speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

Acer Travelmate 2410: Vulnerable to Meltdown (Linux 4.15.2-1) #145

Closed ghost closed 6 years ago

ghost commented 6 years ago

The laptop is running openSUSE Tumbleweed, freshly updated a few minutes ago, rebooted and tested with the tool:

Spectre and Meltdown mitigation detection tool v0.34+

Checking for vulnerabilities on current system
Kernel is Linux 4.15.2-1-default #1 SMP Thu Feb 8 06:53:26 UTC 2018 (b34965a) i686
CPU is Intel(R) Celeron(R) M processor         1.50GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  YES 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  YES 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 13 stepping 8 ucode 0x20)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 32 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
* Running as a Xen PV DomU:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

On another system (i7-3770) which runs openSUSE Leap 42.3 with kernel 4.4.114-42 I get all the 3 tests NOT VULNERABLE:

Spectre and Meltdown mitigation detection tool v0.34+

Checking for vulnerabilities on current system
Kernel is Linux 4.4.114-42-default #1 SMP Tue Feb 6 10:58:10 UTC 2018 (b6ee9ae) x86_64
CPU is Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x1c)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: Barriers)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

What is the reason for the discrepancy? Isn't a newer kernel supposed to be better patched? And should I report anything to the openSUSE Bugzilla?

speed47 commented 6 years ago

This is because the first kernel you've tested is i686, not x86_64, and the PTI patch is not (yet?) available for i686 upstream (i.e. this is not an openSUSE issue, nobody has the patch for 32-bit kernels!)

ghost commented 6 years ago

Thanks for the info. Do you have any idea if patches for 32-bit kernels are planned?

knweiss commented 6 years ago

@anchev The latest patchset (and discussion): PTI support for x86_32

Don't miss this important comment from Andy Lutomirski (emphasis mine):

"One thing worth noting is that performance of this whole series is going to be abysmal due to the complete lack of 32-bit PCID. Maybe any kernel built with this option set that runs on a CPU that has the PCID bit set in CPUID should print a big fat warning like "WARNING: you are using 32-bit PTI on a 64-bit PCID-capable CPU. Your performance will increase dramatically if you switch to a 64-bit kernel.""

ghost commented 6 years ago

Thanks @knweiss. Well, there is no option for a 32-bit CPU to use a 64-bit kernel anyway, so I was just interested to know if the 32-bit kernels will be patched too. I still can't find a definite yes or no in the links (some of the things explained there are fairly complex to me) but I hope I won't have to trash this old laptop :)

knweiss commented 6 years ago

@anchev There is this fix but it's gonna be slow. People running 32-bit kernels on 64-bit capable HW (for whatever reason) should therefore make the switch to a 64-bit kernel to get better performance. This is no option for you if your CPU is 32-bit only.
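
The decision discussed in this thread, as an added example that is not part of the original comments or of spectre-meltdown-checker: it combines the kernel architecture, the CPU's lm and pcid flags and the kernel's sysfs Meltdown report into one verdict. The function name classify_pti, its result tokens and the sample flag strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a host's Meltdown/PTI state from three inputs.
#   $1  kernel architecture, as printed by `uname -m`
#   $2  CPU "flags" value from /proc/cpuinfo
#   $3  contents of /sys/devices/system/cpu/vulnerabilities/meltdown
# classify_pti and its result tokens are hypothetical names for this example.
classify_pti() {
    arch=$1; flags=" $2 "; status=$3
    # "lm" (long mode) in the flags means the CPU can run a 64-bit kernel.
    case $flags in *" lm "*) can64=yes ;; *) can64=no ;; esac
    case $arch in i?86) kernel32=yes ;; *) kernel32=no ;; esac

    case $status in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)
            # 32-bit PTI works without PCID, so a 64-bit kernel is faster
            # on CPUs that advertise it.
            case "$kernel32:$flags" in
                yes:*" pcid "*) echo "mitigated-prefer-64bit-kernel" ;;
                *)              echo "mitigated" ;;
            esac ;;
        "Vulnerable"*)
            case "$kernel32:$can64" in
                yes:yes) echo "vulnerable-switch-to-64bit-kernel" ;;
                yes:no)  echo "vulnerable-needs-32bit-pti-kernel" ;;
                *)       echo "vulnerable-enable-pti" ;;
            esac ;;
        *) echo "unknown-no-sysfs-report" ;;
    esac
}

# Constructed samples modelled on the two hosts in the thread.
classify_pti i686   "fpu vme de pse tsc msr sse2"  "Vulnerable"
classify_pti x86_64 "fpu vme lm pcid sse2"         "Mitigation: PTI"

# The running system (falls back to "unknown" where the files are absent).
live_flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
live_status=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
echo "this host: $(classify_pti "$(uname -m)" "$live_flags" "$live_status")"
```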

speed47 commented 6 years ago

Closing to tidy up the issues list a bit, feel free to reopen if needed!

ghost commented 6 years ago

Thanks!