Meltdown and Spectre patches

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Meltdown and Spectre patches

#1 Post by n_hologram »

UPDATE:
Since the release of Meltdown and Spectre, several varieties of Debian kernels have been updated, but only amd64 processors are verifiably mitigating meltdown, and spectre remains altogether unfixed. The intent of this thread was originally to start a conversation about deterring these two particular exploits.

It is my personal belief that, in a digitally-networked world where technology vendors sell innovation as the consumer product at the cost of neglecting security, understanding the technology to which you give personal, sensitive information will not truly sustain itself as a corporate product (antivirus software, hardware/software vendors' proprietary mechanisms supported only by their own word); but, rather, will become a deep, and probably intrusive, personal responsibility.

Thank you to everyone who contributed solutions and findings. Here are some highlights of the thread thus far.

Meltdown (CVE-2017-5754)
Mainstream linux 4.14.11 (and above) features KPTI/PTI (its name has changed since last week) to mitigate against Meltdown; on older kernels, this had to be patched/backported, and few kernels (if any) are still in the works.

A profound ambiguity still surrounds the status of mitigating 32-bit processors: namely, is it even possible? News has been spreading about Linux's patches, and most websites will say a simple update/upgrade will install the patched kernel. Unfortunately, KPTI/PTI depends on a 64-bit Linux build*, and therefore, 32-bit processors (i686/pae) lack any clear mitigations against Meltdown. (This can also be verified by looking at the kernel source: make menuconfig [and search for page_table_isolation]. I'm still researching this, along with a few users here and on the MX forum, so please post your findings if something is discovered or can be better explained.) Therefore, the currently-accepted solutions of "just upgrade your system/kernel" are, as far as we know, currently moot for x86/32-bit.
Update: I reached out to the patch developer, and he confirmed that 32-bit is vulnerable.

The only way to verify if PTI is active on your system is to, as root, find it through dmesg: grepping strings like page, table, isolation, or pti (the string depends on the kernel and distro).

The effects of KPTI, although quantifiable**, are mostly unnoticeable on most desktop systems. They are more prevalent when it comes to heavy file transfer, like on servers.

Spectre (CVE-2017-{5715,5753})
As of right now, Spectre lingers unmitigated: "Spectre is harder to exploit than Meltdown, but it is also harder to mitigate." Several browsers (i.e., Firefox 57, -esr, palemoon, and opera) have implemented (or never required) their own deterrents. As with any security precautions, disabling or filtering JavaScript is recommended, along with avoiding suspicious sites and untrusted downloads (like "cool_screensaver.bin").

Looking Forward
Spectre and Meltdown Attacks Against Microprocessors
Bruce Schneier wrote: These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates...
It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.
But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.
Further Reading
Summary of the patch status for Meltdown / Spectre
spectre-meltdown-checker (Github), bash script
Spectre and Meltdown Proof-of-Concept


* Author's note: I speculate the reason it cannot run on 32-bit is because the patch "is 64bit only, as 32bit needs the TSS mapped RW." However, I lack the knowledge to verify this. If this is correct, though, it would be appreciated if kernel maintainers would just say, "your 32-bit system is still vulnerable," because a simple Google search reveals how many outlets are claiming it is patched, versus how many are (not) acknowledging that it is impossible -- in particular, 32-bit systems are completely ignored from the conversations. I would rather be wrong about this statement than falsely believe that I am running a mitigated kernel. Thank you, ritanik, for the link to the patches page.
** Internal references: dd testing reports from stevepusser and links shared by Wheelerof4te
________________________________________________
ORIGINAL POST

If any of this information is in error or outdated, please let me know.

The security tracker claims that there is a patched stretch kernel (4.9.65-3+deb9u2) to avoid meltdown, but as of this post, the packages page (along with apt-cache policy) suggests that the current version is at 4.9.65-3+deb9u1, with jessie-backport version at 4.9.65-3+deb9u1~bpo8+1 (the same thing). At the time of this posting, it appears that there is no patch for Spectre.

In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?

Unrelated: is there any information on how effective grsecurity might be for preventing this exploit?

Meltdown:
-fixed version: 4.9.65-3+deb9u2 (stretch)
https://security-tracker.debian.org/tra ... -2017-5754

Spectre:
-fixed version: none
https://security-tracker.debian.org/tra ... -2017-5753
Last edited by n_hologram on 2018-02-26 16:20, edited 14 times in total.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Meltdown and Spectre patches

#2 Post by stevepusser »

You could run this before the update to see what you get before and after, reported on the MX forums:

sandy bridge core i5
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000

4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23)

...2,45611 s, 1,0 GB/s


4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)

4,0773 s, 628 MB/s
Close to 40% degradation... I wonder if they turned off KPTI for AMD processors like the Liquorix kernel (enabled) and Arch did -- checking -- can't find it, but Debian may implement it in another way. AMD users need to report tests.
MX Linux packager and developer

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#3 Post by n_hologram »

I will certainly do so -- when Jessie is updated. :)

My stretch VM let me upgrade to 4.9.65-3+deb9u2, but the package webpage (as of now) has been down since I checked yesterday, something about an internal server error, so that threw me off. It's also pretty confusing when the spectrum of information ranges from distro security reports, and down to potential misinformation with articles like this, which report Spectre as solved following a simple update/upgrade/shutdown -r 0 -- how interesting that they beat the Debian security tracker to this finding.

In the meantime, just for funsies, I booted up a linux-libre 4.14.11 kernel, just to see if I could test whether or not KPTI is enabled, since that's supposedly a default feature on the 4.14.11 kernel and purportedly one way to mitigate Meltdown (both claims according to this article along with the github page below). Several ways to test it (i.e., grepping dmesg) report nothing, but this one yielded some results:

# grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
bugs		: cpu_insecure
[ ... ]
patched :)
Is KPTI the main thing that was patched in 4.9.65-3+deb9u2, or did the patch focus on something else?

Also a fun read:
https://github.com/hannob/meltdownspectre-patches
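The check above (grepping cpu_insecure) and the dmesg check in the first post answer two different questions: the cpuinfo flag says the CPU is affected and the kernel knows about the bug, while only dmesg, the kernel command line or the newer sysfs file say whether PTI is actually active. Combining them, as an added example that is not from this thread (the labels, the sample input and the reading of the live files are my own assumptions):

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a host's Meltdown/PTI state
# from the sources the thread discusses: the "bugs" field of /proc/cpuinfo
# (cpu_insecure on 4.14.11-era kernels, renamed cpu_meltdown in 4.15), the
# kernel command line (nopti / pti=off), the dmesg line printed by the PTI
# code ("Kernel/User page tables isolation: enabled") and, on kernels that
# have it, /sys/devices/system/cpu/vulnerabilities/meltdown.
# The labels and the constructed sample below are assumptions of this example.

# pti_state CPUINFO CMDLINE DMESG SYSFS  -> prints one label
pti_state() {
    cpuinfo=$1 cmdline=$2 dmesg=$3 sysfs=$4
    # Kernels with the sysfs file state the answer outright; trust that first.
    case "$sysfs" in
        "Not affected"*)    echo "not-affected"; return 0 ;;
        "Mitigation: PTI"*) echo "pti-active";   return 0 ;;
        "Vulnerable"*)      echo "vulnerable";   return 0 ;;
    esac
    # cpu_insecure/cpu_meltdown only says the CPU is affected and the kernel
    # knows about the bug; it does not by itself mean PTI is active.
    if ! printf '%s\n' "$cpuinfo" | grep -Eq '^bugs[[:space:]]*:.*cpu_(insecure|meltdown)'; then
        echo "unknown"; return 0     # kernel predates the flag, or CPU unlisted
    fi
    if printf '%s\n' "$cmdline" | grep -Eq '(^|[[:space:]])(nopti|pti=off)([[:space:]]|$)'; then
        echo "pti-disabled-on-cmdline"; return 0
    fi
    if printf '%s\n' "$dmesg" | grep -q 'page tables isolation: enabled'; then
        echo "pti-active"; return 0
    fi
    # Affected CPU, no disable flag, but no PTI banner either: dmesg may be
    # restricted to root (dmesg_restrict), or the running kernel lacks the backport.
    echo "affected-no-pti-evidence"
}

# Constructed sample, modelled on the /proc/cpuinfo line quoted in the post.
SAMPLE_CPUINFO='processor   : 0
model name  : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
bugs        : cpu_insecure'
SAMPLE_DMESG='[    0.000000] Kernel/User page tables isolation: enabled'

main() {
    echo "sample host (constructed): $(pti_state "$SAMPLE_CPUINFO" 'ro quiet' "$SAMPLE_DMESG" '')"
    # Live host; every read is allowed to fail (non-Linux, or dmesg restricted).
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    dmesg=$(dmesg 2>/dev/null || true)
    sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    echo "this host: $(pti_state "$cpuinfo" "$cmdline" "$dmesg" "$sysfs")"
}
main
```

Run it as root if dmesg is restricted, otherwise an affected CPU with PTI enabled can be reported as affected-no-pti-evidence.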

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Meltdown and Spectre patches

#4 Post by stevepusser »

Debian added about fifty separate patches to the 4.9 kernel to add kpti, so it's probably quite difficult to change them for the 3.16 kernel. They probably went for the stable release first. They also addressed many other issues in the update.

This is what I get on the Liquorix 4.14-11 kernel after rebuilding it with kpti enabled for Stretch:

Intel Core i5-6200U

Booted with "nopti":

2560000000 bytes (2.6 GB, 2.4 GiB) copied, 11.0231 s, 232 MB/s
Standard boot:

2560000000 bytes (2.6 GB, 2.4 GiB) copied, 12.0607 s, 212 MB/s
There is the same Liquorix kernel for Jessie in my repo, too.

PeterB
Posts: 122
Joined: 2010-10-03 16:53
Has thanked: 1 time
Been thanked: 2 times

Re: Meltdown and Spectre patches

#5 Post by PeterB »

There is a Firefox fix for Spectre. Need version >= 57.0.4
https://www.mozilla.org/en-US/security/ ... sa2018-01/

AMD processors are apparently not susceptible to Meltdown, so their users don't need the Meltdown kernel patch.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Meltdown and Spectre patches

#6 Post by stevepusser »

The version in Liquorix turns it off for AMD processors, apparently. I can't check that, though.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#7 Post by bester69 »

I won't patch it if I lose some performance. Anyway, I've never locked my own house door and I've got more chances of being hit by a car. So let's chill out!! :)
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#8 Post by Wheelerof4te »

bester69 does not need security updates. He runs his OS in a VM.
Oh, wait...

rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

#9 Post by rinatik »

KPTI depends on [x86_64] https://git.kernel.org/pub/scm/linux/ke ... 7c8080a9bf

+	nopti		[X86-64] Disable kernel page table isolation
+
 ...

+	pti=		[X86_64]
+			Control user/kernel address space isolation:
+			on - enable
+			off - disable
+			auto - default setting
+
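Review bot: the architecture tag is spelled inconsistently within the hunk: the `nopti` entry is tagged `[X86-64]` while the `pti=` entry two lines below is tagged `[X86_64]`; the second should use the hyphenated form the first entry already uses. Since the `nopti` entry ("Disable kernel page table isolation") and `pti=off` ("off - disable") describe the same effect, it would also help readers to say so in the `nopti` entry, e.g. "Equivalent to pti=off", rather than describing it separately.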
Both are working in protected mode so

I wonder why we do not see i686 kernel KPTI?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#10 Post by bester69 »

http://www.zdnet.com/article/how-linux- ... d-spectre/
The good news is that these require an attacker to have local access to the targeted system. The bad news is they could still be exploited by an ordinary user on a vulnerable computer running JavaScript code from what appeared to be an innocuous web page. This poisoned code could then read any and all data in memory.
Reading that, as a regular user I wouldn't care very much about those holes... We usually move on trusted sites; furthermore, I don't see any reason to be a targeted system, and once you close the browser, the imaginary attack would be interrupted...

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#11 Post by Head_on_a_Stick »

bester69 wrote:Reading that, as a regular user I wouldn't care very much about those holes
That is a very ignorant statement: if the KPTI patch is not applied to your system then an accidentally-opened browser pop-up tab could let an attacker read every keystroke that you make, as well as any passwords stored in your keyring.

See https://misc0110.net/web/files/keystroke_js.pdf for a practical example.
deadbang

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#12 Post by bw123 »

definitely slower on my old workhorse using stevepusser's test, but not exactly awful.

model name      : AMD Sempron(tm) Processor 3200+
Mem:           1751          31        1645           2          75        1608

booted to single user mode

dd if=/dev/zero of=/tmp/testfile bs=512 count=2500000 && sleep 3 && rm /tmp/testfile

---
Linux hostname 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3 (2017-12-03) x86_64 GNU/Linux
ten tests 1.3GB copied, range 11-13sec 100-108 MB/s
---
Linux hostname 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
ten tests 1.3GB copied, range 12-14sec 91-104 MB/s

resigned by AI ChatGPT
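The dd figures in #2 and in this post compare the same syscall-heavy write before and after the KPTI kernel. As an added example that is not from the thread (function names, rounding, the sample lines and the optional live-run flag are my own assumptions), here is a script that parses dd status lines as posted, computes the slowdown, and can repeat the run like the ten-test protocol above:

```shell
#!/bin/sh
# Added example, not from the thread. Parses dd status lines like the ones
# posted above, computes the percentage slowdown between two kernels, and can
# repeat the dd test itself. bs=512 with millions of blocks makes dd issue
# one write() per 512 bytes, so this measures kernel entry/exit cost, which
# is exactly what PTI adds, rather than disk speed. Function names, labels
# and the sample lines below are assumptions of this example.

# dd_rate_mbs "STATUS LINE" -> integer MB/s (SI units, as dd reports them).
# Uses bytes/seconds when the line carries them (more precise than the
# rounded rate dd prints) and accepts either "." or "," as decimal mark.
dd_rate_mbs() {
    printf '%s\n' "$1" | tr ',' '.' | awk '{
        secs = 0
        for (i = 2; i <= NF; i++) if ($i == "s.") secs = $(i - 1)
        if ($2 == "bytes" && secs > 0) { printf "%d\n", $1 / secs / 1e6 + 0.5; exit }
        v = $(NF - 1); u = $NF
        if (u == "GB/s") v *= 1000; else if (u == "kB/s") v /= 1000
        printf "%d\n", v + 0.5
    }'
}

# slowdown_pct BEFORE_MBS AFTER_MBS -> percent of throughput lost, rounded.
slowdown_pct() {
    awk -v b="$1" -v a="$2" 'BEGIN { printf "%d\n", (b - a) * 100 / b + 0.5 }'
}

# bench_rate COUNT -> MB/s for one dd run of COUNT 512-byte blocks into /tmp.
bench_rate() {
    f=/tmp/pti-bench.$$
    out=$(dd if=/dev/zero of="$f" bs=512 count="$1" 2>&1 >/dev/null)
    rm -f "$f"
    dd_rate_mbs "$(printf '%s\n' "$out" | tail -n 1)"
}

# Constructed samples, modelled on the two lines posted in #2.
BEFORE='2560000000 bytes (2.6 GB, 2.4 GiB) copied, 2,45611 s, 1,0 GB/s'
AFTER='2560000000 bytes (2.6 GB, 2.4 GiB) copied, 4,0773 s, 628 MB/s'

main() {
    b=$(dd_rate_mbs "$BEFORE"); a=$(dd_rate_mbs "$AFTER")
    echo "sample: $b MB/s -> $a MB/s, $(slowdown_pct "$b" "$a")% slower"
    # Optional live run: ./script --run RUNS COUNT, e.g. --run 10 500000
    if [ "${1:-}" = "--run" ]; then
        i=0
        while [ "$i" -lt "${2:-3}" ]; do
            echo "run $((i + 1)): $(bench_rate "${3:-500000}") MB/s"
            i=$((i + 1))
        done
    fi
}
main "$@"
```

Compare runs from the same boot state (single-user mode, as bw123 did) so that caching and background I/O do not swamp the few percent PTI costs.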

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#13 Post by n_hologram »

rinatik wrote:KPTI depends on [x86_64] https://git.kernel.org/pub/scm/linux/ke ... 7c8080a9bf ( ... )

Both are working in protected mode so

I wonder why we do not see i686 kernel KPTI?
Lol, wait, so 686 kernels are just completely vulnerable?

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Meltdown and Spectre patches

#14 Post by stevepusser »

bw123 wrote:definitely slower on my old workhorse using stevepusser's test, but not exactly awful.

model name      : AMD Sempron(tm) Processor 3200+
Mem:           1751          31        1645           2          75        1608

booted to single user mode

dd if=/dev/zero of=/tmp/testfile bs=512 count=2500000 && sleep 3 && rm /tmp/testfile

---
Linux hostname 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3 (2017-12-03) x86_64 GNU/Linux
ten tests 1.3GB copied, range 11-13sec 100-108 MB/s
---
Linux hostname 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
ten tests 1.3GB copied, range 12-14sec 91-104 MB/s

Since the majority opinion is leaning toward AMD processors not being exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.

Still no patches are available for Jessie's 3.16 kernel, or any of Ubuntu's releases.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#15 Post by bw123 »

stevepusser wrote: Since the majority opinion is leaning toward AMD processors not being exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.

Still no patches are available for Jessie's 3.16 kernel, or any of Ubuntu's releases.
Thanks stevepusser, I will check again with the kernel flag after running this one like it is for a few days. I am kind of old to chase after 3 or 9%. I have been using the 4.13 backport on this machine, and the performance is about the same.

It's not a network machine at all. The only time it is connected is to update from the sources.list. I use it to run a TV and a CRT, play tunes, do some graphics and bookkeeping and stuff.

Not really a big deal if it's a couple seconds slower, but I have been wishing I found one of the socket 939 athlon processors for it before they all got gone. Maybe one day...

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#16 Post by n_hologram »

stevepusser wrote:Since the majority opinion is leaning toward AMD processors not being exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.
https://www.phoronix.com/scan.php?page= ... le-x86-PTI

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#17 Post by Head_on_a_Stick »

stevepusser wrote:the majority opinion is leaning toward AMD processors not being exploitable
CVEs 2017-57{15,53} ("Spectre") still affect _all_ processor types that don't begin with S* and the KPTI patch provides only _partial_ protection for CVE-2017-5754 ("Meltdown").

AMD assures us that its processors are not susceptible to CVE-2017-5754, but they would say that, wouldn't they? :mrgreen:

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#18 Post by bw123 »

Head_on_a_Stick wrote:
stevepusser wrote:the majority opinion is leaning toward AMD processors not being exploitable
CVEs 2017-57{15,53} ("Spectre") still affect _all_ processor types that don't begin with S* and the KPTI patch provides only _partial_ protection for CVE-2017-5754 ("Meltdown").

AMD assures us that its processors are not susceptible to CVE-2017-5754, but they would say that, wouldn't they? :mrgreen:
I read another blurb somewhere or other that some of the Atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info from someone who hasn't signed any non-disclosures or retained an attorney, or sells clicks as news, let me know...

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#19 Post by bester69 »

Head_on_a_Stick wrote:
bester69 wrote:Reading that, as a regular user I wouldn't care very much about those holes
That is a very ignorant statement: if the KPTI patch is not applied to your system then an accidentally-opened browser pop-up tab could let an attacker read every keystroke that you make, as well as any passwords stored in your keyring.

See https://misc0110.net/web/files/keystroke_js.pdf for a practical example.
Then, I guess, there will be thousands of victims in the world before me. I will be waiting just in case there is some news about hundreds of users getting robbed because of Meltdown and Spectre, so that I hurry up and decide to patch. This sounds like the year 2000 effect to me. As for regular users it's all an exaggeration; regular home users haven't received strange visitors in the night since 2005 or so for Windows (around the Win7 kernel), and never for Linux in real life. It's all about common sense.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Meltdown and Spectre patches

#20 Post by dilberts_left_nut »

@bester69
This is a technical thread about this issue - not about whether you feel it's necessary or not.
Please refrain from any further OT comments.
AdrianTM wrote:There's no hacker in my grandma...
