Meltdown and Spectre patches


Postby n_hologram » 2018-01-04 21:16

UPDATE:
Since the release of Meltdown and Spectre, several varieties of Debian kernels have been updated, but only amd64 processors are verifiably mitigating meltdown, and spectre remains altogether unfixed. The intent of this thread was originally to start a conversation about deterring these two particular exploits.

It is my personal belief that, in a digitally-networked world where technology vendors sell innovation as the consumer product at the cost of neglecting security, understanding the technology to which you give personal, sensitive information will not truly sustain itself as a corporate product (antivirus software, hardware/software vendors' proprietary mechanisms supported only by their own word); but, rather, will become a deep, and probably intrusive, personal responsibility.

Thank you to everyone who contributed solutions and findings. Here are some highlights of the thread thus far.

Meltdown (CVE-2017-5754)
Mainstream linux 4.14.11 (and above) features KPTI/PTI (its name has changed since last week) to mitigate against Meltdown; on older kernels, this had to be patched/backported, and few kernels (if any) are still in the works.

A profound ambiguity still surrounds the status of mitigating 32-bit processors: namely, is it even possible? News has been spreading about Linux's patches, and most websites will say a simple update/upgrade will install the patched kernel. Unfortunately, KPTI/PTI depends on a 64-bit Linux build*, and therefore, 32-bit processors (i686/pae) lack any clear mitigations against Meltdown. (This can also be verified by looking at the kernel source: make menuconfig [and search for page_table_isolation]. I'm still researching this, along with a few users here and on the MX forum, so please post your findings if something is discovered or can be better explained.) Therefore, the currently-accepted solutions of "just upgrade your system/kernel" are, as far as we know, currently moot for x86/32-bit.
Update: I reached out to the patch developer, and he confirmed that 32-bit is vulnerable.

The only way to verify if PTI is active on your system is to, as root, find it through dmesg: grepping strings like page, table, isolation, or pti (the string depends on the kernel and distro).

The effects of KPTI, although quantifiable**, are mostly unnoticeable on most desktop systems. They are more prevalent when it comes to heavy file transfer, like on servers.

Spectre (CVE-2017-{5715,5753})
As of right now, Spectre lingers unmitigated: "Spectre is harder to exploit than Meltdown, but it is also harder to mitigate." Several browsers (i.e., Firefox 57, -esr, Pale Moon, and Opera) have implemented (or never required) their own deterrents. As with any security precautions, disabling or filtering JavaScript is recommended, along with avoiding suspicious sites and untrusted downloads (like "cool_screensaver.bin").

Looking Forward
Spectre and Meltdown Attacks Against Microprocessors
Bruce Schneier wrote: These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates...
It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.
But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.


Further Reading
Summary of the patch status for Meltdown / Spectre
spectre-meltdown-checker (Github), bash script
Spectre and Meltdown Proof-of-Concept


* Author's note: I speculate the reason it cannot run on 32-bit is because the patch "is 64bit only, as 32bit needs the TSS mapped RW." However, I lack the knowledge to verify this. If this is correct, though, it would be appreciated if kernel maintainers would just say, "your 32-bit system is still vulnerable," because a simple Google search reveals how many outlets are claiming it is patched, versus how many are (not) acknowledging that it is impossible -- in particular, 32-bit systems are completely ignored from the conversations. I would rather be wrong about this statement than falsely believe that I am running a mitigated kernel. Thank you, rinatik, for the link to the patches page.
** Internal references: dd testing reports from stevepusser and links shared by Wheelerof4te
________________________________________________
ORIGINAL POST

If any of this information is in error or outdated, please let me know.

The security tracker claims that there is a patched stretch kernel (4.9.65-3+deb9u2) to avoid meltdown, but as of this post, the packages page (along with apt-cache policy) suggests that the current version is at 4.9.65-3+deb9u1, with jessie-backport version at 4.9.65-3+deb9u1~bpo8+1 (the same thing). At the time of this posting, it appears that there is no patch for Spectre.

In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?

Unrelated: is there any information on how effective grsecurity might be for preventing this exploit?

Meltdown:
-fixed version: 4.9.65-3+deb9u2 (stretch)
https://security-tracker.debian.org/tra ... -2017-5754

Spectre:
-fixed version: none
https://security-tracker.debian.org/tra ... -2017-5753
Last edited by n_hologram on 2018-02-26 16:20, edited 14 times in total.
bester69 wrote: There is nothing to install in Linux; from time to time I go to Google searching for something fresh to install in Linux, but there is nothing.

the crunkbong project: scripts, operating system, the list goes on...
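A status check in the spirit of the dmesg and /proc/cpuinfo greps described above, added here as an example and not code from the thread. It assumes only the kernel's own strings (the "bugs" line of /proc/cpuinfo carrying "cpu_insecure" or, on later kernels, "cpu_meltdown"; the boot message "Kernel/User page tables isolation: enabled"; the nopti / pti=off parameters), and every function takes a file path so it can be run against saved copies of those files.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise Meltdown/KPTI status
# from the places the thread mentions (the "bugs" line of /proc/cpuinfo,
# the PTI boot message in dmesg, the nopti / pti= boot parameters).

# cpu_flag CPUINFO -> "flagged" if the kernel marked the CPU as affected
# ("cpu_insecure" on the first patched kernels, "cpu_meltdown" later),
# else "unflagged" (unaffected CPU, or a kernel too old to report it).
cpu_flag() {
    if grep -Eq '^bugs[[:space:]]*:.*(cpu_insecure|cpu_meltdown)( |$)' "$1"; then
        echo flagged
    else
        echo unflagged
    fi
}

# pti_state DMESG -> enabled|disabled|unknown, from the boot line a
# PTI-capable kernel logs: "Kernel/User page tables isolation: enabled"
pti_state() {
    if grep -Eqi 'page tables? isolation: enabled' "$1"; then echo enabled
    elif grep -Eqi 'page tables? isolation: disabled' "$1"; then echo disabled
    else echo unknown
    fi
}

# boot_override CMDLINE -> "off" if nopti or pti=off was passed, else "none"
boot_override() {
    if grep -Eq '(^|[[:space:]])(nopti|pti=off)([[:space:]]|$)' "$1"; then
        echo off
    else
        echo none
    fi
}

# verdict CPUINFO DMESG CMDLINE -> one word. An unflagged CPU on a silent
# kernel yields "unknown", not "safe": a pre-patch kernel reports nothing.
verdict() {
    if [ "$(pti_state "$2")" = enabled ]; then
        echo mitigated
    elif [ "$(boot_override "$3")" = off ]; then
        echo unmitigated-by-boot-option
    elif [ "$(cpu_flag "$1")" = flagged ]; then
        echo unmitigated
    else
        echo unknown
    fi
}

# Live use (root): dmesg > /tmp/dmesg.txt; verdict /proc/cpuinfo /tmp/dmesg.txt /proc/cmdline
```

On kernels that expose /sys/devices/system/cpu/vulnerabilities/meltdown, that file gives the same answer in a single read.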

Re: Meltdown and Spectre patches

Postby stevepusser » 2018-01-05 02:13

You could run this before the update to see what you get before and after, reported on the MX forums:
Code:
 sandy bridge core i5
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000

4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23)

Code:
...2,45611 s, 1,0 GB/s


4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)

Code:
4,0773 s, 628 MB/s


Close to 40% degradation...I wonder if they turned off KPTI for AMD processors like the Liquorix kernel (enabled) and Arch did--checking--can't find it, but Debian may implement in another way. AMD users need to report tests.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Quod Libet 4.2.0, Pale Moon 28.2.0, wine-staging 3.20, GIMP 2.10.8, Liquorix kernel 4.18-22, Midori 6.0
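The before/after comparison above, done by script rather than by eye, as an added example that is not part of the original post: it converts the rate on dd's summary line to MB/s (accepting the decimal comma of a non-English locale, as in the output quoted above) and prints the percentage slowdown between two runs.

```shell
#!/bin/sh
# Added example, not code from the thread: convert the rate on dd's summary
# line (e.g. "...2,45611 s, 1,0 GB/s") to MB/s and compute the before/after
# slowdown. Handles the decimal comma of a non-English locale and dd's
# decimal units (1 GB/s = 1000 MB/s).

# dd_rate_mbs "LINE" -> throughput in MB/s with one decimal, or "unknown"
dd_rate_mbs() {
    printf '%s\n' "$1" | sed 's/,\([0-9]\)/.\1/g' | LC_ALL=C awk '{
        unit = $NF; val = $(NF - 1)   # last two fields: number and unit
        if (unit == "GB/s")      val *= 1000
        else if (unit == "kB/s") val /= 1000
        else if (unit != "MB/s") { print "unknown"; next }
        printf "%.1f\n", val
    }'
}

# slowdown_pct BEFORE_MBS AFTER_MBS -> percentage of throughput lost
slowdown_pct() {
    LC_ALL=C awk -v b="$1" -v a="$2" 'BEGIN { printf "%.1f\n", (b - a) * 100 / b }'
}

# compare_runs "LINE_BEFORE" "LINE_AFTER" -> one summary line
compare_runs() {
    before=$(dd_rate_mbs "$1"); after=$(dd_rate_mbs "$2")
    printf 'before %s MB/s, after %s MB/s, slowdown %s%%\n' \
        "$before" "$after" "$(slowdown_pct "$before" "$after")"
}
```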

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-05 12:49

I will certainly do so -- when Jessie is updated. :)

My stretch VM let me upgrade to 4.9.65-3+deb9u2, but the package webpage (as of now) has been down since I checked yesterday, something about an internal server error, so that threw me off. It's also pretty confusing when the spectrum of information ranges from distro security reports, and down to potential misinformation with articles like this, which report Spectre as solved following a simple update/upgrade/shutdown -r 0 -- how interesting that they beat the Debian security tracker to this finding.

In the meantime, just for funsies, I booted up a linux-libre 4.14.11 kernel, just to see if I could test whether or not KPTI is enabled, since that's supposedly a default feature on the 4.14.11 kernel and purportedly one way to mitigate Meltdown (both claims according to this article along with the github page below). Several ways to test it (i.e., grepping dmesg) report nothing, but this one yielded some results:
Code:
# grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
bugs      : cpu_insecure
[ ... ]
patched :)


Is KPTI the main thing that was patched in 4.9.65-3+deb9u2, or did the patch focus on something else?

Also a fun read:
https://github.com/hannob/meltdownspectre-patches

Re: Meltdown and Spectre patches

Postby stevepusser » 2018-01-05 17:42

Debian added about fifty separate patches to the 4.9 kernel to add kpti, so it's probably quite difficult to change them for the 3.16 kernel. They probably went for the stable release first. They also addressed many other issues in the update.

This is what I get on the Liquorix 4.14-11 kernel after rebuilding it with kpti enabled for Stretch:

Intel Core i5-6200U

Booted with "nopti":
Code:
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 11.0231 s, 232 MB/s


Standard boot:
Code:
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 12.0607 s, 212 MB/s


There is the same Liquorix kernel for Jessie in my repo, too.

Re: Meltdown and Spectre patches

Postby PeterB » 2018-01-05 20:29

There is a Firefox fix for Spectre. Need version >= 57.0.4
https://www.mozilla.org/en-US/security/ ... sa2018-01/

AMD processors are apparently not susceptible to Meltdown, so their users don't need the Meltdown kernel patch.

Re: Meltdown and Spectre patches

Postby stevepusser » 2018-01-06 00:04

The version in Liquorix turns it off for AMD processors, apparently. I can't check that, though.

Re: Meltdown and Spectre patches

Postby bester69 » 2018-01-06 11:14

I won't patch it if I lose some performance. Anyway, I've never locked my own house door and I've got more chances of being hit by a car. So let's chill out!! :)
bester69 wrote: There is nothing to install in Linux; from time to time I go to Google searching for something fresh to install in Linux, but there is nothing.

Re: Meltdown and Spectre patches

Postby Wheelerof4te » 2018-01-06 11:39

bester69 does not need security updates. He runs his OS in a VM.
Oh, wait...

Re: Meltdown and Spectre patches

Postby rinatik » 2018-01-06 16:51

KPTI depends on [x86_64] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5aa90a84589282b87666f92b6c3c917c8080a9bf

Code:
+   nopti      [X86-64] Disable kernel page table isolation
+
 ...

+   pti=      [X86_64]
+         Control user/kernel address space isolation:
+         on - enable
+         off - disable
+         auto - default setting
+
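Review bot: the architecture tag differs between the two entries, [X86-64] on the nopti line and [X86_64] on the pti= line; kernel-parameters.txt is searched by that tag, so the two entries should use the same spelling (e.g. change `pti=      [X86_64]` to `pti=      [X86-64]`). The `auto - default setting` line also says nothing about what "auto" decides on, so a reader cannot tell from the text whether isolation ends up on or off for their CPU; one clause naming the criterion would make the entry self-contained.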


Both are working in protected mode so

I wonder why we do not see i686 kernel KPTI?

Re: Meltdown and Spectre patches

Postby bester69 » 2018-01-06 17:16

http://www.zdnet.com/article/how-linux- ... d-spectre/
The good news is that these require an attacker to have local access to the targeted system. The bad news is they could still be exploited by an ordinary user on a vulnerable computer running JavaScript code from what appeared to be an innocuous web page. This poisoned code could then read any and all data in memory.

Reading that, as a regular user I wouldn't care very much about those holes... we usually move on trusted sites; furthermore, I don't see any reason to be a targeted system, and once you close the browser, the imaginary attack would be interrupted...

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-06 17:31

bester69 wrote: Reading that, as a regular user I wouldn't care very much about those holes

That is a very ignorant statement: if the KPTI patch is not applied to your system then an accidentally-opened browser pop-up tab could let an attacker read every keystroke that you make, as well as any passwords stored in your keyring.

See https://misc0110.net/web/files/keystroke_js.pdf for a practical example.
I suffer from depression and may lash out occasionally, try not to take it personally.

Re: Meltdown and Spectre patches

Postby bw123 » 2018-01-06 17:36

Definitely slower on my old workhorse using stevepusser's test, but not exactly awful.
Code:
model name      : AMD Sempron(tm) Processor 3200+
Mem:           1751          31        1645           2          75        1608

booted to single user mode

dd if=/dev/zero of=/tmp/testfile bs=512 count=2500000 && sleep 3 && rm /tmp/testfile

---
Linux hostname 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3 (2017-12-03) x86_64 GNU/Linux
ten tests 1.3GB copied, range 11-13sec 100-108 MB/s
---
Linux hostname 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
ten tests 1.3GB copied, range 12-14sec 91-104 MB/s


Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-06 19:03

rinatik wrote: KPTI depends on [x86_64] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5aa90a84589282b87666f92b6c3c917c8080a9bf ( ... )

Both are working in protected mode so

I wonder why we do not see i686 kernel KPTI?


Lol, wait, so 686 kernels are just completely vulnerable?

Re: Meltdown and Spectre patches

Postby stevepusser » 2018-01-06 19:11

bw123 wrote: Definitely slower on my old workhorse using stevepusser's test, but not exactly awful.
Code:
model name      : AMD Sempron(tm) Processor 3200+
Mem:           1751          31        1645           2          75        1608

booted to single user mode

dd if=/dev/zero of=/tmp/testfile bs=512 count=2500000 && sleep 3 && rm /tmp/testfile

---
Linux hostname 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3 (2017-12-03) x86_64 GNU/Linux
ten tests 1.3GB copied, range 11-13sec 100-108 MB/s
---
Linux hostname 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
ten tests 1.3GB copied, range 12-14sec 91-104 MB/s



Since the majority opinion is leaning toward AMD processors not being exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.

Still no patches are available for Jessie's 3.16 kernel, or any of Ubuntu's releases.

Re: Meltdown and Spectre patches

Postby bw123 » 2018-01-06 19:21

stevepusser wrote: Since the majority opinion is leaning toward AMD processors not being exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.

Still no patches are available for Jessie's 3.16 kernel, or any of Ubuntu's releases.


Thanks, stevepusser. I will check again with the kernel flag after running this one like it is for a few days. I am kind of old to chase after 3 or 9%. I have been using the 4.13 backport on this machine, and the performance is about the same.

It's not a network machine at all. The only time it is connected is to update from the sources.list. I use it to run a TV and a CRT, play tunes, do some graphics and bookkeeping and stuff.

Not really a big deal if it's a couple seconds slower, but I have been wishing I found one of the socket 939 athlon processors for it before they all got gone. Maybe one day...
