speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

Spectre Next Generation vulnerabilities (Variant 3a / Variant 4) #189

Closed ghost closed 6 years ago

ghost commented 6 years ago

There seems to be a new family of related vulnerabilities. Unfortunately, I can only find a German source: https://www.heise.de/ct/artikel/Super-GAU-fuer-Intel-Weitere-Spectre-Luecken-im-Anflug-4039134.html.

orachas commented 6 years ago

Here is an English version: https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

knweiss commented 6 years ago

Update: https://www.heise.de/security/meldung/Spectre-NG-Intel-verschiebt-die-ersten-Patches-koordinierte-Veroeffentlichung-aufgeschoben-4043790.html (German)

Brief summary: Intel postpones initial coordinated disclosure until May 21st. Next steps in July and August. New microcodes and more software patches will be required.

knweiss commented 6 years ago

Side note (in case you've missed it, too): Apart from Spectre-NG there is already a "new" Intel microcode update (20180425). It even includes Linux kernel patches and "ucode-with-caveats".

speed47 commented 6 years ago

The master branch has been updated with what's available for now (a new cpuid bit: SSBD, and a new ARCH_CAPABILITIES bit: SSBD_NO). Now waiting to see the kernel patches.

speed47 commented 6 years ago

The master branch is now able to detect SSBD-aware kernels (to-be-stable patches posted on LKML last night)

Potato-Matic commented 6 years ago

While the script correctly detects that my K10 Phenom CPU isn't vulnerable, it doesn't seem to detect/display why in a way that is entirely correct.

The script reports at the top of the output:

And for variant 4 reports: CVE-2018-3639 [speculative store bypass] aka 'Variant 4'

Full output of the script available at: https://pastebin.com/ypn4AhMy

As per http://opengrok.net/source/xref/linux/arch/x86/kernel/cpu/common.c#963 from https://www.reddit.com/r/Amd/comments/8l4p3b/amd_cpu_security_updates_speculative_store_bypass/dzeg4lo/ it seems that families 10h, 11h, and 12h are unaffected, as they do not contain a Dynamic Dependency Predictor (they predate it).

While it's true that the CPU cannot report that it is unaffected (for that AMD would have had to hire a psychic), it seems odd that the script would report this 10h CPU as initially vulnerable at the top, then give such a vague description at the bottom for the specifics. ("Not affected")

Contrast this with "IBP disabled" for variant 2 which correctly reports that the Indirect Branch Predictor has been disabled using a "non-architectural [chicken] bit" (though for that the script still reports that IBRS and IBPB are mitigating the issue, which is impossible as they don't exist without a microcode update).

It seems that the script's output on some older AMD CPUs could use a little bit of refinement.

EDIT: I suppose it seems conceivable to say "Not Affected" or "IBP Disabled" because that's the string of text the kernel reports, but it's definitely not terribly informative.

rrobgill commented 6 years ago

@Matthew-Bradley if you are able to, could you please try the code from my PR from yesterday (#202) on your system and post the results obtained. It added white-list style identification of variant 4 immunity from the Linux kernel's recently added list of immune processors.

I have received results from it on a 10h system, but not on one with the ssbd kernel fixes.

  * CPU indicates SSBD capability:  NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 0x2 family 0x10 stepping 0x3 ucode 0x10000c9 cpuid 0x100f23)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  NO
  * Vulnerable to Variant 3a:  NO
  * Vulnerable to Variant 4:  NO
* Kernel supports speculation store bypass:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

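
Added example, not code from the spectre-meltdown-checker script or from PR #202: a small POSIX sh sketch of the fallback logic discussed in this thread. It decodes the cpuid signature printed above (0x100f23) into family/model/stepping and applies the family list cited earlier (10h, 11h, 12h) only when the kernel exposes no spec_store_bypass entry in sysfs. The family list is taken from the comment, not from the kernel source, and the function names and the Intel sample signature 0x306c3 are constructed for the example.

```shell
# Decode an x86 cpuid signature (EAX of leaf 1) into family/model/stepping.
# Extended fields apply when base family is 0xF (or 0x6 for the model field).
decode_cpuid_sig() {
  sig=$(( $1 ))
  base_family=$(( (sig >> 8) & 0xF ))
  base_model=$(( (sig >> 4) & 0xF ))
  stepping=$(( sig & 0xF ))
  family=$base_family
  model=$base_model
  if [ "$base_family" -eq 15 ]; then
    family=$(( base_family + ((sig >> 20) & 0xFF) ))
  fi
  if [ "$base_family" -eq 15 ] || [ "$base_family" -eq 6 ]; then
    model=$(( (((sig >> 16) & 0xF) << 4) | base_model ))
  fi
  printf '0x%x 0x%x 0x%x\n' "$family" "$model" "$stepping"
}

# Families from the comment above (10h, 11h, 12h): no Dynamic Dependency
# Predictor, so no Variant 4. Hypothetical helper; the authoritative list is
# the kernel's table in arch/x86/kernel/cpu/common.c.
amd_family_ssb_immune() {
  case $(( $1 )) in
    16|17|18) return 0 ;;
    *)        return 1 ;;
  esac
}

# variant4_status VENDOR CPUID_SIG SYSFS
# SYSFS is the text of /sys/devices/system/cpu/vulnerabilities/spec_store_bypass,
# or "" when the file is absent (kernel without the SSBD patches). The kernel's
# verdict wins; the family list is only a fallback. Returns 0/1/2 = not
# vulnerable / vulnerable / unknown.
variant4_status() {
  vendor=$1; sig=$2; sysfs=$3
  case $sysfs in
    "") ;;
    "Not affected"|Mitigation:*)
      echo "NOT VULNERABLE (kernel: $sysfs)"; return 0 ;;
    *)
      echo "VULNERABLE (kernel: $sysfs)"; return 1 ;;
  esac
  set -- $(decode_cpuid_sig "$sig")
  if [ "$vendor" = "AuthenticAMD" ] && amd_family_ssb_immune "$1"; then
    echo "NOT VULNERABLE (AMD family $1 predates the Dynamic Dependency Predictor)"
    return 0
  fi
  echo "UNKNOWN (no kernel SSBD support and CPU not on the immune family list)"
  return 2
}
```
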
Potato-Matic commented 6 years ago

Since the commit was pulled in (about 4 hours ago), here's a quick summary of the differences:

30c30
< Vulnerable to Variant 4: NO
---
> Vulnerable to Variant 4: YES
67c67
< > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
---
> > STATUS: NOT VULNERABLE (Not affected)

Might be a little confusing which is which, but it now reports as not vulnerable to variant 4, and reports that the vendor has reported the CPU as non-vulnerable.

The full output: before: https://pastebin.com/ypn4AhMy after: https://pastebin.com/1Q9gDYaj

speed47 commented 6 years ago

As the issue seems fixed, I'm closing this. Feel free to reopen if needed!