Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5 ... 21, 22, 23  Next  
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5699
Location: Removed by Neddy

PostPosted: Fri Jan 05, 2018 12:50 am    Post subject: Reply with quote

I just tried it on my patched BUT disabled system...


Code:

 ./a.out
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfee18... Success: 0x54=’T’ score=2
Reading at malicious_x = 0xffffffffffdfee19... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfee1a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee1b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee1c... Success: 0x4D=’M’ score=2
Reading at malicious_x = 0xffffffffffdfee1d... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee1e... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfee1f... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee20... Success: 0x63=’c’ score=2
Reading at malicious_x = 0xffffffffffdfee21... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee22... Success: 0x57=’W’ score=2
Reading at malicious_x = 0xffffffffffdfee23... Success: 0x6F=’o’ score=2
Reading at malicious_x = 0xffffffffffdfee24... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee25... Success: 0x64=’d’ score=2
Reading at malicious_x = 0xffffffffffdfee26... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee27... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee28... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee29... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee2a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee2b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee2c... Success: 0x53=’S’ score=2
Reading at malicious_x = 0xffffffffffdfee2d... Success: 0x71=’q’ score=2
Reading at malicious_x = 0xffffffffffdfee2e... Success: 0x75=’u’ score=2
Reading at malicious_x = 0xffffffffffdfee2f... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee30... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee31... Success: 0x6D=’m’ score=2
Reading at malicious_x = 0xffffffffffdfee32... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee33... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee34... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfee35... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee36... Success: 0x4F=’O’ score=2
Reading at malicious_x = 0xffffffffffdfee37... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee38... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee39... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee3a... Success: 0x66=’f’ score=2
Reading at malicious_x = 0xffffffffffdfee3b... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee3c... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee3d... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfee3e... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee3f... Success: 0x2E=’.’ score=2


This is a Ryzen setup and AMD states that this arch is susceptible to variant 1
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king


Last edited by Naib on Fri Jan 05, 2018 12:55 am; edited 1 time in total
Back to top
View user's profile Send private message
gengreen
Tux's lil' helper
Tux's lil' helper


Joined: 23 Dec 2017
Posts: 84

PostPosted: Fri Jan 05, 2018 12:51 am    Post subject: Reply with quote

kajzer wrote:
gengreen wrote:
https://paste.pound-python.org/show/X9OyOjgzkEMCgOKMTwTc/


Interesting, so the code actually works. On patched or non-patched system?
I just had to try it and on the same machine I have another gentoo installation that hasn't been updated in awhile (couple of months) , and I get the same result (zsh: illegal hardware instruction ./a.out), thought maybe it's zsh so I tried to execute in bash but I got the same thing. Maybe I'm doing something wrong, I've compiled the source with "gcc Source.c"


Unpatched

(I'm reinstall Gentoo from scratch with musl / minimal / hardened at this moment...)
Back to top
View user's profile Send private message
kajzer
Guru
Guru


Joined: 27 Nov 2014
Posts: 484

PostPosted: Fri Jan 05, 2018 12:55 am    Post subject: Reply with quote

Well, I just realized that there is only a patch for Meltdown , for Spectre there's no cure at the moment and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good , I guess :) )
Back to top
View user's profile Send private message
gengreen
Tux's lil' helper
Tux's lil' helper


Joined: 23 Dec 2017
Posts: 84

PostPosted: Fri Jan 05, 2018 12:57 am    Post subject: Reply with quote

kajzer wrote:
Well, I just realized that there is only a patch for Meltdown , for Spectre there's no cure at the moment and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good , I guess :) )


Indeed, cpu of your machine ?
Back to top
View user's profile Send private message
kajzer
Guru
Guru


Joined: 27 Nov 2014
Posts: 484

PostPosted: Fri Jan 05, 2018 12:59 am    Post subject: Reply with quote

gengreen wrote:
kajzer wrote:
Well, I just realized that there is only a patch for Meltdown , for Spectre there's no cure at the moment and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good , I guess :) )


Indeed, cpu of your machine ?


Old dual core.
I'm on 17.1 profile and gcc 7.2.0, if that matters in this case.
Edit: actually that doesn't matter since on that other gentoo installation I don't have that, profile there is 13 and gcc is 5.4.0 I think.


Last edited by kajzer on Fri Jan 05, 2018 1:03 am; edited 1 time in total
Back to top
View user's profile Send private message
gengreen
Tux's lil' helper
Tux's lil' helper


Joined: 23 Dec 2017
Posts: 84

PostPosted: Fri Jan 05, 2018 1:03 am    Post subject: Reply with quote

kajzer wrote:
gengreen wrote:
kajzer wrote:
Well, I just realized that there is only a patch for Meltdown , for Spectre there's no cure at the moment and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good , I guess :) )


Indeed, cpu of your machine ?


Old dual core.
I'm on 17.1 profile and gcc 7.2.0, if that matters in this case.


can you show the output of a cat
Quote:
/proc/cpuinfo
?

How did you build Spectre.c ?
Back to top
View user's profile Send private message
kajzer
Guru
Guru


Joined: 27 Nov 2014
Posts: 484

PostPosted: Fri Jan 05, 2018 1:07 am    Post subject: Reply with quote

gengreen wrote:
can you show the output of a cat /proc/cpuinfo?


Code:
$ cat /proc/cpuinfo                                                                                                                                                                                                       
processor   : 0
vendor_id   : GenuineIntel
cpu family   : 6
model      : 15
model name   : Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz
stepping   : 13
microcode   : 0xa4
cpu MHz      : 1200.000
cache size   : 1024 KB
physical id   : 0
siblings   : 2
core id      : 0
cpu cores   : 2
apicid      : 0
initial apicid   : 0
fpu      : yes
fpu_exception   : yes
cpuid level   : 10
wp      : yes
flags      : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti dtherm
bugs      : cpu_insecure
bogomips   : 4784.78
clflush size   : 64
cache_alignment   : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:

processor   : 1
vendor_id   : GenuineIntel
cpu family   : 6
model      : 15
model name   : Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz
stepping   : 13
microcode   : 0xa4
cpu MHz      : 1200.000
cache size   : 1024 KB
physical id   : 0
siblings   : 2
core id      : 1
cpu cores   : 2
apicid      : 1
initial apicid   : 1
fpu      : yes
fpu_exception   : yes
cpuid level   : 10
wp      : yes
flags      : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti dtherm
bugs      : cpu_insecure
bogomips   : 4784.78
clflush size   : 64
cache_alignment   : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:


As I said before, I compiled the source with "gcc Source.c"
Now that I think of it I didn't compile on that other partition the source, just executed it, which might be the problem, I'll try it later.

Edit: I compiled it with gcc 6.4.0 and it was the same result, so I guess Spectre isn't working on old Intel CPUs, or maybe this PoC isn't, hard to tell.


Last edited by kajzer on Fri Jan 05, 2018 1:38 am; edited 1 time in total
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7251
Location: almost Mile High in the USA

PostPosted: Fri Jan 05, 2018 1:16 am    Post subject: Reply with quote

The PoC seems not to be clean for generic x86 as it uses clflush and rdtsc, so watch out for those older machines...
Also seems to be problems with my rdtsc on qemu KVM, so that bombs out.

Works scarily fine on 64-bit on an i7.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1715

PostPosted: Fri Jan 05, 2018 1:26 am    Post subject: Reply with quote

Well, I complied it on my AMD A10-7850k (APU) system, and it appears to not be vulnerable to this issue.
Note: I did not do anything special to compile it, beyond a straight gcc Source.c using gcc-7.2.0.
Code:
ct85711@Oate ~/tmp/spectre-attack $ ./a.out
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfedd8... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedd9... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedda... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddb... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddc... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddd... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedde... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeddf... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede0... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede1... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede2... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede3... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede4... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede5... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede6... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede7... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede8... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfede9... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedea... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedeb... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedec... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfeded... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedee... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedef... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf0... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf1... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf2... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf3... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf4... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf5... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf6... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf7... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf8... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedf9... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfa... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfb... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfc... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfd... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedfe... Success: 0xFF=’?’ score=0
Reading at malicious_x = 0xffffffffffdfedff... Success: 0xFF=’?’ score=0

ct85711@Oate ~/tmp/spectre-attack $ cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 21
model           : 48
model name      : AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G
stepping        : 1
microcode       : 0x6003104
cpu MHz         : 3700.000
cache size      : 2048 KB
...
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 195

PostPosted: Fri Jan 05, 2018 2:54 am    Post subject: Reply with quote

And I was all set to go all-in on Ethereum and its web3 stuff. Dapps, if you weren't aware, are highly javascript-dependent and of course, are dealing with passphrases and private keys for which loss offers little hope of recovery.

There are some of us who were waiting to see what the powers-that-be response to crypto would be. It is known that these same people have for long worked hard to subvert the security of our computer systems and for their own gain. Now we see a very conveniently-timed reveal of just such a subversion. Total market cap of crypto recently crossed $.75T USD.
_________________
Today is the first day of the rest of your Gentoo installation.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14270

PostPosted: Fri Jan 05, 2018 3:28 am    Post subject: Reply with quote

greyspoke wrote:
So if AMD and ARM are affected by spectre, does that mean it exposes a flaw in the instruction set they are implementing? Or is there some shared code with a flaw in it?
Neither. The flaw is a design flaw in how the CPU optimizes evaluation of its native instruction set. The ISA is fine in the abstract, which is why CPUs as different as IA32/x86_64/ARM can all have a problem.
yamabiko wrote:
Is it possible to provide a patch for the current stable gentoo-sources? Manually patching it on 4.9.72 gives me an hunk fail.
Maybe, but given the invasiveness of the changes, you really want the backport to be done by somebody who has been heavily involved in the Linux kernel memory management subsystem. Some patches can be backported by anybody competent to read and write C. In my opinion, these patches are not in that category, because they deal with very complicated and subtle logic in a core kernel component. It's not enough to make the patches apply cleanly. The backport maintainer also needs to know that any prerequisite changes have been backported, and those may have been included in 4.10/4.11/4.12/4.13 kernels by other people for other purposes, and thus not marked for backporting as part of this series.
1clue wrote:
Ralphred wrote:
1clue wrote:
It would be really neat if they fixed the bug with gcc 6.4 and recent kernels. The combination of this bug and the backported kernels is really unfortunate right now.

I appreciate anecdotal evidence is mostly useless, but just built 4.14.11 with 6.4 and it's working fine, nothing funky other than the ~amd64 for the kernel in package.use
I would be happy as a clam with that, except my attempt panics inside the first second of boot. No logs written.
As a wild guess, since neither of you posted any details to confirm or refute this, Ralphred is on a non-hardened gcc and 1clue is on a hardened gcc. As discussed in another thread, the solution (if this guess is accurate) is to use a non-hardened gcc, to include -fno-stack-check, or to upgrade to a kernel that includes -fno-stack-check automatically.
sligo wrote:
Watcom wrote:
So as you can see not running untrusted code goes a long way in preventing Spectre attacks.
Does that include Javascript?
Although the browsers attempt to sandbox Javascript, clever researchers keep identifying novel ways to do things that the Javascript sandbox really ought not allow, so I would say yes, it includes not running Javascript from untrusted hosts.
Back to top
View user's profile Send private message
Ronaldlees
n00b
n00b


Joined: 14 Dec 2017
Posts: 10

PostPosted: Fri Jan 05, 2018 3:29 am    Post subject: Reply with quote

kajzer wrote:
Well, I just realized that there is only a patch for Meltdown , for Spectre there's no cure at the moment and this test is for Spectre.
It's all so confusing :)

Still... I have to figure out why it's not working on my machine (which is good , I guess :) )


They're working on a (full?partial? - don't really know) "fix" for spectre:

https://support.google.com/faqs/answer/7625886

Basically it's a compiler re-do.
Back to top
View user's profile Send private message
gengreen
Tux's lil' helper
Tux's lil' helper


Joined: 23 Dec 2017
Posts: 84

PostPosted: Fri Jan 05, 2018 6:55 am    Post subject: Reply with quote

A question remain and need some expert on this domain to give a proper answer since I haven't the sufficient knowledge in the low programming level :

This is not first time that their hardware are compromised :

- https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/
- http://news.softpedia.com/news/intel-x86-cpus-come-with-a-secret-backdoor-that-nobody-can-touch-or-disable-505347.shtml

Intel is a very big corporate and have probably multi billion of dollars, I don't get how this kind of bug can be a mistake. They have an unlimited (almost) budget, skilled dev / worker to make a product of quality.

From intel

Quote:
Is this a bug in Intel hardware or processor design?


Quote:
No. This is not a bug or a flaw in Intel products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms...


So they are saying that their product aren't responsable but it is because new exploits have just appear like some disease in certain country, a natural meteorology disaster or an experimental medicine...

We are talking about technology , purely made by human from the scratch, so typically anything resulting from the tech cannot give some unexpected result, anything can be calculated, or known since we known how the thing work at 100 %.

All this said, the question is

Is this new flaw was purely a mistake or made by purpose ?


Last edited by gengreen on Fri Jan 05, 2018 7:10 am; edited 1 time in total
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7251
Location: almost Mile High in the USA

PostPosted: Fri Jan 05, 2018 7:01 am    Post subject: Reply with quote

Should I be glad I haven't

emerge -e @world

on all my machines yet (after a new compiler is available)? Sounds like this will be needed again to work around spectre?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 195

PostPosted: Fri Jan 05, 2018 7:46 am    Post subject: Reply with quote

gengreen wrote:
Is this new flaw was purely a mistake or made by purpose ?

We should probably move this line of inquiry over to Off the Wall. Until then, look at the timing. Did Intel move their design to another country at about the same time this flaw we introduced? Has that country seen other incidents of misuse of American proprietary technology realized when corporations move their design work there? Microsomething, I think, is a very notable example. There is actually a long list of misdeeds along these lines but then too there is a taboo against discussing such things at work here that is very effective and which I don't believe many of you fully appreciate.
_________________
Today is the first day of the rest of your Gentoo installation.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7251
Location: almost Mile High in the USA

PostPosted: Fri Jan 05, 2018 8:06 am    Post subject: Reply with quote

They say that this was a problem ever since the ppro in 1994; I still have a ppro but unsure how to hack the code to test it as the PoC uses rdtsc and clflush which aren't supported by this old processor. I suspect the problem still exists but harder to ensure the code actually "worked" versus side effect of a context swap or interrupt which could invalidate the slurped data. (Anyone got this to work on a Core2, I can't seem to get rdtsc to work on my core2 machines.)

Incidentally, disabling rdtsc probably would make it harder to swipe data though it does NOT fix the problem as the problem still manifests without it.

Now the question I do have... Anyone with an Alpha and could test this, I'm curious... They say that ia64 does not have this problem (VLIW...)

[Edit] It seems rdtsc should have been available since the Pentium; so perhaps need to figure out why it's showing up as an invalid instruction...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Aiken
Apprentice
Apprentice


Joined: 22 Jan 2003
Posts: 223
Location: Toowoomba/Australia

PostPosted: Fri Jan 05, 2018 8:40 am    Post subject: Reply with quote

eccerr0r wrote:
(Anyone got this to work on a Core2, I can't seem to get rdtsc to work on my core2 machines.)
.
.
Now the question I do have... Anyone with an Alpha and could test this, I'm curious... They say that ia64 does not have this problem (VLIW...)


Do you mean rdtcs or rdtscp? C2d does have rdtsc but seems not to have rdtscp.

Awhile back I had something using __asm__ volatile ("rdtsc" : "=A" (x)); which works on c2d. If I change that to rdtscp I get Illegal Instruction. The spectre code works on my i7 7700k and i5 2500k. On both c2d and a celeron 550 both give illegal instruction on the rdtscp.

I have an 433MHz alpha that started life with nt4 but the big question, what safe place has it been put in.

edit: I changed the rdtscp to rdtsc. It runs but with the machine idle nothing found. Start running some 100% cpu processes and spectre starts finding characters but nothing like as accurate as the unmodified code on the i5 and i7. The c2d is a e8500 @ 3.16GHz.
_________________
Beware the grue.
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 130

PostPosted: Fri Jan 05, 2018 9:00 am    Post subject: Reply with quote

Naib wrote:
I just tried it on my patched BUT disabled system...


Code:

 ./a.out
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfee18... Success: 0x54=’T’ score=2
Reading at malicious_x = 0xffffffffffdfee19... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfee1a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee1b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee1c... Success: 0x4D=’M’ score=2
Reading at malicious_x = 0xffffffffffdfee1d... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee1e... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfee1f... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee20... Success: 0x63=’c’ score=2
Reading at malicious_x = 0xffffffffffdfee21... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee22... Success: 0x57=’W’ score=2
Reading at malicious_x = 0xffffffffffdfee23... Success: 0x6F=’o’ score=2
Reading at malicious_x = 0xffffffffffdfee24... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee25... Success: 0x64=’d’ score=2
Reading at malicious_x = 0xffffffffffdfee26... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee27... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee28... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee29... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee2a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee2b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee2c... Success: 0x53=’S’ score=2
Reading at malicious_x = 0xffffffffffdfee2d... Success: 0x71=’q’ score=2
Reading at malicious_x = 0xffffffffffdfee2e... Success: 0x75=’u’ score=2
Reading at malicious_x = 0xffffffffffdfee2f... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee30... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee31... Success: 0x6D=’m’ score=2
Reading at malicious_x = 0xffffffffffdfee32... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee33... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee34... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfee35... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee36... Success: 0x4F=’O’ score=2
Reading at malicious_x = 0xffffffffffdfee37... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee38... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee39... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee3a... Success: 0x66=’f’ score=2
Reading at malicious_x = 0xffffffffffdfee3b... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee3c... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee3d... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfee3e... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee3f... Success: 0x2E=’.’ score=2


This is a Ryzen setup and AMD states that this arch is susceptible to variant 1


Same situation here, PTI disabled in kernel config, and with patch from amd disabling marking AMD cpu as insecure applied.

APU a6-6310

Did you try to execute this code after magical amd microcode 17h update?
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7193

PostPosted: Fri Jan 05, 2018 9:19 am    Post subject: Reply with quote

Interresting, to read it you have to flush the cpu cache, but it's an sse2 instruction.
https://software.intel.com/en-us/cpp-compiler-18.0-developer-guide-and-reference-cacheability-support-intrinsics

So unability to use _mm_clflush doesn't protect from it, but avoid the cache flush and so avoid it.
on my affect core2 running x86 it couldn't flush its cache.
Code:
LC_ALL="C" ./a.out
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Instruction non permise


Look at that :)
Code:
LANG="C" gcc  spectre.c -march=i686
In file included from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/xmmintrin.h:1249:0,
                 from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/x86intrin.h:31,
                 from spectre.c:8:
spectre.c: In function 'readMemoryByte':
/usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/emmintrin.h:1479:1: error: inlining failed in call to always_inline '_mm_clflush': target specific option mismatch
 _mm_clflush (void const *__A)
 ^
spectre.c:57:4: error: called from here
    _mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
    ^
In file included from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/xmmintrin.h:1249:0,
                 from /usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/x86intrin.h:31,
                 from spectre.c:8:
/usr/lib/gcc/i686-pc-linux-gnu/5.4.0/include/emmintrin.h:1479:1: error: inlining failed in call to always_inline '_mm_clflush': target specific option mismatch
 _mm_clflush (void const *__A)
 ^
spectre.c:63:4: error: called from here
    _mm_clflush(&array1_size);


Code:

LANG="C" gcc  spectre.c -march=core2 && echo "good"
good


Dunno if we have another way to flush cpu cache, but disabling sse2 for now, disallow _mm_clflush
2nd problem: how to disallow an sse2 ready cpu from using sse2 at runtime :)
Back to top
View user's profile Send private message
Watcom
n00b
n00b


Joined: 12 Apr 2006
Posts: 20

PostPosted: Fri Jan 05, 2018 10:19 am    Post subject: Reply with quote

You can flush (evict) the cache by reading from a large array. It's less convenient, but still possible. It's actually described in the paper.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7193

PostPosted: Fri Jan 05, 2018 10:29 am    Post subject: Reply with quote

I knew it wasn't that easy, else it would had been made already :)

anyone also notice that pie made it worst?
when using the test program with -pie -fpie i get higher score (the program count backward, the higher the score, the fastest it has find the info), without pie i nearly always get a 2 score.
that's just for oddity, because as long as score is >0 you're doom.
(however i'm using pie with gcc 5.4, which might not be as good as 6.4)
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5956

PostPosted: Fri Jan 05, 2018 10:58 am    Post subject: Reply with quote

roki942 wrote:
Came across these:
"We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare" http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/
"Azure VMs borked following Meltdown patch, er, meltdown" https://www.theregister.co.uk/2018/01/04/azure_vms_down_following_meltdown_patch/

Quote:
The preferred phrase at present is "coordinated disclosure." "Responsible disclosure" suggests the media and security researchers have been irresponsible for reporting on this issue before Intel was ready to go public. Once we get into assigning blame, that invites terms like "responsible microarchitecture design" or "responsible sales of processors known to contain vulnerabilities" or "responsible handling of security disclosures made last June."

:lol:

https://marc.info/?l=openbsd-misc&m=118296441702631&w=2 also worth noting - OBSD called out the state of Intel's garbage QA years before things like Poulsbo, xf86-video-intel becoming abandonware, all their network card bricking fiascos, defective BIOSes, Haswell TSX, hyperthreading data leaks, this, or next week's news.
Back to top
View user's profile Send private message
JuNix
Apprentice
Apprentice


Joined: 05 Mar 2003
Posts: 216
Location: Sheffield

PostPosted: Fri Jan 05, 2018 11:00 am    Post subject: Reply with quote

I have some interesting results for my Gentoo Xen HVM

I updated my system to 4.14.11-gentoo-r2 and the PoC code produces this

Code:
johnh@flatline ~ $ gcc Source.c -o plap
johnh@flatline ~ $ ./plap
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfee68... Success: 0x54=’T’ score=2
Reading at malicious_x = 0xffffffffffdfee69... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfee6a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee6b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee6c... Success: 0x4D=’M’ score=2
Reading at malicious_x = 0xffffffffffdfee6d... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee6e... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfee6f... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee70... Success: 0x63=’c’ score=2
Reading at malicious_x = 0xffffffffffdfee71... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee72... Success: 0x57=’W’ score=2
Reading at malicious_x = 0xffffffffffdfee73... Success: 0x6F=’o’ score=2
Reading at malicious_x = 0xffffffffffdfee74... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee75... Success: 0x64=’d’ score=2
Reading at malicious_x = 0xffffffffffdfee76... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee77... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee78... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee79... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee7a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee7b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee7c... Success: 0x53=’S’ score=2
Reading at malicious_x = 0xffffffffffdfee7d... Success: 0x71=’q’ score=2
Reading at malicious_x = 0xffffffffffdfee7e... Success: 0x75=’u’ score=2
Reading at malicious_x = 0xffffffffffdfee7f... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee80... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee81... Success: 0x6D=’m’ score=2
Reading at malicious_x = 0xffffffffffdfee82... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee83... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee84... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfee85... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfee86... Success: 0x4F=’O’ score=2
Reading at malicious_x = 0xffffffffffdfee87... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee88... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfee89... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfee8a... Success: 0x66=’f’ score=2
Reading at malicious_x = 0xffffffffffdfee8b... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfee8c... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfee8d... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfee8e... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfee8f... Success: 0x2E=’.’ score=2


which is an interesting result

Code:
johnh@flatline ~ $ dmesg|grep -i isola
[    0.000000] Kernel/User page tables isolation: enabled
johnh@flatline ~ $ grep ISOLA /usr/src/linux/.config
CONFIG_PAGE_TABLE_ISOLATION=y
johnh@flatline ~ $ uname -a
Linux flatline 4.14.11-gentoo-r2 #1 SMP PREEMPT Fri Jan 5 10:41:42 GMT 2018 x86_64 Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz GenuineIntel GNU/Linux
johnh@flatline ~ $ grep -i secure /proc/cpuinfo
bugs      : cpu_insecure
bugs      : cpu_insecure


Code:
johnh@flatline ~ $ cat /proc/cpuinfo
processor   : 0
vendor_id   : GenuineIntel
cpu family   : 6
model      : 60
model name   : Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz
stepping   : 3
microcode   : 0x1d
cpu MHz      : 2699.836
cache size   : 8192 KB
physical id   : 0
siblings   : 2
core id      : 0
cpu cores   : 2
apicid      : 0
initial apicid   : 0
fpu      : yes
fpu_exception   : yes
cpuid level   : 13
wp      : yes
flags      : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush acpi mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt
bugs      : cpu_insecure
bogomips   : 5399.98
clflush size   : 64
cache_alignment   : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:

processor   : 1
vendor_id   : GenuineIntel
cpu family   : 6
model      : 60
model name   : Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz
stepping   : 3
microcode   : 0x1d
cpu MHz      : 2699.836
cache size   : 8192 KB
physical id   : 0
siblings   : 2
core id      : 1
cpu cores   : 2
apicid      : 2
initial apicid   : 2
fpu      : yes
fpu_exception   : yes
cpuid level   : 13
wp      : yes
flags      : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush acpi mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt
bugs      : cpu_insecure
bogomips   : 5399.98
clflush size   : 64
cache_alignment   : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:


So, Xen hardware virtual machines need more than a local kernel fix, they need the actual Hypervisor code patched as well? Interesting......
Back to top
View user's profile Send private message
yamabiko
n00b
n00b


Joined: 22 Jul 2017
Posts: 10

PostPosted: Fri Jan 05, 2018 11:06 am    Post subject: Reply with quote

JuNix wrote:
I have some interesting results for my Gentoo Xen HVM

I updated my system to 4.14.11-gentoo-r2 and the PoC code produces this

So, Xen hardware virtual machines need more than a local kernel fix, they need the actual Hypervisor code patched as well? Interesting......

The patch is for Meltdown, not Spectre.

Is there a PoC that works on older processors?
Both https://github.com/Eugnis/spectre-attack/ and https://github.com/gkaindl/meltdown-poc (only for OSX ?) are not working on my core2.
Back to top
View user's profile Send private message
Atom2
Apprentice
Apprentice


Joined: 01 Aug 2011
Posts: 185

PostPosted: Fri Jan 05, 2018 12:15 pm    Post subject: Reply with quote

JuNix,
JuNix wrote:
I have some interesting results for my Gentoo Xen HVM

I updated my system to 4.14.11-gentoo-r2 and the PoC code produces this

[snip]

So, Xen hardware virtual machines need more than a local kernel fix, they need the actual Hypervisor code patched as well? Interesting......
I don't think this proves anything with regards to XEN. My understanding is that HVM domUs (and 32 bit PV domUs) under XEN are not able to access data from (or in other words: data that exclusively belongs to) the hypervisor/dom0 or any other domU running under the hypervisor - and that's what XEN is and should be held accountable for.

In my view you can't hold XEN responsible for what is happening inside any domU guest. XEN just needs to make sure that nothing from one domU spills over to any other domU/the dom0 or that no single domU does have access to data from any other domU/the dom0.

Albeit XEN only provides a virtual machine environment for other systems to run inside which should be fully encapsulated from the hypervisor/dom0 and all other virtual machine environments running on the same hardware.

What's happening within any such XEN provided virtual machine environment is completely up to the operating system running therein. I would even go one step further and proclaim that XEN would be grossly wrong if it interfered with what's solely happening inside any of its domUs.

Regards Atom2
Back to top
View user's profile Send private message
Display posts from previous:   
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Goto page Previous  1, 2, 3, 4, 5 ... 21, 22, 23  Next
Page 4 of 23

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum