Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3 ... 8, 9, 10 ... 21, 22, 23  Next  
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7230
Location: almost Mile High in the USA

PostPosted: Mon Jan 08, 2018 4:54 am    Post subject: Reply with quote

BTW, whoever can change the topic from "Meltdown/Spectre: Kernel Memory Leaking":

memory leak sort of means something ("malloc without free").

private memory content leakage or unauthorized memory read may mean something else...

just saying (yeah, I hate this term too, but I think it's well deserved for this topic.)
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
gengreen
Tux's lil' helper
Tux's lil' helper


Joined: 23 Dec 2017
Posts: 84

PostPosted: Mon Jan 08, 2018 5:02 am    Post subject: Reply with quote

Last firmware 20171117_p20171215-r1

Code:
[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[    2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba


Look better today, but still unable to known if I'm still vulnerable by meltdown

6 month they are aware of the problem and yet not capable to give a proper patch...
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5689
Location: Removed by Neddy

PostPosted: Mon Jan 08, 2018 7:49 am    Post subject: Reply with quote

gengreen wrote:
Last firmware 20171117_p20171215-r1

Code:
[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[    2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba


Look better today, but still unable to known if I'm still vulnerable by meltdown

6 month they are aware of the problem and yet not capable to give a proper patch...

For meltdown you need a patched kernel (grep secure /proc/cpuinfo)
For spectre you need gcc,kernel patching plus microcode for intel (gcc + kernel only for amd)
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
Wallsandfences
Guru
Guru


Joined: 29 Mar 2010
Posts: 368

PostPosted: Mon Jan 08, 2018 8:15 am    Post subject: Reply with quote

What am I missing? There wasn't a new gcc in the last few days??
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5689
Location: Removed by Neddy

PostPosted: Mon Jan 08, 2018 9:46 am    Post subject: Reply with quote

Wallsandfences wrote:
What am I missing? There wasn't a new gcc in the last few days??
its not out yet... Spectre isn't resolved yet...
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43751
Location: 56N 3W

PostPosted: Mon Jan 08, 2018 10:14 am    Post subject: Reply with quote

That will be another
Code:
emerge -e @world
when the new gcc is out.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5689
Location: Removed by Neddy

PostPosted: Mon Jan 08, 2018 10:45 am    Post subject: Reply with quote

NeddySeagoon wrote:
That will be another
Code:
emerge -e @world
when the new gcc is out.
Will it? or will it just be the kernel? I would have thought it would just be the kernel that needs to be rebuild with the new speculative branching mitigation (ie poisoning it)
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
luiztux
n00b
n00b


Joined: 31 Aug 2015
Posts: 27
Location: /usr/portage/distfiles

PostPosted: Mon Jan 08, 2018 11:02 am    Post subject: Reply with quote

GCC 8 patch for Spectre...
Back to top
View user's profile Send private message
transsib
l33t
l33t


Joined: 26 Jul 2003
Posts: 869

PostPosted: Mon Jan 08, 2018 11:22 am    Post subject: Reply with quote

Got patched kernel and updated microcode
Code:
[    0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
[    0.000000] Linux version 4.14.11-gentoo-r2 (root@aldebaran) (gcc version 6.4.0 (Gentoo 6.4.0 p1.1)) #2 SMP Sun Jan 7 10:09:37 CET 2018


I still see this:
Code:
grep secure /proc/cpuinfo
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure


Or is the patch in 4.14.11-r2 not complete yet?
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5689
Location: Removed by Neddy

PostPosted: Mon Jan 08, 2018 11:24 am    Post subject: Reply with quote

transsib wrote:
Got patched kernel and updated microcode
Code:
[    0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
[    0.000000] Linux version 4.14.11-gentoo-r2 (root@aldebaran) (gcc version 6.4.0 (Gentoo 6.4.0 p1.1)) #2 SMP Sun Jan 7 10:09:37 CET 2018


I still see this:
Code:
grep secure /proc/cpuinfo
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure
bugs            : cpu_insecure


Or is the patch in 4.14.11-r2 not complete yet?
you will see that, that is just a verbose note that your CPU is classified as insecure. dmesg | grep -i isolation should indicate whether the page table isolation is loaded
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6294

PostPosted: Mon Jan 08, 2018 11:25 am    Post subject: Reply with quote

Naib wrote:
Will it? or will it just be the kernel?

Every program/library is vulnerable until recompiled with a gcc which has a corresponidng patch.
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 129

PostPosted: Mon Jan 08, 2018 11:26 am    Post subject: Reply with quote

Naib wrote:
NeddySeagoon wrote:
That will be another
Code:
emerge -e @world
when the new gcc is out.
Will it? or will it just be the kernel? I would have thought it would just be the kernel that needs to be rebuild with the new speculative branching mitigation (ie poisoning it)


IMHO it is needed for Spectre v2 to recompile everything, but I am not sure about Spectre v1 tho:

https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
Back to top
View user's profile Send private message
transpetaflops
Tux's lil' helper
Tux's lil' helper


Joined: 16 May 2005
Posts: 136

PostPosted: Mon Jan 08, 2018 11:47 am    Post subject: Reply with quote

gengreen wrote:
Last firmware 20171117_p20171215-r1

Code:
[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[    2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba


Look better today, but still unable to known if I'm still vulnerable by meltdown

6 month they are aware of the problem and yet not capable to give a proper patch...


What is the source of these new microcode files? On Intel's website I can only find the original microcode file from 20171117 and none of the updated ones.
https://downloadcenter.intel.com/download/27337
Back to top
View user's profile Send private message
Wallsandfences
Guru
Guru


Joined: 29 Mar 2010
Posts: 368

PostPosted: Mon Jan 08, 2018 11:51 am    Post subject: Reply with quote

I can confirm that the microcode works on meltdown for skylake u/y

Code:
0x000406e3
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7167

PostPosted: Mon Jan 08, 2018 11:53 am    Post subject: Reply with quote

google guys:
- "hey, we had rumour krinn is about to switch to profile 17.0"
- "ok release spectre and meldown papers to delay him more!"
Back to top
View user's profile Send private message
Wallsandfences
Guru
Guru


Joined: 29 Mar 2010
Posts: 368

PostPosted: Mon Jan 08, 2018 12:12 pm    Post subject: Reply with quote

Wallsandfences wrote:
I can confirm that the microcode works on meltdown for skylake u/y

Code:
0x000406e3


Oops, on the next reboot it's gone. I can only speculate, since I updated my bios (intel nuc) and its revision is January the 3rd, that it got new microcode from bios now, skipping the early microcode patching.

R.
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 129

PostPosted: Mon Jan 08, 2018 12:33 pm    Post subject: Reply with quote

This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker

It checks if any of the mitigations were applied.

On AMD apu , kernel 4.14.12-gentoo, without KPTI enabled in kernel config:

Code:
sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.13

Checking vulnerabilities against Linux 4.14.12-gentoo #1 SMP Sun Jan 7 17:54:49 CET 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 23 opcodes found, should be >= 70)
> STATUS:  VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpolines:  NO
> STATUS:  NOT VULNERABLE  (your CPU is not vulnerable as per the vendor)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU is not vulnerable as per the vendor)
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7167

PostPosted: Mon Jan 08, 2018 12:36 pm    Post subject: Reply with quote

latest microcode will be mark stable in a few, you can get it there if you don't want wait :
https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-firmware/intel-microcode/intel-microcode-20171117_p20171215-r1.ebuild?id=fe65cc7bc14f41f05bb9c41f7318f280a1a31b5e
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5689
Location: Removed by Neddy

PostPosted: Mon Jan 08, 2018 12:41 pm    Post subject: Reply with quote

krinn wrote:
latest microcode will be mark stable in a few, you can get it there if you don't want wait :
https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-firmware/intel-microcode/intel-microcode-20171117_p20171215-r1.ebuild?id=fe65cc7bc14f41f05bb9c41f7318f280a1a31b5e
Thats not new enough. That is Intels microcode from nov 2017... they have not made avail microcode for spectre ( well maybe to vendors for BIOS updates)
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7167

PostPosted: Mon Jan 08, 2018 12:44 pm    Post subject: Reply with quote

it's all we have for now, and i didn't myself check, but it's possible that a nov2017 update is indeed the fix.
spectre has been release to public jan2018, it doesn't mean intel has discover the issue that day :)
and "not quiet sure", but i think devs have find and report the flaw in feb or march 2017.

at least from https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
Quote:
cpu:Haswell cpuid: 000306C3 rev need: 0x23


and i have
Quote:
>cpuid -1 | grep serial | tail -n1 | awk '{print $4}' | cut -d\- -f1,2 | sed 's/-//g'
000306C3
>iucode_tool -S -l /lib/firmware/intel-ucode/*
049/001: sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5689
Location: Removed by Neddy

PostPosted: Mon Jan 08, 2018 1:01 pm    Post subject: Reply with quote

Except...

Intel's PR release on 4th Jan: https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
Quote:
Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.


Now the nov2017 update may have covered "products introduced within the past five years" as the press statement didn't actually state when that occured
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
mike155
Veteran
Veteran


Joined: 17 Sep 2010
Posts: 1529
Location: Frankfurt, Germany

PostPosted: Mon Jan 08, 2018 1:20 pm    Post subject: Reply with quote

PrSo wrote:
This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker

This tool is pretty good! Thanks for sharing this. I'm especially glad it's only a shell script - and not a sophisticated C program. So I can see easily what it does.

I just executed it on a newly updated RHEL 7 server. It looks like they already have implemented LFENCE and IBRS in the kernel - here is the output:
Code:
Spectre and Meltdown mitigation detection tool v0.13

Checking vulnerabilities against Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  YES  (112 opcodes found, which is >= 70)
> STATUS:  NOT VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  YES
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpolines:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)


Last edited by mike155 on Mon Jan 08, 2018 1:32 pm; edited 3 times in total
Back to top
View user's profile Send private message
transsib
l33t
l33t


Joined: 26 Jul 2003
Posts: 869

PostPosted: Mon Jan 08, 2018 1:23 pm    Post subject: Reply with quote

Quote:
( well maybe to vendors for BIOS updates)

not holding breath; no UEFI update available since 2015 for this system (ASUS).
Broadwell systems have had updates only this year though.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5913

PostPosted: Mon Jan 08, 2018 1:27 pm    Post subject: Reply with quote

PrSo wrote:
This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker

It checks if any of the mitigations were applied.

On AMD apu , kernel 4.14.12-gentoo, without KPTI enabled in kernel config:

Code:
sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.13

Checking vulnerabilities against Linux 4.14.12-gentoo #1 SMP Sun Jan 7 17:54:49 CET 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 23 opcodes found, should be >= 70)
> STATUS:  VULNERABLE

I wonder if that's a side effect of Gentoo kernels not compiling in thousands of useless drivers. Maybe we're fine there.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Mon Jan 08, 2018 1:47 pm    Post subject: Reply with quote

Add Snapdragon SoC to the list: Qualcomm Joins The CPU Affected List.
Back to top
View user's profile Send private message
Display posts from previous:   
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Goto page Previous  1, 2, 3 ... 8, 9, 10 ... 21, 22, 23  Next
Page 9 of 23

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum