading at malicious_x = 0xffffffffffdfee24... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee25... Success: 0x64=’d’ score=2 
Reading at malicious_x = 0xffffffffffdfee26... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee27... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee28... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee29... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee2a... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee2b... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee2c... Success: 0x53=’S’ score=2 
Reading at malicious_x = 0xffffffffffdfee2d... Success: 0x71=’q’ score=2 
Reading at malicious_x = 0xffffffffffdfee2e... Success: 0x75=’u’ score=2 
Reading at malicious_x = 0xffffffffffdfee2f... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee30... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee31... Success: 0x6D=’m’ score=2 
Reading at malicious_x = 0xffffffffffdfee32... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee33... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee34... Success: 0x68=’h’ score=2 
Reading at malicious_x = 0xffffffffffdfee35... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee36... Success: 0x4F=’O’ score=2 
Reading at malicious_x = 0xffffffffffdfee37... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee38... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee39... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee3a... Success: 0x66=’f’ score=2 
Reading at malicious_x = 0xffffffffffdfee3b... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee3c... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee3d... Success: 0x67=’g’ score=2 
Reading at malicious_x = 0xffffffffffdfee3e... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee3f... Success: 0x2E=’.’ score=2 
This is a Ryzen setup and AMD states that this arch is susceptible to variant 1
Same situation here: PTI disabled in kernel config, and with the patch from AMD that disables marking AMD CPUs as insecure applied.

APU a6-6310

Did you try to execute this code after the magical AMD microcode 17h update?
krinn
Watchman
Posts: 7476
Joined: Fri May 02, 2003 6:14 am

Post by krinn » Fri Jan 05, 2018 9:19 am

Interesting: to read it you have to flush the cpu cache, but it's an sse2 instruction.
https://software.intel.com/en-us/cpp-co ... intrinsics

So being unable to use _mm_clflush doesn't protect from it, but it avoids the cache flush and so avoids it.
On my affected core2 running x86 it couldn't flush its cache.


LC_ALL="C" ./a.out 
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Instruction non permise
Look at that :)


LANG="C" gcc  spectre.c -march=i686
In file included from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/xmmintrin.h:1249:0,
                 from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/x86intrin.h:31,
                 from spectre.c:8:
spectre.c: In function 'readMemoryByte':
/usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/emmintrin.h:1479:1: error: inlining failed in call to always_inline '_mm_clflush': target specific option mismatch
 _mm_clflush (void const *__A)
 ^
spectre.c:57:4: error: called from here
    _mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
    ^
In file included from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/xmmintrin.h:1249:0,
                 from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/x86intrin.h:31,
                 from spectre.c:8:
/usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/emmintrin.h:1479:1: error: inlining failed in call to always_inline '_mm_clflush': target specific option mismatch
 _mm_clflush (void const *__A)
 ^
spectre.c:63:4: error: called from here
    _mm_clflush(&array1_size);


LANG="C" gcc  spectre.c -march=core2 && echo "good"
good
Dunno if we have another way to flush the cpu cache, but disabling sse2 for now disallows _mm_clflush.
2nd problem: how to disallow an sse2-ready cpu from using sse2 at runtime :)
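Added example (not code from this thread or from the PoC the posters compiled): a Python parser for the /proc/cpuinfo text quoted earlier that reports what the kernel itself says about the CPU (the pti flag and the cpu_insecure bug marker) next to whether the instructions the PoC uses unconditionally (clflush/SSE2, rdtscp) are advertised, which is the point krinn and Aiken make: an illegal-instruction crash means a missing instruction, not an immune CPU. The flag names are real /proc/cpuinfo flag names; the sample text is constructed and abbreviated.

```python
"""Parse /proc/cpuinfo text and summarize Meltdown/Spectre-related indicators.

Added example; the sample below is constructed and abbreviated from the
E2180 output posted in this thread (no rdtscp flag, 'pti' present,
bug marker 'cpu_insecure').
"""

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in /proc/cpuinfo layout: "key<TAB>: value" records,
# one blank line between processors.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz
flags\t\t: fpu vme de pse tsc msr clflush sse sse2 syscall nx lm pti dtherm
bugs\t\t: cpu_insecure

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz
flags\t\t: fpu vme de pse tsc msr clflush sse sse2 syscall nx lm pti dtherm
bugs\t\t: cpu_insecure
"""

# Instructions the PoC discussed in this thread executes unconditionally,
# keyed by the /proc/cpuinfo flag that advertises them.
POC_REQUIRED_FLAGS = {
    "clflush": "clflush (via _mm_clflush, needs SSE2 intrinsics)",
    "sse2": "SSE2 (the intrinsics header krinn hit with -march=i686)",
    "rdtscp": "rdtscp timer read (absent on Core2, per Aiken)",
}


@dataclass
class CpuRecord:
    index: int
    vendor: str
    model_name: str
    flags: List[str]
    bugs: List[str]


def parse_cpuinfo(text: str) -> List[CpuRecord]:
    """Split cpuinfo text into one record per 'processor' block."""
    blocks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a processor block
            if current:
                blocks.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:                     # not a "key : value" line; skip it
            continue
        current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    return [
        CpuRecord(
            index=int(b.get("processor", "-1")),
            vendor=b.get("vendor_id", "unknown"),
            model_name=b.get("model name", "unknown"),
            flags=b.get("flags", "").split(),
            bugs=b.get("bugs", "").split(),
        )
        for b in blocks
    ]


def assess(rec: CpuRecord) -> Dict[str, object]:
    """Summarize what the kernel says about this CPU and what the PoC needs.

    'pti' in flags means page table isolation is active, which addresses
    Meltdown only; it does nothing for the Spectre variant the PoC in this
    thread exercises. 'cpu_insecure' is the kernel's own bug marker (early
    4.14.x set it for every x86 CPU, AMD included, as PrSo's post notes).
    """
    missing = [f for f in POC_REQUIRED_FLAGS if f not in rec.flags]
    return {
        "cpu": rec.index,
        "vendor": rec.vendor,
        "kernel_marks_insecure": "cpu_insecure" in rec.bugs,
        "kpti_active": "pti" in rec.flags,
        # If any of these is missing the PoC dies with SIGILL; that is a
        # missing instruction, not evidence the CPU is immune.
        "poc_missing_instructions": missing,
        "poc_can_run": not missing,
    }


def report(text: str) -> List[Dict[str, object]]:
    """One assessment dict per processor in the given cpuinfo text."""
    return [assess(r) for r in parse_cpuinfo(text)]


if __name__ == "__main__":
    for row in report(SAMPLE_CPUINFO):
        print(row)
```

Run it against the real file with `report(open("/proc/cpuinfo").read())`; on the E2180 above it reports kpti_active and kernel_marks_insecure as true and rdtscp as the missing instruction.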
Watcom
n00b
Posts: 21
Joined: Wed Apr 12, 2006 5:29 pm

Post by Watcom » Fri Jan 05, 2018 10:19 am

You can flush (evict) the cache by reading from a large array. It's less convenient, but still possible. It's actually described in the paper.
krinn
Watchman
Posts: 7476
Joined: Fri May 02, 2003 6:14 am

Post by krinn » Fri Jan 05, 2018 10:29 am

I knew it wasn't that easy, else it would have been made already :)

Anyone also notice that pie made it worse?
When using the test program with -pie -fpie I get a higher score (the program counts backward: the higher the score, the faster it has found the info); without pie I nearly always get a score of 2.
That's just an oddity, because as long as the score is >0 you're doomed.
(However, I'm using pie with gcc 5.4, which might not be as good as 6.4.)
Ant P.
Watchman
Posts: 6920
Joined: Sat Apr 18, 2009 7:18 pm

Post by Ant P. » Fri Jan 05, 2018 10:58 am

roki942 wrote:Came across these:
"We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare" http://www.theregister.co.uk/2018/01/04 ... notations/
"Azure VMs borked following Meltdown patch, er, meltdown" https://www.theregister.co.uk/2018/01/0 ... own_patch/
The preferred phrase at present is "coordinated disclosure." "Responsible disclosure" suggests the media and security researchers have been irresponsible for reporting on this issue before Intel was ready to go public. Once we get into assigning blame, that invites terms like "responsible microarchitecture design" or "responsible sales of processors known to contain vulnerabilities" or "responsible handling of security disclosures made last June."
:lol:

https://marc.info/?l=openbsd-misc&m=118296441702631&w=2 also worth noting - OBSD called out the state of Intel's garbage QA years before things like Poulsbo, xf86-video-intel becoming abandonware, all their network card bricking fiascos, defective BIOSes, Haswell TSX, hyperthreading data leaks, this, or next week's news.
JuNix
Apprentice
Posts: 226
Joined: Wed Mar 05, 2003 5:21 pm
Location: Sheffield

Post by JuNix » Fri Jan 05, 2018 11:00 am

I have some interesting results for my Gentoo Xen HVM

I updated my system to 4.14.11-gentoo-r2 and the PoC code produces this


johnh@flatline ~ $ gcc Source.c -o plap
johnh@flatline ~ $ ./plap
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfee68... Success: 0x54=’T’ score=2 
Reading at malicious_x = 0xffffffffffdfee69... Success: 0x68=’h’ score=2 
Reading at malicious_x = 0xffffffffffdfee6a... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee6b... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee6c... Success: 0x4D=’M’ score=2 
Reading at malicious_x = 0xffffffffffdfee6d... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee6e... Success: 0x67=’g’ score=2 
Reading at malicious_x = 0xffffffffffdfee6f... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee70... Success: 0x63=’c’ score=2 
Reading at malicious_x = 0xffffffffffdfee71... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee72... Success: 0x57=’W’ score=2 
Reading at malicious_x = 0xffffffffffdfee73... Success: 0x6F=’o’ score=2 
Reading at malicious_x = 0xffffffffffdfee74... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee75... Success: 0x64=’d’ score=2 
Reading at malicious_x = 0xffffffffffdfee76... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee77... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee78... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee79... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee7a... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee7b... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee7c... Success: 0x53=’S’ score=2 
Reading at malicious_x = 0xffffffffffdfee7d... Success: 0x71=’q’ score=2 
Reading at malicious_x = 0xffffffffffdfee7e... Success: 0x75=’u’ score=2 
Reading at malicious_x = 0xffffffffffdfee7f... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee80... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee81... Success: 0x6D=’m’ score=2 
Reading at malicious_x = 0xffffffffffdfee82... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee83... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee84... Success: 0x68=’h’ score=2 
Reading at malicious_x = 0xffffffffffdfee85... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfee86... Success: 0x4F=’O’ score=2 
Reading at malicious_x = 0xffffffffffdfee87... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee88... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfee89... Success: 0x69=’i’ score=2 
Reading at malicious_x = 0xffffffffffdfee8a... Success: 0x66=’f’ score=2 
Reading at malicious_x = 0xffffffffffdfee8b... Success: 0x72=’r’ score=2 
Reading at malicious_x = 0xffffffffffdfee8c... Success: 0x61=’a’ score=2 
Reading at malicious_x = 0xffffffffffdfee8d... Success: 0x67=’g’ score=2 
Reading at malicious_x = 0xffffffffffdfee8e... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfee8f... Success: 0x2E=’.’ score=2 
which is an interesting result

Code:

johnh@flatline ~ $ dmesg|grep -i isola
[    0.000000] Kernel/User page tables isolation: enabled
johnh@flatline ~ $ grep ISOLA /usr/src/linux/.config
CONFIG_PAGE_TABLE_ISOLATION=y
johnh@flatline ~ $ uname -a
Linux flatline 4.14.11-gentoo-r2 #1 SMP PREEMPT Fri Jan 5 10:41:42 GMT 2018 x86_64 Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz GenuineIntel GNU/Linux
johnh@flatline ~ $ grep -i secure /proc/cpuinfo 
bugs		: cpu_insecure
bugs		: cpu_insecure

Code:

johnh@flatline ~ $ cat /proc/cpuinfo 
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 60
model name	: Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz
stepping	: 3
microcode	: 0x1d
cpu MHz		: 2699.836
cache size	: 8192 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush acpi mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt
bugs		: cpu_insecure
bogomips	: 5399.98
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 60
model name	: Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz
stepping	: 3
microcode	: 0x1d
cpu MHz		: 2699.836
cache size	: 8192 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 2
apicid		: 2
initial apicid	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush acpi mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt
bugs		: cpu_insecure
bogomips	: 5399.98
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:
So, Xen hardware virtual machines need more than a local kernel fix, they need the actual Hypervisor code patched as well? Interesting......
yamabiko
n00b
Posts: 10
Joined: Sat Jul 22, 2017 4:59 pm

Post by yamabiko » Fri Jan 05, 2018 11:06 am

JuNix wrote: I have some interesting results for my Gentoo Xen HVM

I updated my system to 4.14.11-gentoo-r2 and the PoC code produces this

So, Xen hardware virtual machines need more than a local kernel fix, they need the actual Hypervisor code patched as well? Interesting......
The patch is for Meltdown, not Spectre.

Is there a PoC that works on older processors?
Both https://github.com/Eugnis/spectre-attack/ and https://github.com/gkaindl/meltdown-poc (only for OSX ?) are not working on my core2.
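As an added example (not code from this thread or from either PoC repository), the following POSIX sh script reads the same sources JuNix grepped, `dmesg` output and `/proc/cpuinfo`, and reports what the kernel says about its own mitigation state. It makes yamabiko's point explicit: a `pti` flag and "page tables isolation: enabled" only mean the Meltdown mitigation (KPTI) is active, which says nothing about the Spectre bounds-check-bypass PoC that still succeeds in JuNix's output. The `hypervisor` flag (present in JuNix's cpuinfo) is reported separately, because a guest kernel patch does not cover the hypervisor itself. The sample cpuinfo/dmesg files are constructed, modelled on the lines posted above; the `/sys/devices/system/cpu/vulnerabilities/` directory is an interface newer kernels expose and is absent on the 4.14.11 kernel shown, so the script treats its absence as a normal case.

```shell
#!/bin/sh
# Added example: summarise kernel-reported Meltdown/Spectre mitigation state.
# All inputs are file paths so the functions run equally on constructed samples
# and on live copies (/proc/cpuinfo, saved `dmesg` output, the sysfs directory).

# pti_enabled DMESG_FILE: succeed if the boot log reports KPTI as enabled
pti_enabled() {
    grep -qi 'page tables isolation: enabled' "$1"
}

# cpu_flag CPUINFO FLAG: succeed if FLAG is in the first CPU's "flags" line
cpu_flag() {
    awk -v want="$2" '
        /^flags/ { for (i = 3; i <= NF; i++) if ($i == want) found = 1; exit }
        END { exit !found }' "$1"
}

# cpu_bugs CPUINFO: print the unique "bugs" values across all processors
cpu_bugs() {
    awk -F': *' '/^bugs/ { print $2 }' "$1" | sort -u
}

# sysfs_vulns DIR: print name: status for each entry of the sysfs
# vulnerabilities directory (newer kernels only); status 1 if it is absent
sysfs_vulns() {
    if [ ! -d "$1" ]; then
        echo "sysfs vulnerabilities interface not present on this kernel"
        return 1
    fi
    for f in "$1"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# mitigation_summary CPUINFO DMESG_FILE: one finding per line;
# exit status 0 only when KPTI is both compiled in and enabled at boot
mitigation_summary() {
    cpuinfo=$1
    bootlog=$2
    status=1
    if cpu_flag "$cpuinfo" hypervisor; then
        echo "guest: hypervisor flag set; the guest kernel patch does not cover the hypervisor"
    fi
    echo "bugs: $(cpu_bugs "$cpuinfo" | tr '\n' ' ')"
    if pti_enabled "$bootlog" && cpu_flag "$cpuinfo" pti; then
        echo "meltdown: KPTI enabled (addresses Meltdown only)"
        status=0
    else
        echo "meltdown: KPTI NOT enabled"
    fi
    echo "spectre: not addressed by KPTI; a Spectre PoC can still succeed with KPTI on"
    return $status
}

# make_samples DIR: write constructed cpuinfo/dmesg samples into DIR.
# These are assumptions modelled on the posted output, not captured data.
make_samples() {
    mkdir -p "$1"
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme hypervisor pti smep\nbugs\t\t: cpu_insecure\n\nprocessor\t: 1\nflags\t\t: fpu vme hypervisor pti smep\nbugs\t\t: cpu_insecure\n' > "$1/cpuinfo.pti"
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme smep\nbugs\t\t: cpu_insecure\n' > "$1/cpuinfo.nopti"
    printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$1/dmesg.on"
    printf '[    0.000000] Command line: root=/dev/sda2\n' > "$1/dmesg.off"
}

# When run directly with two arguments, inspect the given captured copies:
#   sh check.sh /proc/cpuinfo dmesg.txt      (dmesg output may need root to capture)
if [ "$#" -eq 2 ]; then
    mitigation_summary "$1" "$2"
    sysfs_vulns /sys/devices/system/cpu/vulnerabilities || true
fi
```

The checks are deliberately read-only: they tell you whether the kernel believes KPTI is on, not whether a PoC succeeds, which is exactly the gap JuNix's result illustrates. Running it on a Xen HVM guest will show the `hypervisor` line, a reminder that the dom0/hypervisor side needs its own update regardless of what the guest reports.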
Atom2
Apprentice
Posts: 185
Joined: Mon Aug 01, 2011 9:16 am

Post by Atom2 » Fri Jan 05, 2018 12:15 pm

JuNix,
JuNix wrote: I have some interesting results for my Gentoo Xen HVM

I updated my system to 4.14.11-gentoo-r2 and the PoC code produces this

[snip]

So, Xen hardware virtual machines need more than a local kernel fix, they need the actual Hypervisor code patched as well? Interesting......
I don't think this proves anything with regard to XEN. My understanding is that HVM domUs (and 32 bit PV domUs) under XEN are not able to access data from (or in other words: data that exclusively belongs to) the hypervisor/dom0 or any other domU running under the hypervisor - and that's what XEN is and should be held accountable for.

In my view you can't hold XEN responsible for what is happening inside any domU guest. XEN just needs to make sure that nothing from one domU spills over to any other domU/the dom0 or that no single domU does have access to data from any other domU/the dom0.

Albeit XEN only provides a virtual machine environment for other systems to run inside which should be fully encapsulated from the hypervisor/dom0 and all other virtual machine environments running on the same hardware.

What's happening within any such XEN provided virtual machine environment is completely up to the operating system running therein. I would even go one step further and proclaim that XEN would be grossly wrong if it interfered with what's solely happening inside any of its domUs.

Regards Atom2