Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3 ... 21, 22, 23  Next  
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
luiztux
n00b
n00b


Joined: 31 Aug 2015
Posts: 27
Location: /usr/portage/distfiles

PostPosted: Wed Jan 03, 2018 4:05 pm    Post subject: Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory Reply with quote

ADMIN EDIT: Please see Project:Security/Vulnerabilities/Meltdown and Spectre for details. --pjp


Hey guys, did you see this?

https://lkml.org/lkml/2017/12/4/709

https://www.google.com.br/amp/s/amp.reddit.com/r/sysadmin/comments/7nl8r0/intel_bug_incoming/
Back to top
View user's profile Send private message
Fitzcarraldo
Advocate
Advocate


Joined: 30 Aug 2008
Posts: 2052
Location: United Kingdom

PostPosted: Wed Jan 03, 2018 4:29 pm    Post subject: Major security flaw found in Intel processors Reply with quote

Happened to see this article in today's Guardian (UK) newspaper:

https://www.theguardian.com/technology/2018/jan/03/major-security-flaw-found-intel-processors-computers-windows-mac-os-linux

Haven't looked around yet. Anyone know anything more, and when firmware updates -- I assume Intel will be fixing this via firmware updates -- will be available?
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC systemd-utils[udev] elogind KDE on both.

My blog
Back to top
View user's profile Send private message
Myu
Apprentice
Apprentice


Joined: 22 Oct 2014
Posts: 164
Location: Belgium

PostPosted: Wed Jan 03, 2018 5:17 pm    Post subject: Reply with quote

Not fixable by microcode 8O

Linux 4.14.11 contains the KPTI (Kernel page table isolation) patch developped by Intel which incurs a performance hit (between 5 and 50%) to all Intel CPU users under certain workloads (syscalls will be slower)

https://www.reddit.com/r/sysadmin/comments/7nl8r0/intel_bug_incoming/

I'm not that old so this is the biggest mess I've ever seen in the IT world I guess

For reference, the kernel config option seems to be CONFIG_PAGE_TABLE_ISOLATION=y

Edit : there it is, I am on 4.14.11 ...*sigh*

Code:
cat /proc/cpuinfo | grep -i insecure
bugs      : cpu_insecure
bugs      : cpu_insecure
bugs      : cpu_insecure
bugs      : cpu_insecure
bugs      : cpu_insecure
bugs      : cpu_insecure
bugs      : cpu_insecure
bugs      : cpu_insecure


Also, nvidia-drivers-387.34 doesn't compile anymore with 4.14.11

Code:
FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'cpu_tlbstate'
make[3]: *** [/usr/src/linux-4.14.11-gentoo/scripts/Makefile.modpost:92: __modpost] Error 1

_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 9824
Location: almost Mile High in the USA

PostPosted: Wed Jan 03, 2018 7:53 pm    Post subject: Reply with quote

Lots of conflicting info out there, I think the "leak" is not a leak but accidental pseudo-privilege escalation which could result in information leakage. This is somewhat bad... however I hope I can continue to run it the way it has been running as an option for "internal" servers.

Sounds like this affects certain CPUs and perhaps only the Core-X CPUs, unsure about P4 or older.

On the bright side, from the sound of it, if you're using 32-bit and PAE, you won't see a performance hit...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Wed Jan 03, 2018 8:11 pm    Post subject: Reply with quote

Fitzcarraldo ...

more detailed information on packetstorm (though the actual exploit remains undisclosed).

best ... khay
Back to top
View user's profile Send private message
Tony0945
Watchman
Watchman


Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Wed Jan 03, 2018 8:35 pm    Post subject: Reply with quote

Watch out when updating your kernel if you have an AMD chip. Once you enable PAGE_TABLE_ISOLATION via make oldconfig you can;t turn it off with make menuconfig.

I wondered why my Athlon II was suddenly really slow launching X. I had to reboout with 4.14-10-r1 and update it again to 4.14.11 to choose "n" instead of "y" in make oldconfig.

Unless someone knows that this is needed for AMD too. Other sources on the web say this is for Intel only not AMD. But I'd like to hear it from our kernel experts.
Back to top
View user's profile Send private message
Watcom
n00b
n00b


Joined: 12 Apr 2006
Posts: 21

PostPosted: Wed Jan 03, 2018 9:36 pm    Post subject: Reply with quote

Apparently it affects every Intel CPU from the Pentium Pro onwards. Excluding the Pentium MMX which was released after the Pentium Pro in 1997.

AMD claims their CPUs are not affected, though we can only be sure after they disclose the actual bug details.

It looks quite serious though:
https://twitter.com/brainsmoke/status/948561799875502080
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 136

PostPosted: Wed Jan 03, 2018 10:12 pm    Post subject: Reply with quote

In the meantime:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

and

https://phoronix.com/scan.php?page=news_item&px=Linux-Tip-Git-Disable-x86-PTI


Last edited by PrSo on Wed Jan 03, 2018 10:17 pm; edited 1 time in total
Back to top
View user's profile Send private message
Tony0945
Watchman
Watchman


Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Wed Jan 03, 2018 10:17 pm    Post subject: Reply with quote

PrSo wrote:
In the meantime:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

P.R. damage control.
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 136

PostPosted: Wed Jan 03, 2018 10:23 pm    Post subject: Reply with quote

Tony0945 wrote:
PrSo wrote:
In the meantime:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

P.R. damage control.


exactly:

http://www.nasdaq.com/symbol/intc
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2569

PostPosted: Wed Jan 03, 2018 10:29 pm    Post subject: Reply with quote

It would be really neat if they fixed the bug with gcc 6.4 and recent kernels. The combination of this bug and the backported kernels is really unfortunate right now.
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 6065
Location: Removed by Neddy

PostPosted: Wed Jan 03, 2018 10:32 pm    Post subject: Reply with quote

PrSo wrote:
In the meantime:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

and

https://phoronix.com/scan.php?page=news_item&px=Linux-Tip-Git-Disable-x86-PTI


https://www.barrons.com/articles/amd-says-near-zero-risk-to-its-chips-1515016135

AMD Says ‘Near Zero Risk’ to Its Chips



I am playing around with rc6 to see the impact when running some large simulation BUT I am not seeing any significant degradation

Quote:
uname -a && cat /proc/cmdline

Linux fluidmotion 4.15.0-rc6 #1 SMP PREEMPT Wed Jan 3 16:07:25 GMT 2018 x86_64 AMD Ryzen 5 1600 Six-Core Processor AuthenticAMD GNU/Linux

BOOT_IMAGE=/vmlinuz-4.15.0-rc6 root=/dev/nvme0n1p2 ro video=uvesafb:1280x1024-32,mtrr:3,ywrap quiet splash libata.force=6.0 rootfstype=ext4 elevator=noop processor.max_cstate=5 pti=on


cat /proc/cpuinfo
...
bugs : sysret_ss_attrs null_seg cpu_insecure

so as expected bugs = cpu_insecure when pti=on is set YET...



uname -a && cat /proc/cmdline

Linux fluidmotion 4.15.0-rc6 #1 SMP PREEMPT Wed Jan 3 16:07:25 GMT 2018 x86_64 AMD Ryzen 5 1600 Six-Core Processor AuthenticAMD GNU/Linux

BOOT_IMAGE=/vmlinuz-4.15.0-rc6 root=/dev/nvme0n1p2 ro video=uvesafb:1280x1024-32,mtrr:3,ywrap quiet splash libata.force=6.0 rootfstype=ext4 elevator=noop processor.max_cstate=5 pti=off


cat /proc/cpuinfo
....
bugs : sysret_ss_attrs null_seg cpu_insecure



with pti=off the bug is still declared, its like it isn't being turned off in my test...

_________________
Quote:
Removed by Chiitoo
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 136

PostPosted: Wed Jan 03, 2018 10:58 pm    Post subject: Reply with quote

@Naib
agreed.

IMHO I dont think that AMD devs are lying or hiding something.
Tom Lendacky is an architect in the CPU software group on AMD and I think he knows what his statement means.

My netbook has AMD cpu, kernel 4.14.11 from repo.

I turned PTI in kernel config off, and applied patch from LKML through

Code:
/etc/portage/patches/sys-kernel/gentoo-sources/


lscpu or cat /proc/cpuinfo does not show any comment that my cpu is bugged.
Back to top
View user's profile Send private message
Zephyrus
Apprentice
Apprentice


Joined: 01 Sep 2004
Posts: 204

PostPosted: Wed Jan 03, 2018 11:29 pm    Post subject: Reply with quote

It seems that the details have now been publicly published, see for instance https://meltdownattack.com/ and https://googleprojectzero.blogspot.de/2018/01/reading-privileged-memory-with-side.html .
Back to top
View user's profile Send private message
Atom2
Apprentice
Apprentice


Joined: 01 Aug 2011
Posts: 185

PostPosted: Wed Jan 03, 2018 11:37 pm    Post subject: Reply with quote

I have just received the following Xen Security Advisory by E-Mail. In a nutshell there are three types of vulnerabilities listed, two of which are relevant for both AMD and Intel.

The third vulnerability is an Intel only issue, but, under Xen, is only relevant for 64 bit PV guests. Xen PVH and HVM guests are not affected by the third issue.

At the moment, there is no confirmed information available whether ARM is vulnerable or not.

Quote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory XSA-254

Information leak via side effects of speculative execution

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one. However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel. In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be. If the guess is correct, execution has been sped up. If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all. This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back. These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase. If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that attacker
can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

SP1, "Bounds-check bypass": Poison the branch predictor, such that
operating system or hypervisor code is speculatively executed past
boundary and security checks. This would allow an attacker to, for
instance, cause speculative code in the normal hypercall / emulation
path to execute with wild array indexes.

SP2, "Branch Target Injection": Poison the branch predictor.
Well-abstracted code often involves calling function pointers via
indirect branches; reading these function pointers may involve a
(slow) memory access, so the CPU attempts to guess where indirect
branches will lead. Poisoning this enables an attacker to
speculatively branch to any code that exists in the hypervisor.

SP3, "Rogue Data Load": On some processors, certain pagetable
permission checks only happen when the instruction is retired;
effectively meaning that speculative execution is not subject to
pagetable permission checks. On such processors, an attacker can
speculatively execute arbitrary code in userspace with, effectively,
the highest privilege level.

More information is available here:
https://meltdownattack.com/
https://spectreattack.com/

Additional Xen-specific background:

64-bit Xen hypervisors on systems with less than 5TiB of RAM map all
of physical RAM, so code speculatively executed in a hypervisor
context can read all of system RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level. (HVM and PVH guests run in a separate
address space to the hypervisor.) However, only 64-bit PV guests can
generate addresses large enough to point to hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers. For
SP1, or SP2 on systems where SMEP (supervisor mode execute protection)
is enabled: an attacker is limited to windows of code after bound
checks of user-supplied indexes. For SP2 without SMEP, or SP3, an
attacker can write arbitrary code to speculatively execute.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January. It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.

For SP3, only Intel processors are vulnerable. Furthermore, only
64-bit PV guests can exploit SP3 against Xen. PVH and 32-bit PV
guests cannot exploit SP3.

We believe that ARM is affected, but unfortunately due to the
accelerated schedule, we haven't been able to get concrete input from
ARM. We are asking ARM and will publish more information when it is
available.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.

For guests with legacy PV kernels which cannot be run in HVM mode, we
have developed a "shim" hypervisor that allows PV guests to run in PVH
mode. Unfortunately, due to the accelerated schedule, this is not yet
ready to release. We expect to have it ready for 4.10, as well as PVH
backports to 4.9 and 4.8, available over the next few days.

RESOLUTION
==========

There is no available resolution for SP1 or SP3.

We are working on patches which mitigate SP2 but these are not
currently available. Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.

When we have useful information we will send an update.

NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJaTVlQAAoJEIP+FMlX6CvZRIkH/3LGBnVPE6/4eBYwUTAZZ1bC
+PLMLiUpSZuSwxbKrt80Tuu8hXBWPvf9bTL5gwEg0IGbypLmehoRc1Xj1Ra+9U2h
PVcmyoP2rcgENSqGKqv8CKHI0xt1QqXK0hF2L7q370+3crgNAx79T+nJf11SAsnA
m3MUvi7eDm1BUf4sIYlePkVcSbxcyjcejGKr/aAwo4Ku3aInO0lgapb8kjYiMKME
wgQ9oOVLuSvkTwcOCTnJaMF3FkpFATq6VpmtbRDNkeSd8yrF3d9C/GAoPwoMt6oY
zLNBs77T5LfrQtLJ62aOeXmPcu3vZOZlTH89+1IBLef4Gs5eqD5rTfKcTc8AaPE=
=70SF
-----END PGP SIGNATURE-----


Regards Atom2
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 136

PostPosted: Wed Jan 03, 2018 11:47 pm    Post subject: Reply with quote

https://spectreattack.com/spectre.pdf

"Unlike Meltdown, the Spectre attack works on non-Intel processors, including AMD and ARM processors. Furthermore the KAISER patch, which has been widely applied as a mitigation to Meltdown attack, deos not protect against Spectre."
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3520

PostPosted: Wed Jan 03, 2018 11:54 pm    Post subject: Reply with quote

So at the moment there is no protection for Spectre? Has anyone contacted James Bond?
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22639

PostPosted: Wed Jan 03, 2018 11:59 pm    Post subject: Reply with quote

Myu: as I understand it, the initial iteration declares effectively all x86 CPUs to be affected, without trying to determine false positives. Some may not be impacted, although the speculation suggests that if you are on an Intel chip from within recent memory, you are impacted. An AMD employee asserts on LKML that AMD is unaffected. I have not seen any independent confirmation or refutation of that assertion.
Back to top
View user's profile Send private message
Ralphred
l33t
l33t


Joined: 31 Dec 2013
Posts: 653

PostPosted: Thu Jan 04, 2018 12:03 am    Post subject: Reply with quote

Hu wrote:
I have not seen any independent confirmation or refutation of that assertion.

There is a statement from AMD floating around which, at this time, says "we aren't committing to anything yet, but expect something by the end of the day" and something about waiting for researchers before commenting officially.
Back to top
View user's profile Send private message
Ralphred
l33t
l33t


Joined: 31 Dec 2013
Posts: 653

PostPosted: Thu Jan 04, 2018 12:07 am    Post subject: Reply with quote

1clue wrote:
It would be really neat if they fixed the bug with gcc 6.4 and recent kernels. The combination of this bug and the backported kernels is really unfortunate right now.

I appreciate anecdotal evidence is mostly useless, but just built 4.14.11 with 6.4 and it's working fine, nothing funky other than the ~amd64 for the kernel in package.use
Back to top
View user's profile Send private message
mike155
Advocate
Advocate


Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

PostPosted: Thu Jan 04, 2018 12:09 am    Post subject: Reply with quote

There are 2 different types of bugs: https://spectreattack.com/

The site provides scientific papers with details.
Back to top
View user's profile Send private message
KAMIKAZE_
Guru
Guru


Joined: 09 Oct 2003
Posts: 309
Location: Riga, Latvia

PostPosted: Thu Jan 04, 2018 2:50 am    Post subject: Reply with quote

Thanks, Intel, now I've made my decision: going AMD Ryzen Threadripper.
_________________
-=[powered by Gentoo]=-
Back to top
View user's profile Send private message
barophobia
Apprentice
Apprentice


Joined: 27 Apr 2004
Posts: 229
Location: somewhere

PostPosted: Thu Jan 04, 2018 4:46 am    Post subject: Reply with quote

Quote:
Thanks, Intel, now I've made my decision: going AMD Ryzen Threadripper.


AMD, Intel and ARM are all effected by the spectre attack. Different attack but still scary as hell.
_________________
An apple is an apple unless you say it is not an apple!
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 9824
Location: almost Mile High in the USA

PostPosted: Thu Jan 04, 2018 5:36 am    Post subject: Reply with quote

I need to dig up my ia64 box...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Thu Jan 04, 2018 9:23 am    Post subject: Reply with quote

They say there's no workaround, but there is: don't run arbitrary code off the network!

This is basic security! Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.
Back to top
View user's profile Send private message
Display posts from previous:   
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Goto page 1, 2, 3 ... 21, 22, 23  Next
Page 1 of 23

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum