SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What is the current status of mitigation in Slackware? Based on the best information I can find is this seems to be getting "mitigated" by vendor patches.
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
or wait. Slackware's patched kernel version should available soon (or it is already). Although it seems (from different posts) that 32bit kernel is a bit slow?
ah i think i was mistaken in thinking the -current kernel had been patched against spectre.
going back through my emails of the security list it looks like only 14.2 got patched. if this is the case when will -current see a patched kernel?
Fri Jan 26 03:46:16 UTC 2018
a/kernel-firmware-20180118_2a713be-noarch-1.txz: Upgraded.
a/kernel-generic-4.14.15-x86_64-1.txz: Upgraded.
a/kernel-huge-4.14.15-x86_64-1.txz: Upgraded.
a/kernel-modules-4.14.15-x86_64-1.txz: Upgraded.
ap/itstool-2.0.4-x86_64-2.txz: Rebuilt.
Fixed a memory exhaustion crash bug. Thanks to Stuart Winter.
d/gcc-7.3.0-x86_64-1.txz: Upgraded.
This compiler supports -mindirect-branch=thunk-extern, allowing full
mitigation of Spectre v2 in the kernel (when CONFIG_RETPOLINE is used).
d/gcc-brig-7.3.0-x86_64-1.txz: Upgraded.
d/gcc-g++-7.3.0-x86_64-1.txz: Upgraded.
d/gcc-gfortran-7.3.0-x86_64-1.txz: Upgraded.
d/gcc-gnat-7.3.0-x86_64-1.txz: Upgraded.
d/gcc-go-7.3.0-x86_64-1.txz: Upgraded.
d/gcc-objc-7.3.0-x86_64-1.txz: Upgraded.
d/kernel-headers-4.14.15-x86-1.txz: Upgraded.
k/kernel-source-4.14.15-noarch-1.txz: Upgraded.
.config changes (thanks to ivandi):
-CIFS_DEBUG2 n
-CIFS_DEBUG_DUMP_KEYS n
CIFS_DEBUG y -> n
CIFS_UPCALL n -> y
CIFS_XATTR n -> y
NFS_V4_1 n -> y
+CIFS_ACL y
+CIFS_POSIX y
+NFS_V4_1_IMPLEMENTATION_ID_DOMAIN "kernel.org"
+NFS_V4_1_MIGRATION n
+NFS_V4_2 n
+PNFS_BLOCK y
+PNFS_FILE_LAYOUT y
+PNFS_FLEXFILE_LAYOUT m
+SUNRPC_BACKCHANNEL y
n/curl-7.58.0-x86_64-2.txz: Rebuilt.
Recompiled using --with-libssh2, which is evidently no longer a default
option. Thanks to Markus Wiesner.
xap/mozilla-thunderbird-52.6.0-x86_64-1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/52.6.0/releasenotes/
(* Security fix *)
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
ah i think i was mistaken in thinking the -current kernel had been patched against spectre.
going back through my emails of the security list it looks like only 14.2 got patched. if this is the case when will -current see a patched kernel?
this is on an up-to-date current installation with the same tool you used
Code:
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.34+
Checking for vulnerabilities on current system
Kernel is Linux 4.14.18 #1 SMP Thu Feb 8 12:48:42 CST 2018 x86_64
CPU is Intel Xeon E312xx (Sandy Bridge)
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO (model 42 stepping 1 ucode 0x1)
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
A false sense of security is worse than no security at all, see --disclaimer
this is the results of my core2quad with 4.14.17 using spectre-meltdown-checker.sh note the vulnerability to spectre1
also in the change logs 14.2 is the only one that mentions a spectre fix
Quote:
root@slackware:~# sh ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.30
Checking for vulnerabilities against running kernel Linux 4.14.17 #2 SMP Sat Feb 3 19:50:47 CST 2018 x86_64
CPU is Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: PTI)
A false sense of security is worse than no security at all, see --disclaimer
Last edited by wigums; 02-14-2018 at 12:51 PM.
Reason: forgot stuff
[19:49:52 --> root in SA00086_Linux]$ sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 4.9.81_po1 #1 SMP Wed Feb 14 19:41:01 CET 2018 x86_64
CPU is Intel(R) Pentium(R) CPU G3420 @ 3.20GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: PTI)
A false sense of security is worse than no security at all, see --disclaimer
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,008
Rep:
Quote:
Originally Posted by wigums
this is the results of my core2quad with 4.14.17 using spectre-meltdown-checker.sh note the vulnerability to spectre1
also in the change logs 14.2 is the only one that mentions a spectre fix
protection from Spectre1 starts from 4.14.18/4.15.2 if you get sources from kernel.org.
Maybe Slackware kernels earlier than the above may be patched but release date of patched kernels corresponds (more or less) to the release of 4.14.18/4.15.2
and it was supposed to be so beautiful, it came out as always
I'm very interested in this, since I'm in the small category of users whose CPUs are apparently invulnerable. Note:
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec: NO
* Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: YES
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Running as a Xen PV DomU: NO
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
I will try the Spectre Attack Example and report back. Esp seeing as I'm on 32bit, we are a way away from full mitigation for those on 4.4.115.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
