This repository has been archived by the owner on Oct 11, 2023. It is now read-only.

Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 #2206

Closed
niusmallnan opened this issue Jan 4, 2018 · 20 comments

@niusmallnan
Contributor

https://googleprojectzero.blogspot.hk/2018/01/reading-privileged-memory-with-side.html

So far, there are three known variants of the issue:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)
@niusmallnan niusmallnan added this to the v1.1.3 milestone Jan 4, 2018
@niusmallnan niusmallnan self-assigned this Jan 4, 2018
@mikemoate

mikemoate commented Jan 4, 2018

Updated info from http://news.softpedia.com/news/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw-519215.shtml it looks like we should take kernel 4.9.74 to mitigate CVE-2017-5754 (aka Meltdown).

@albertdb

albertdb commented Jan 4, 2018

Please, remember to backport to 1.0 LTS.

@ryansch

ryansch commented Jan 4, 2018

@niusmallnan Any way we could get this before or in place of 1.1.3? I'd like a straight security patch release.

@janeczku
Contributor

janeczku commented Jan 4, 2018

Looks like the mitigation for Meltdown (CVE-2017-5754) will land in 4.9.75 upstream: https://www.spinics.net/lists/kernel/msg2688700.html

@aemneina
Contributor

aemneina commented Jan 5, 2018

@ryansch The intent is to have this go out with ROS 1.1.3.

@ryansch

ryansch commented Jan 5, 2018

@aemneina Understood. Keep in mind that it increases the amount of new stuff I/we have to review alongside the security update before we can adopt the new version in production.

@aemneina
Contributor

aemneina commented Jan 6, 2018

1.1.3 will only contain the kernel update. Sorry, I didn't make that clear. Shipping all the changes in the originally scoped 1.1.3 + cve fix would have slowed down the release of this important fix.

@ryansch

ryansch commented Jan 6, 2018

Fantastic!

@niusmallnan niusmallnan removed this from the v1.2.0 milestone Jan 8, 2018
@albertdb

albertdb commented Jan 8, 2018

Please please please, backport to 1.0.x LTS

@mikemoate

mikemoate commented Jan 24, 2018

@niusmallnan Kernel 4.9.76 is now out and apparently has some more meltdown and spectre fixes http://news.softpedia.com/news/linux-kernels-4-14-13-4-9-76-and-4-4-111-bring-more-security-fixes-update-now-519321.shtml

@albertdb

Again, please backport kernel upgrade to RancherOS 1.0.x LTS. Thanks!

@niusmallnan
Contributor Author

niusmallnan commented Jan 24, 2018

@mikemoate
v1.1.3 has enabled KPTI with kernel 4.9.75.
v1.1.4 will use GCC (7.3) to compile the latest kernel for full Retpoline support. This can mitigate Spectre.

@albertdb

@niusmallnan Will you forget those users who put their confidence in the 1.0.x LTS version? Jumping to 1.1.x is a no-go due to Docker 1.10 being unsupported, so please tell us your plans about it including the case in which there aren't any, so we can find alternatives. Thanks.

@niusmallnan
Contributor Author

@albertdb
What are the problems if you upgrade to RancherOS v1.1.x?
If it is not required, there will not be a new 1.0.x version.

@albertdb

albertdb commented Jan 24, 2018

@niusmallnan

The problem is this: #2056
Docker 1.10 support is a must for us at the moment.

Thank you.

@albertdb

BTW, 1.0.x was announced as a Long Term Support and it was released less than a year ago.

@mikemoate

@niusmallnan thanks and understood on the kernel versions, my mistake!

@niusmallnan
Contributor Author

@albertdb
Oh, I see. Thanks for your feedback.

If only for Docker 1.10 support, you can use any RancherOS version.
You can fork your own services and customize a repository.
Refer to the following:
http://rancher.com/docs/os/v1.0/en/system-services/custom-system-services/#service-development-and-testing
https://github.com/rancher/os-services/blob/master/index.yml

We will ship v1.0.5; both Meltdown and Spectre (var. 2) fixes will be included,
because indeed a small number of users need them.
But before that, let's wait for the GCC 7.3 release.

BTW, after v1.0.5, there will not be a new 1.0.x version.

@mikemoate

Mitigations for CVE-2017-5753 (spectre_v1) are available in newer kernel releases. I think Kernel 4.9.81 (previous LTS) or Kernel 4.14.18 (current LTS) is needed.

Note #2361 will also require a kernel update, to even later versions, so solving that will address this.

@niusmallnan
Contributor Author

Test with our latest release v1.4.0-rc1:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 6 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  UNKNOWN
    * IBRS enabled for User space:  UNKNOWN
    * IBPB enabled:  UNKNOWN
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Performance impact if PTI is enabled
  * CPU supports PCID:  YES  (performance degradation with PTI will be limited)
  * CPU supports INVPCID:  YES  (performance degradation with PTI will be limited)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

Both Meltdown and Spectre have been addressed. It's been a long journey.
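An added check, not from this thread or from RancherOS, that reads the kernel's own reports from the /sys interface the checker output above relies on (/sys/devices/system/cpu/vulnerabilities), so an operator can confirm on a host that the three variants are reported as mitigated. It builds a constructed sample directory mirroring the v1.4.0-rc1 report, plus one deliberately unpatched entry, so it can be run offline.

```shell
#!/bin/sh
# Constructed example: audit the kernel's mitigation reports under
# /sys/devices/system/cpu/vulnerabilities. Each file holds one line in
# the kernel's format: "Not affected", "Vulnerable[: ...]" or
# "Mitigation: <name>" (e.g. "Mitigation: PTI" for meltdown).

# Map one sysfs status line to a short verdict.
vuln_status() {
  case "$1" in
    "Not affected"*) echo "not-affected" ;;
    "Mitigation: "*) echo "mitigated" ;;
    "Vulnerable"*)   echo "VULNERABLE" ;;
    *)               echo "unknown" ;;
  esac
}

# Print one line per entry in a vulnerabilities directory and return
# non-zero if any entry is still reported as vulnerable. The directory
# defaults to the live sysfs path; pass another path to audit a copy.
audit_dir() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    line=$(cat "$f")
    st=$(vuln_status "$line")
    printf '%-14s %-12s %s\n' "$(basename "$f")" "$st" "$line"
    if [ "$st" = "VULNERABLE" ]; then rc=1; fi
  done
  return $rc
}

# Constructed sample mirroring the v1.4.0-rc1 report above, plus one
# unpatched entry, so the audit can be exercised without a live host.
make_sample() {
  d=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$d/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
  printf 'Vulnerable\n' > "$d/unpatched_demo"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample)
  audit_dir "$sample" || echo "at least one entry still vulnerable"
  rm -rf "$sample"
fi
```

Run with `--demo` to audit the constructed sample, or with no arguments on a host to read the live sysfs directory (entries vary with kernel version).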

@niusmallnan niusmallnan added this to the v1.4.0 milestone May 15, 2018