[elrepo] kernel-lt and kernel-ml updates for Meltdown and Spectre

Wed Jan 10 17:10:43 EST 2018

On #Elrepo IRC at the moment, interesting to see my CPU + latest intel microcode download + latest elrepo kernel-ml is significantly more at-risk still:

~ [0] # uname -a
Linux nas 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

~ [0] # dmesg | grep -i micro
[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[    0.494508] microcode: sig=0x306c3, pf=0x2, revision=0x23
[    0.494918] microcode: Microcode Update Driver: v2.2.

~ [0] # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.24

Checking for vulnerabilities against live running kernel Linux 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 37 opcodes found, should be >= 70)
> STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

--
Sam McLeod
https://smcleod.net
https://twitter.com/s_mcleod

> On 11 Jan 2018, at 7:36 am, Phil Perry <phil at elrepo.org> wrote:
> 
> On 10/01/18 20:06, Phil Perry wrote:
>> A vulnerability checker script:
>> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh 
> 
> On a fully updated RHEL7 system (kernel-3.10.0-693.11.6.el7.x86_64), and after applying the latest microcode update for my CPU from Intel:
> 
> # ./spectre-meltdown-checker.sh
> Spectre and Meltdown mitigation detection tool v0.24
> 
> Checking for vulnerabilities against live running kernel Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64
> 
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Checking count of LFENCE opcodes in kernel:  YES  (112 opcodes found, which is >= 70)
> > STATUS:  NOT VULNERABLE  (heuristic to be improved when official patches become available)
> 
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigation 1
> *   Hardware (CPU microcode) support for mitigation:  YES
> *   Kernel support for IBRS:  YES
> *   IBRS enabled for Kernel space:  YES
> *   IBRS enabled for User space:  NO
> * Mitigation 2
> *   Kernel compiled with retpoline option:  NO
> *   Kernel compiled with a retpoline-aware compiler:  NO
> > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
> 
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  YES
> > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
> 
> A false sense of security is worse than no security at all, see --disclaimer
> 
> 
> Before the microcode update, it was showing as vulnerable to CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> 
> 
> _______________________________________________
> elrepo mailing list
> elrepo at lists.elrepo.org
> http://lists.elrepo.org/mailman/listinfo/elrepo

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.elrepo.org/pipermail/elrepo/attachments/20180111/7eff41de/attachment-0001.html>