[elrepo] Announcement: EL6 Updated kernel-ml Package Set [4.14.14-1]

Phil Perry phil at elrepo.org
Thu Jan 18 02:37:31 EST 2018 

On 18/01/18 06:02, nitnit1981 nitnit wrote:
> Hi Alan
> 
>         Looks like the compiler used has an issue. Can you please change 
> the packaging process to the new compiler .
> 
> 
> uname -r
> 
> 4.14.14-1.el6.elrepo.x86_64
> 
> sh ./spectre-meltdown-checker.sh
> 
> Spectre and Meltdown mitigation detection tool v0.24
> 
> Checking for vulnerabilities against live running kernel Linux 
> 4.14.14-1.el6.elrepo.x86_64 #1 SMP Wed Jan 17 14:39:23 EST 2018 x86_64
> 
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> 
> * *Checking count of LFENCE opcodes in kernel:  NO  (only 11 opcodes 
> found, should be >= 70)*
> 
>  > STATUS:  VULNERABLE  (heuristic to be improved when official patches 
> become available)
> 
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> 
> * Mitigation 1
> 
> *   Hardware (CPU microcode) support for mitigation:  YES
> 
> *   Kernel support for IBRS:  NO
> 
> *   IBRS enabled for Kernel space:  NO
> 
> *   IBRS enabled for User space:  NO
> 
> * Mitigation 2
> 
> *   Kernel compiled with retpoline option:  YES
> 
> * *  Kernel compiled with a retpoline-aware compiler:  NO*
> 

As the tool indicates, the compiler in RHEL does not currently support 
retpoline. These kernel packages are built on RHEL for RHEL. Updating 
the compiler may introduce a whole host of other issues so we won't be 
updating the compiler.

Support for retpoline was only added to GCC version 8 very recently 
(like a day or two ago), and there are rumours it could be backported to 
some earlier versions, but the version used on RHEL is a fair bit older 
so I have no idea if Red Hat intends to backport support or not at this 
point. If support is added, it will be used assuming that is the right 
thing to do.

>  > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with 
> retpoline are needed to mitigate the vulnerability)
> 
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> 
> * Kernel supports Page Table Isolation (PTI):  YES
> 
> * PTI enabled and active:  YES
> 
>  > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
> 
> A false sense of security is worse than no security at all, see --disclaimer
> 
>

More information about the elrepo mailing list