Bug 643228

Summary: [TRACKER] kernel: Meltdown and Spectre - A flaw in modern processors (CVE-2017-{5715,5753,5754})
Product: Gentoo Security Reporter: Arisu Tachibana <alicef>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ab4bd, alexander, arthur, bertrand, can.ecodo.nu.n.o+bugs.gentoo, enribnt, gentoo-bugs, gentoo-bugzilla, hjckr, hydrapolic, jasmin+gentoo, kernel, laurent, luke, mail, main.haarp, marius.brehler+gentoo, mark, mentalstring, mike, netbox253, pacho, paul, remy, soprwa, tb, trekie, tsmksubc
Priority: Normal Keywords: Tracker
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
See Also: https://bugs.gentoo.org/show_bug.cgi?id=642320
https://github.com/gentoo/gentoo/pull/6821
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 643342, 643340, 643344, 644304, 644306, 644662, 644664    
Bug Blocks:    

Comment 1 Arisu Tachibana Gentoo Infrastructure gentoo-dev 2018-01-03 14:28:28 UTC
amd not affected:
https://lkml.org/lkml/2017/12/27/2
Comment 2 Michael Hofmann 2018-01-04 00:32:11 UTC
There are 2 different types of bugs:
https://spectreattack.com
"Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown."
"In particular, we have verified Spectre on Intel, AMD, and ARM processors."
Comment 3 kfm 2018-01-04 00:39:24 UTC
Relevant CVEs:

[CVE-2017-5753] bounds check bypass 
[CVE-2017-5715] branch target injection 
[CVE-2017-5754] rogue data cache load

Of these, the first two concern Spectre and the last concerns Meltdown.
Comment 5 Arisu Tachibana Gentoo Infrastructure gentoo-dev 2018-01-04 14:56:05 UTC
workaround as now
https://github.com/torvalds/linux/commit/00a5ae218d57741088068799b810416ac249a9ce
Comment 6 Kilian 2018-01-04 18:17:17 UTC
Please consider that bug 643204 blocks the stabilization of kernel 4.14.11 for users of nvidia-drivers.
Comment 7 Stefano 2018-01-06 10:49:16 UTC
(In reply to Kilian from comment #6)
> Please consider that bug 643204 blocks the stabilization of kernel 4.14.11
> for users of nvidia-drivers.

The bugs have all already been weaponized to be simply usable from remote (javascript code in browsers in some cases).

Putting the patched kernel in stable has just become very urgent.
Comment 8 Ben 2018-01-08 02:41:06 UTC
I don't know if anyone has any ties to upstream, but currently KPTI cannot be enabled, as far as I know, for 32-bit x86 (4.14.12-gentoo).  It almost seems that no one looks at x86 32-bit anymore and worries most about 64-bit.  What can be done for 32-bit machines at this time?

One thing I was also wondering about is whether 32-bit PAE also mitigates the issue because kernel and other process pages live on a different PAE address space, forcing cache flush when switching between user<->kernel space?  I'm just guessing here and as there's no current PoC for 32-bit I don't have a way to test.  Other than having a machine that I cannot enable PAE upon, I think this is an acceptable workaround if it indeed masks the problem.
Comment 9 Thomas Beutin 2018-01-08 08:05:20 UTC
(In reply to Ben from comment #8)
> I don't know if anyone has any ties to upstream, but currently KPTI cannot
> be enabled, as far as I know, for 32-bit x86 (4.14.12-gentoo).  It almost
> seems that no one looks at x86 32-bit anymore and worries most about 64-bit.
> What can be done for 32-bit machines at this time?

At least Patrick Volkerding from Slackware and some other guys do:
https://www.linuxquestions.org/questions/slackware-14/strange-behavior-with-kernel-4-14-x-4175618207/
Comment 10 kfm 2018-01-08 11:43:06 UTC
(In reply to Ben from comment #8)
> I don't know if anyone has any ties to upstream, but currently KPTI cannot
> be enabled, as far as I know, for 32-bit x86 (4.14.12-gentoo).  It almost
> seems that no one looks at x86 32-bit anymore and worries most about 64-bit.
> What can be done for 32-bit machines at this time?

Unfortunately, the only answer right now appears to be to become a grsecurity customer:

https://twitter.com/grsecurity/status/949499167700865024
https://twitter.com/grsecurity/status/949794658720337920

Otherwise, we can only hope that someone is inclined to work on porting the KPTI patches in the near term. If this does not happen, then it could be the end of IA-32 as a credible platform. I don't see what Gentoo could do in such a case other than to urge affected users to migrate to amd64 in the published GLSAs. In the meantime, I would humbly recommend that every practical effort is made to inform i686 arch users that upgrading gentoo-sources will not mitigate CVE-2017-5715.
Comment 11 kfm 2018-01-08 12:20:41 UTC
My apologies. I meant, of course, to reference CVE-2017-5754 in the preceding comment.

Additionally, I wish to present something else for consideration. The KAISER patchset was originally intended to harden the implementation of KASLR in the Linux kernel [1] [2]. It was hastily re-purposed to address Meltdown, and re-branded as KPTI in the process. Later, Thomas Lendacky submitted a patch that prevents KPTI from being activated by default for AMD processors - a patch that gentoo-sources is now carrying. AMD's pretext is that their processors are not affected by Meltdown.

My concern over this situation is that it may put AMD processors at a disadvantage in lieu of the security issue that KAISER was originally intended to protect against. That is, KASLR may be unnecessarily weakened on AMD processors, by default. Indeed, the "Practical Timing Side Channel Attacks Against Kernel Space ASLR" whitepaper [3] specifically tested their attacks on AMD processors, which were found to be affected.

Assuming that I'm correct, AMD users who enable both CONFIG_RANDOMIZE_BASE and CONFIG_PAGE_TABLE_ISOLATION will need to explicitly pass "pti=on" as a kernel option in order to harden KASLR, whereas Intel users will not. I realise that this is a less pressing concern than attending to Meltdown, but it struck me as being worthy of mention.

[1] https://kernelnewbies.org/Linux_3.14#Kernel_address_space_randomization
[2] https://lwn.net/Articles/738975/
[3] https://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
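The state described in comments 8, 10 and 11 (PTI missing on 32-bit, PTI auto-disabled on AMD unless "pti=on" is passed) can be checked from /proc/cpuinfo and /proc/cmdline. The helper below is an added example, not something from this bug or from gentoo-sources; the function names and the sample inputs are mine, and it assumes a 4.14.11+ kernel that exposes the "pti" cpuinfo flag when page-table isolation is active.

```shell
#!/bin/sh
# Added audit helper (not from the bug thread). Classifies the kernel's PTI
# state from /proc/cpuinfo and /proc/cmdline text. Assumption: on 4.14.11+ the
# "pti" flag appears in /proc/cpuinfo when page-table isolation is active.

# pti_state CPUINFO_TEXT CMDLINE_TEXT -> prints one of:
#   enabled          PTI is active
#   off-by-cmdline   disabled by pti=off or nopti on the command line
#   off-amd-default  AMD CPU, PTI auto-disabled; pass pti=on to keep KASLR hardened
#   not-available    kernel cannot enable PTI (32-bit x86, or CONFIG_PAGE_TABLE_ISOLATION=n)
pti_state() {
    vendor=$(printf '%s\n' "$1" | sed -n 's/^vendor_id[[:space:]]*:[[:space:]]*//p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case " $flags " in
        *" pti "*) echo enabled; return 0 ;;
    esac
    case " $2 " in
        *" pti=off "*|*" nopti "*) echo off-by-cmdline; return 0 ;;
        *" pti=on "*) echo not-available; return 0 ;;  # requested, yet the kernel could not enable it
    esac
    if [ "$vendor" = "AuthenticAMD" ]; then
        echo off-amd-default
    else
        echo not-available
    fi
}

# Audit the running system (Linux only; reads the real proc files).
pti_audit_live() {
    pti_state "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)"
}

# Constructed sample inputs, not captured from a real machine.
SAMPLE_INTEL_PTI='vendor_id : GenuineIntel
flags : fpu vme de pse pti'
SAMPLE_INTEL_NOPTI='vendor_id : GenuineIntel
flags : fpu vme de pse'
SAMPLE_AMD_NOPTI='vendor_id : AuthenticAMD
flags : fpu vme de pse'

# Walk the samples with a plain command line, then an AMD box booted with pti=on.
for s in "$SAMPLE_INTEL_PTI" "$SAMPLE_INTEL_NOPTI" "$SAMPLE_AMD_NOPTI"; do
    pti_state "$s" "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro"
done
pti_state "$SAMPLE_AMD_NOPTI" "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro pti=on"
```

Run pti_audit_live on the machine in question to see which of the four states it is in.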
Comment 12 Larry the Git Cow gentoo-dev 2018-01-10 21:06:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e03d21f4c2e4d15288156a6f79a13ba924a11e6

commit 5e03d21f4c2e4d15288156a6f79a13ba924a11e6
Author:     kuzetsa <kuzetsa@gmail.com>
AuthorDate: 2018-01-10 17:27:17 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-01-10 20:57:04 +0000

    sys-kernel/ck-sources: remove 4.13.x branch (EOL)
    
    corrupts bios, lack of meltdown / spectre fixes
    
    Bug: https://bugs.gentoo.org/642026
    Bug: https://bugs.gentoo.org/643228
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 sys-kernel/ck-sources/Manifest                     |  7 ---
 sys-kernel/ck-sources/ck-sources-4.13.16-r1.ebuild | 64 ----------------------
 2 files changed, 71 deletions(-)
Comment 13 John (EBo) David 2018-01-11 04:32:58 UTC
can anyone make recommendations regarding replacement kernels?  The only three Gentoo kernels not masked out on amd64 machines are 4.9.72, 4.9.49, and 4.4.87.  
All revisions >4.14.8 are masked out.  It seems a little excessive dropping back 5 to 10 major revisions, and I am still not sure if they contain the proper patch sets.  Thanks...
Comment 14 John (EBo) David 2018-01-11 04:38:52 UTC
Sorry. I just found recommendations here: https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre

I will use one of the recommended unstable kernels.
Comment 15 Stefan Schmid 2018-01-16 15:17:34 UTC
Please add a new stabilization request to the dependency for the coming GCC 7.3 with Retpoline patches.

https://www.phoronix.com/scan.php?page=news_item&px=GCC-7-Gets-Retpolines
Comment 16 kfm 2018-02-07 04:14:16 UTC
Also, for anyone confused by the various techniques that have been devised to counter CVE-2017-5715 specifically, this post by David Woodhouse sheds considerable light on the matter, rather unlike Linus' widely publicised ranting up-thread:

https://lkml.org/lkml/2018/1/22/598
Comment 17 kfm 2018-08-15 02:41:47 UTC
At last, PTI support for x86 (32-bit) has landed:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eac341194426ba7ead3444923b9eba491ae4feeb

I have not personally verified but this should be in 4.18.
Comment 18 NATTkA bot gentoo-dev 2020-04-10 08:31:21 UTC
Unable to check for sanity:

> no match for package: x11-drivers/nvidia-drivers-390.12
Comment 19 NATTkA bot gentoo-dev 2020-04-12 19:31:06 UTC
Unable to check for sanity:

> dependent bug #644026 has errors
Comment 20 NATTkA bot gentoo-dev 2020-04-13 14:41:47 UTC
Resetting sanity check; package list is empty or all packages are done.