Not vulnerable #9

Closed
lovesegfault opened this issue Jan 6, 2018 · 11 comments

@lovesegfault

When I run this I get output like such

looking for linux_proc_banner in /proc/kallsyms
cached = 75, uncached = 451, threshold 183
read ffffffffa2c00060 = 20
read ffffffffa2c00061 = 20
read ffffffffa2c00062 = 20
read ffffffffa2c00063 = 43 C
read ffffffffa2c00064 = 20
read ffffffffa2c00065 = 20
read ffffffffa2c00066 = 20
read ffffffffa2c00067 = 20
read ffffffffa2c00068 = 20
read ffffffffa2c00069 = 20
read ffffffffa2c0006a = 20
read ffffffffa2c0006b = 20
read ffffffffa2c0006c = 20
read ffffffffa2c0006d = 20
read ffffffffa2c0006e = 20
read ffffffffa2c0006f = 20
NOT VULNERABLE

What does this mean? I'm fairly sure my CPU is vulnerable.

@paboldin
Owner

paboldin commented Jan 6, 2018

What CPU do you have?

This code is just a PoC and a bad one, it might miss something.

@lovesegfault
Author

This is the output of lscpu

Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:          Little Endian
CPU(s):              8
On-line CPU(s) list: 0-7
Thread(s) per core:  2
Core(s) per socket:  4
Socket(s):           1
NUMA node(s):        1
Vendor ID:           GenuineIntel
CPU family:          6
Model:               58
Model name:          Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz
Stepping:            9
CPU MHz:             2591.367
CPU max MHz:         3600.0000
CPU min MHz:         1200.0000
BogoMIPS:            5184.68
Virtualization:      VT-x
L1d cache:           32K
L1i cache:           32K
L2 cache:            256K
L3 cache:            6144K
NUMA node0 CPU(s):   0-7
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm cpuid_fault epb pti tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm ida arat pln pts

@g00nix

g00nix commented Jan 6, 2018

It properly displays vulnerability on debian before kernel update:

root@debian:~/tmp/meltdown-exploit# ./run.sh 
looking for linux_proc_banner in /proc/kallsyms
cached = 35, uncached = 362, threshold 112
read ffffffff82a00060 = 25 %
read ffffffff82a00061 = 73 s
read ffffffff82a00062 = 20  
read ffffffff82a00063 = 76 v
read ffffffff82a00064 = 65 e
read ffffffff82a00065 = 72 r
read ffffffff82a00066 = 73 s
read ffffffff82a00067 = 69 i
read ffffffff82a00068 = 6f o
read ffffffff82a00069 = 6e n
read ffffffff82a0006a = 20  
read ffffffff82a0006b = 25 %
read ffffffff82a0006c = 73 s
read ffffffff82a0006d = 20  
read ffffffff82a0006e = 28 (
read ffffffff82a0006f = 64 d
VULNERABLE
VULNERABLE ON
4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) unknown
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
model name	: Intel Core Processor (Skylake)
stepping	: 3
microcode	: 0x1
cpu MHz		: 4008.012
cache size	: 16384 KB
physical id	: 0
root@debian:~/tmp/meltdown-exploit# apt update; apt dist-upgrade -y; reboot
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [63.0 kB]
Ign:2 http://ftp.ro.debian.org/debian stretch InRelease                    
Get:3 http://ftp.ro.debian.org/debian stretch-updates InRelease [91.0 kB]  
Get:4 http://security.debian.org/debian-security stretch/updates/main Sources [103 kB]
Hit:5 http://ftp.ro.debian.org/debian stretch Release             
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [256 kB]
Get:8 http://security.debian.org/debian-security stretch/updates/main Translation-en [113 kB]
Fetched 627 kB in 0s (954 kB/s)                                 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-image-4.9.0-5-amd64
The following packages will be upgraded:
  linux-image-amd64 linux-libc-dev
2 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.1 MB of archives.
After this operation, 190 MB of additional disk space will be used.
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 linux-image-amd64 amd64 4.9+80+deb9u3 [6,994 B]
Get:1 http://security-cdn.debian.org stretch/updates/main amd64 linux-image-4.9.0-5-amd64 amd64 4.9.65-3+deb9u2 [38.8 MB]
Get:3 http://security-cdn.debian.org stretch/updates/main amd64 linux-libc-dev amd64 4.9.65-3+deb9u2 [1,299 kB]                                                                                                   
Fetched 40.1 MB in 9s (4,273 kB/s)                                                                                                                                                                                
Selecting previously unselected package linux-image-4.9.0-5-amd64.
(Reading database ... 34554 files and directories currently installed.)
Preparing to unpack .../linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb ...
Unpacking linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ...
Preparing to unpack .../linux-image-amd64_4.9+80+deb9u3_amd64.deb ...
Unpacking linux-image-amd64 (4.9+80+deb9u3) over (4.9+80+deb9u2) ...
Preparing to unpack .../linux-libc-dev_4.9.65-3+deb9u2_amd64.deb ...
Unpacking linux-libc-dev:amd64 (4.9.65-3+deb9u2) over (4.9.65-3+deb9u1) ...
Setting up linux-libc-dev:amd64 (4.9.65-3+deb9u2) ...
Setting up linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-4.9.0-4-amd64
I: /initrd.img.old is now a symlink to boot/initrd.img-4.9.0-4-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-4.9.0-5-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.9.0-5-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-5-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-5-amd64
Found initrd image: /boot/initrd.img-4.9.0-5-amd64
Found linux image: /boot/vmlinuz-4.9.0-4-amd64
Found initrd image: /boot/initrd.img-4.9.0-4-amd64
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
done
Setting up linux-image-amd64 (4.9+80+deb9u3) ...
Connection to 192.168.122.200 closed by remote host.
Connection to 192.168.122.200 closed.
gunix@finaldeb:~$ ssh root@192.168.122.200 
^C
gunix@finaldeb:~$ ssh root@192.168.122.200 
^C
gunix@finaldeb:~$ ssh root@192.168.122.200 
Linux debian 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jan  6 03:32:04 2018 from 192.168.122.1
root@debian:~# cd tmp/meltdown-exploit/
root@debian:~/tmp/meltdown-exploit# ls
Makefile  meltdown  meltdown.c  meltdown.o  README.md  run.sh
root@debian:~/tmp/meltdown-exploit# ./run.sh 
looking for linux_proc_banner in /proc/kallsyms
cached = 35, uncached = 352, threshold 111
read ffffffffaaa00060 = 20  
read ffffffffaaa00061 = 20  
read ffffffffaaa00062 = 20  
read ffffffffaaa00063 = 20  
read ffffffffaaa00064 = 20  
read ffffffffaaa00065 = 20  
read ffffffffaaa00066 = 20  
read ffffffffaaa00067 = 20  
read ffffffffaaa00068 = 20  
read ffffffffaaa00069 = 20  
read ffffffffaaa0006a = 20  
read ffffffffaaa0006b = 20  
read ffffffffaaa0006c = 20  
read ffffffffaaa0006d = 20  
read ffffffffaaa0006e = 20  
read ffffffffaaa0006f = 20  
NOT VULNERABLE

@lovesegfault
Author

Hmm, I am running the 4.14.11-1-zen kernel currently (Zen patchset). I wonder if KAISER/KPTI has already been enabled.

@paboldin
Owner

paboldin commented Jan 6, 2018

@bemeurer It was. Reboot with nokpti and try again.
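
The thread turns on whether KPTI was already active when the PoC printed NOT VULNERABLE. The script below is an added example, not part of the thread or of the PoC repository, that reports the KPTI state from the kernel's own interfaces and reads the PoC verdict against it. The function names `kpti_state` and `interpret` are hypothetical, and the `kaiser`/`nokaiser` spellings are included on the assumption that the kernel is a stable backport that uses them.

```shell
#!/bin/sh
# Added example (not from the PoC repository): report kernel page-table
# isolation (KPTI) state. Paths default to the live system; a test can pass
# constructed files instead.

kpti_state() {  # prints: on | off | not-affected | unknown
    local sysfs="${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}"
    local cpuinfo="${2:-/proc/cpuinfo}" cmdline="${3:-/proc/cmdline}"

    # 1. Kernels that ship the sysfs file state the mitigation directly.
    if [ -r "$sysfs" ]; then
        case "$(cat "$sysfs")" in
            "Mitigation: PTI"*) echo on; return ;;
            "Not affected"*)    echo not-affected; return ;;
            "Vulnerable"*)      echo off; return ;;
        esac
    fi
    # 2. Otherwise look for the synthetic CPU flag: "pti" on mainline,
    #    "kaiser" on some stable backports. Match whole words only.
    if grep -m1 '^[Ff]lags' "$cpuinfo" 2>/dev/null |
        tr -s ' \t:' '\n' | grep -xE 'pti|kaiser' >/dev/null; then
        echo on; return
    fi
    # 3. No flag: check whether isolation was disabled on the command line.
    if [ -r "$cmdline" ] && tr ' ' '\n' < "$cmdline" |
        grep -xE 'nopti|pti=off|nokaiser' >/dev/null; then
        echo off; return
    fi
    echo unknown
}

# How to read the PoC's verdict line ($1) given the KPTI state ($2).
interpret() {
    case "$1:$2" in
        "NOT VULNERABLE:on") echo "kernel pages unmapped by KPTI; CPU may still be affected" ;;
        "NOT VULNERABLE:not-affected") echo "CPU reported as not affected" ;;
        "VULNERABLE:"*) echo "kernel memory was readable from user space" ;;
        *) echo "inconclusive; confirm KPTI state and re-run" ;;
    esac
}

echo "KPTI: $(kpti_state)"
```

The flag parser accepts both the `flags` line of /proc/cpuinfo and the `Flags:` line printed by lscpu, so it can be pointed at a saved report as well as a live system.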

@ghost

ghost commented Jan 6, 2018

Not vulnerable as expected. Running on unpatched kernel.

processor : 0
vendor_id : AuthenticAMD
cpu family : 21
model : 2
model name : AMD FX-8370 Eight-Core Processor
stepping : 0
cpu MHz : 4013.000
cache size : 8192 KB
physical id : 0
siblings : 8

@porzione

porzione commented Jan 7, 2018

NOT VULNERABLE
Arch Linux 4.14.12-1-zen ZEN SMP PREEMPT Fri Jan 5 18:19:09 UTC 2018 x86_64
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
stepping : 9

@pm-cz

pm-cz commented Jan 7, 2018

@paboldin: maybe it would be a good idea to create an issue listing non-vulnerable CPU reports as well for future reference?

@paboldin
Owner

paboldin commented Jan 7, 2018 via email

@porzione

porzione commented Jan 7, 2018

NOT VULNERABLE
Arch Linux 4.14.12-1-zen ZEN SMP PREEMPT Fri Jan 5 18:19:09 UTC 2018 x86_64 GNU/Linux
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz
stepping : 9
microcode : 0x1c

@paboldin
Owner

paboldin commented Jan 8, 2018

Also here: #22

@paboldin paboldin closed this as completed Jan 8, 2018