Open vpetersson opened 4 years ago
Why are you sure it's a bug?
I used this script to check:
$ sudo sh spectre-meltdown-checker.sh
[...]
CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, STIBP: disabled, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: NO
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Kernel supports RSB filling: YES
> STATUS: NOT VULNERABLE (Full retpoline is mitigating the vulnerability)
[...]
CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
[...]
I've also upgraded the box fully:
$ sudo apt update -q && sudo apt upgrade
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Hit:5 https://packagecloud.io/wott/agent/ubuntu bionic InRelease
Fetched 252 kB in 2s (116 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
linux-image-unsigned-4.15.0-55-generic linux-modules-4.15.0-55-generic
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
@vpetersson Please run agent with --debug and post full output here.
Also are you running vagrant in some OS in Virtualbox or are you running vagrant on MacOS which uses Virtualbox?
Please run agent with --debug and post full output here.
https://gist.github.com/vpetersson/4c8b60c643c12f1e23cdf3e2000cf14b
Also are you running vagrant in some OS in Virtualbox or are you running vagrant on MacOS which uses Virtualbox?
I'm using Vagrant directly on macOS.
$ vagrant --version
Vagrant 2.2.6
@vpetersson Please post the result of
grep . /sys/devices/system/cpu/vulnerabilities/*
$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
My gut-feeling is that this is a false positive because of the VirtualBox hypervisor.
@vpetersson Look at this:
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
It says "Vulnerable", meaning that either the mitigation failed to load or it is disabled.
I don't see any mention of CVE-2018-3639 in the output of the script you've used.
My gut-feeling is that this is a false positive because of the VirtualBox hypervisor.
Can't prove or disprove it until I try an actual exploit and see what it can do in this environment. Need at least a week of hardcore hacking.
There's even a related ticket and another one. And a stackexchange question.
VirtualBox 6.0.8 exposes the following mitigations (which can be enabled using VBoxManage modifyvm):
--mds-clear-on-vm-entry on
--l1d-flush-on-vm-entry on
--spec-ctrl on
--ibpb-on-vm-exit on
--ibpb-on-vm-entry on
https://security.stackexchange.com/questions/211265/virtualbox-spectre-v4
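A small parser for that sysfs format, added here as an example (it is not the wott agent's own code), applying the reading above: anything the kernel reports as Vulnerable, including the KVM-prefixed form, counts as unmitigated. The CVE mapping covers only the CVEs named in this thread, and the sample input is the grep output posted above.

```python
import re

# Only the CVEs named in this thread are mapped; other sysfs entries stay unmapped.
SYSFS_TO_CVE = {
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "meltdown": "CVE-2017-5754",
    "spec_store_bypass": "CVE-2018-3639",
}

def classify(value):
    """Map one sysfs value to (status, detail); status is not_affected/mitigated/vulnerable/unknown."""
    v = value.strip()
    if v == "Not affected":
        return "not_affected", ""
    if v.startswith("Mitigation:"):
        return "mitigated", v[len("Mitigation:"):].strip()
    # Bare "Vulnerable", "Vulnerable: <reason>" and "KVM: Vulnerable" (itlb_multihit)
    # all mean the kernel has no active mitigation for that entry.
    if re.search(r"\bVulnerable\b", v):
        return "vulnerable", v
    return "unknown", v

def parse_grep_output(text):
    """Parse `grep . /sys/devices/system/cpu/vulnerabilities/*` output into {name: (status, detail, cve)}."""
    result = {}
    for line in text.strip().splitlines():
        # The path holds no ':' but the value may ("Mitigation: PTI"), so split once.
        path, _, value = line.partition(":")
        name = path.rsplit("/", 1)[-1]
        status, detail = classify(value)
        result[name] = (status, detail, SYSFS_TO_CVE.get(name))
    return result

def unmitigated(parsed):
    """Names of entries the kernel itself marks Vulnerable, in the order grep printed them."""
    return [name for name, (status, _, _) in parsed.items() if status == "vulnerable"]

# Constructed sample: the grep output posted earlier in this thread.
SAMPLE = """\
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
"""
```

Running `unmitigated(parse_grep_output(SAMPLE))` on the sample yields `itlb_multihit` and `spec_store_bypass`, the same two entries the agent would be right to report until the guest sees the corresponding VBoxManage mitigations.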
How to reproduce:
You will then get:
Reproduced on macOS 10.15.1 and VirtualBox 6.0.14 r133895 (Qt5.6.3)