Description of problem:
CVE-2017-5753 and CVE-2017-5715 are not addressed by the kernel

Version-Release number of selected component (if applicable):
kernel-4.14.13-1.mga6.src.rpm

Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
We know. It's still being worked on upstream...
CC: (none) => tmb
Whiteboard: (none) => MGA6TOO, MGA5TOO
Version: 6 => Cauldron
Assignee: bugsquad => kernel
CC: (none) => marja11
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Depends on: (none) => 22454
Status comment: (none) => Addressed in current kernel update candidate
We are getting there...

With a retpoline-aware gcc (5.5.0-1 in mga6, 7.3.0-1 in cauldron) and 4.14.17-2 kernel:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
Depends on: 22454 => 22533
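The checker output above takes its verdict from the kernel's /sys interface. As an added example (not part of this bug thread and not code from the detection tool), the following shell functions read that interface directly and classify each entry; the function names and the VULN_DIR override are assumptions for illustration, and /sys/devices/system/cpu/vulnerabilities is the kernel's standard location, which the thread itself does not spell out.

```shell
#!/bin/sh
# Added example: classify the kernel's own per-CVE mitigation report.
# VULN_DIR (hypothetical override) lets the logic run against a constructed directory.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<file contents>" -> NOT_VULNERABLE | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo "NOT_VULNERABLE" ;;
        "Vulnerable"*)                  echo "VULNERABLE" ;;
        *)                              echo "UNKNOWN" ;;
    esac
}

# check_cve <sysfs file name> -> status word.
# A missing file means the kernel predates the interface (as with the
# 4.14.13 run in the report), so nothing can be concluded from it.
check_cve() {
    f="$VULN_DIR/$1"
    if [ ! -r "$f" ]; then
        echo "UNKNOWN"
        return 0
    fi
    classify_status "$(cat "$f")"
}

# report -> one line per CVE; returns 1 unless every entry is confirmed
# mitigated, so it can gate a kernel update test or a monitoring check.
report() {
    rc=0
    for pair in "CVE-2017-5753:spectre_v1" "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5754:meltdown"; do
        cve=${pair%%:*}
        name=${pair#*:}
        status=$(check_cve "$name")
        detail=$(cat "$VULN_DIR/$name" 2>/dev/null || echo "no sysfs entry")
        printf '%s %s (%s)\n' "$cve" "$status" "$detail"
        [ "$status" = "NOT_VULNERABLE" ] || rc=1
    done
    return $rc
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--report" ]; then
    report
fi
```

On a kernel without PTI, such as the 32-bit case raised later in the thread, the meltdown entry is expected to classify as VULNERABLE and `report` returns non-zero.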
I get: Kernel supports Page Table Isolation (PTI): NO with 4.14.18-1.mga6 on 32bit i586 kernel. Is it that CONFIG_PAGE_TABLE_ISOLATION is not supported on the i586 arch, or was it just missed?
CC: (none) => ghibomgx
There is no PTI on 32bit yet... there are some patches posted as RFC, but they still had some issues...
Interestingly Joerg Roedel just posted his new set for review on LKML.. It has grown from ~10 patches to 31 for now... :)
And I've now merged and pushed the pti for 32bit to cauldron as of kernel-4.14.18-2.mga7 currently building
fixed as of: http://advisories.mageia.org/MGASA-2018-0134.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Yay! Thanks, Herbert
CC: (none) => herbert