Bug 22390 - CVE-2017-5753 and CVE-2017-5715 still not addressed
Summary: CVE-2017-5753 and CVE-2017-5715 still not addressed
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Kernel and Drivers maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO
Keywords:
Depends on: 22533
Blocks:
Reported: 2018-01-14 08:55 CET by Herbert Poetzl
Modified: 2018-03-05 11:34 CET
4 users

See Also:
Source RPM: kernel-4.14.13-1.mga6.src.rpm
CVE:
Status comment: Addressed in current kernel update candidate


Attachments

Description Herbert Poetzl 2018-01-14 08:55:47 CET
Description of problem:
CVE-2017-5753 and CVE-2017-5715 are not addressed by the kernel

Version-Release number of selected component (if applicable):
kernel-4.14.13-1.mga6.src.rpm


Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
Comment 1 Thomas Backlund 2018-01-14 11:27:52 CET
We know.
It's still being worked on upstream...

CC: (none) => tmb

Marja Van Waes 2018-01-15 08:53:27 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO
Version: 6 => Cauldron
Assignee: bugsquad => kernel
CC: (none) => marja11

David Walser 2018-01-15 21:34:36 CET

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:35:52 CET

Depends on: (none) => 22454
Status comment: (none) => Addressed in current kernel update candidate

Comment 2 Thomas Backlund 2018-02-06 14:25:18 CET
We are getting there...

With a retpoline-aware gcc (5.5.0-1 in mga6, 7.3.0-1 in cauldron) and 4.14.17-2 kernel:


CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)


CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)


CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

Depends on: 22454 => 22533

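One way to perform the check that the tool output above reports as "Mitigated according to the /sys interface", as an added example that is not part of this bug report or of the checker tool: it reads the kernel's own per-CVE mitigation files under /sys/devices/system/cpu/vulnerabilities (present on the 4.14.17+ kernels discussed here), and takes an optional directory argument so it can also be run against a constructed fixture. The script name `check_vulns.sh` used for the run-when-executed guard is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the Mageia bug or the checker tool. The kernel
# exposes one file per issue; "Mitigation: ..." or "Not affected" is safe,
# "Vulnerable" or a missing file (kernel too old to report, as in the
# first comment of the bug) is treated as unmitigated.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print one line per CVE; return 0 only if every entry reports a mitigation.
# DIR defaults to the live sysfs path; pass another directory to test a fixture.
check_vulns() {
    dir=${1:-$SYSFS_VULN_DIR}
    rc=0
    for entry in \
        "CVE-2017-5753:spectre_v1" \
        "CVE-2017-5715:spectre_v2" \
        "CVE-2017-5754:meltdown"
    do
        cve=${entry%%:*}
        file=${entry#*:}
        if [ ! -r "$dir/$file" ]; then
            status="UNKNOWN (kernel does not expose $file)"
            rc=1
        else
            status=$(cat "$dir/$file")
            case $status in
                "Mitigation: "*|"Not affected") ;;
                *) rc=1 ;;
            esac
        fi
        printf '%s [%s]: %s\n' "$cve" "$file" "$status"
    done
    return $rc
}

# Constructed fixture holding the values quoted in comment 2 above.
make_fixture() {
    d=$(mktemp -d)
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "$d"
}

# When executed as check_vulns.sh, check the live kernel (or the directory
# given as first argument) and exit 1 if anything is unmitigated.
if [ "${0##*/}" = "check_vulns.sh" ]; then
    check_vulns "$@"
    exit $?
fi
```

The non-zero exit status makes the function usable as a gate in a post-update check or configuration-management run.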
Comment 3 Giuseppe Ghibò 2018-02-09 01:51:14 CET
I get:

Kernel supports Page Table Isolation (PTI):  NO 

with 4.14.18-1.mga6 on a 32-bit i586 kernel. Is it that CONFIG_PAGE_TABLE_ISOLATION is not supported on the i586 arch, or was it just missed?

CC: (none) => ghibomgx

Comment 4 Thomas Backlund 2018-02-09 08:02:57 CET
There is no PTI on 32bit yet... there are some patches posted as RFC, but they still had some issues...
Comment 5 Thomas Backlund 2018-02-09 12:57:58 CET
Interestingly Joerg Roedel just posted his new set for review on LKML..

It has grown from ~10 patches to 31 for now... :)
Comment 6 Thomas Backlund 2018-02-09 16:12:32 CET
And I've now merged and pushed the PTI for 32bit to cauldron as of kernel-4.14.18-2.mga7, currently building
Comment 7 Thomas Backlund 2018-03-05 10:29:35 CET
fixed as of:
http://advisories.mageia.org/MGASA-2018-0134.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 Herbert Poetzl 2018-03-05 11:34:27 CET
Yay!

Thanks,
Herbert

CC: (none) => herbert
