Bug 22390

Summary: CVE-2017-5753 and CVE-2017-5715 still not addressed
Product: Mageia Reporter: Herbert Poetzl <herbert>
Component: SecurityAssignee: Kernel and Drivers maintainers <kernel>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: ghibomgx, herbert, marja11, tmb
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO
Source RPM: kernel-4.14.13-1.mga6.src.rpm CVE:
Status comment: Addressed in current kernel update candidate
Bug Depends on: 22533    
Bug Blocks:    

Description Herbert Poetzl 2018-01-14 08:55:47 CET 
Description of problem:
CVE-2017-5753 and CVE-2017-5715 are not addressed by the kernel

Version-Release number of selected component (if applicable):
kernel-4.14.13-1.mga6.src.rpm


Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
Comment 1 Thomas Backlund 2018-01-14 11:27:52 CET 
We know.
It's still being worked on upstream...

CC: (none) => tmb

Marja Van Waes 2018-01-15 08:53:27 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO
Version: 6 => Cauldron
Assignee: bugsquad => kernel
CC: (none) => marja11

David Walser 2018-01-15 21:34:36 CET

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:35:52 CET

Depends on: (none) => 22454
Status comment: (none) => Addressed in current kernel update candidate

Comment 2 Thomas Backlund 2018-02-06 14:25:18 CET 
We are getting there...

With a retpoline-aware gcc (5.5.0-1 in mga6, 7.3.0-1 in cauldron) and 4.14.17-2 kernel:


CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)


CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)


CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

Depends on: 22454 => 22533

Comment 3 Giuseppe Ghibò 2018-02-09 01:51:14 CET 
I get:

Kernel supports Page Table Isolation (PTI):  NO 

with 4.14.18-1.mga6 on 32bit i586 kernel. Is that CONFIG_PAGE_TABLE_ISOLATION is not supported on i586 arch or just missed?

CC: (none) => ghibomgx

Comment 4 Thomas Backlund 2018-02-09 08:02:57 CET 
There is no PTI on 32bit yet... there are some patches posted as RFC, but they still had some issues...
Comment 5 Thomas Backlund 2018-02-09 12:57:58 CET 
Interestingly Joerg Roedel just posted his new set for review on LKML..

It has grown from ~10 patches to 31 for now... :)
Comment 6 Thomas Backlund 2018-02-09 16:12:32 CET 
And I've now merged and pushed the pti for 32bit to cauldron as of  kernel-4.14.18-2.mga7 currently building
Comment 7 Thomas Backlund 2018-03-05 10:29:35 CET 
fixed as of:
http://advisories.mageia.org/MGASA-2018-0134.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 Herbert Poetzl 2018-03-05 11:34:27 CET 
Yay!

Thanks,
Herbert

CC: (none) => herbert