Re: CVE-2017-5715
Hi, On Wed, Mar 23, 2022 at 11:17:41PM +0200, Georgi Naplatanov wrote: > On 3/23/22 22:43, Leandro Cunha wrote: > > Hi, > > > > On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov wrote: > >> > >> On 3/23/22 18:35, piorunz wrote: > >>> On 23/03/2022 15:41, Leandro Cunha wrote: > >>> > Please, take into consideration what is in the link and you can > consult through > it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715 > >>> > >>> Leandro, > >>> I've been on this website before I posted with spectre-meltdown-checker > >>> results. I have vulnerable status just like author of this topic. I am > >>> on intel-microcode 3.20210608.2, and by the look of it, this bug > >>> supposed to be fixed in: > >>> > >>> "intel-microcode: Some microcode updates to partially adress > >>> CVE-2017-5715 included in 3.20171215.1 > >>> Further updates in 3.20180312.1" > >>> > >>> So my version of microcode is 3-4 years newer than that. > >>> > >>> Is it microcode problem, or spectre-meltdown-checker displaying wrong > >>> information, or something else entirely? > >>> > >> > >> I want to mention that on the same computer with kernel Debian 5.10.92-2 > >> > >> spectre-meltdown-checker > >> > >> reports that the system is not vulnerable to CVE-2017-5715 > >> > >> Kind regards > >> Georgi > >> > > > > This script is reporting an already patched CVE as vulnerable. > > > Are you sure this behavior on 5.10.103-1 is not some kind of regression? > What is the evidence that vulnerability is still fixed? See: https://github.com/speed47/spectre-meltdown-checker/issues/420 (Background of this is https://www.vusec.net/projects/bhi-spectre-bhb/). Regards, Salvatore
Re: CVE-2017-5715
On 3/23/22 22:43, Leandro Cunha wrote: > Hi, > > On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov wrote: >> >> On 3/23/22 18:35, piorunz wrote: >>> On 23/03/2022 15:41, Leandro Cunha wrote: >>> Please, take into consideration what is in the link and you can consult through it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715 >>> >>> Leandro, >>> I've been on this website before I posted with spectre-meltdown-checker >>> results. I have vulnerable status just like author of this topic. I am >>> on intel-microcode 3.20210608.2, and by the look of it, this bug >>> supposed to be fixed in: >>> >>> "intel-microcode: Some microcode updates to partially adress >>> CVE-2017-5715 included in 3.20171215.1 >>> Further updates in 3.20180312.1" >>> >>> So my version of microcode is 3-4 years newer than that. >>> >>> Is it microcode problem, or spectre-meltdown-checker displaying wrong >>> information, or something else entirely? >>> >> >> I want to mention that on the same computer with kernel Debian 5.10.92-2 >> >> spectre-meltdown-checker >> >> reports that the system is not vulnerable to CVE-2017-5715 >> >> Kind regards >> Georgi >> > > This script is reporting an already patched CVE as vulnerable. Are you sure this behavior on 5.10.103-1 is not some kind of regression? What is the evidence that vulnerability is still fixed? Kind regards Georgi
Re: CVE-2017-5715
Hi, On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov wrote: > > On 3/23/22 18:35, piorunz wrote: > > On 23/03/2022 15:41, Leandro Cunha wrote: > > > >> Please, take into consideration what is in the link and you can > >> consult through > >> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715 > > > > Leandro, > > I've been on this website before I posted with spectre-meltdown-checker > > results. I have vulnerable status just like author of this topic. I am > > on intel-microcode 3.20210608.2, and by the look of it, this bug > > supposed to be fixed in: > > > > "intel-microcode: Some microcode updates to partially adress > > CVE-2017-5715 included in 3.20171215.1 > > Further updates in 3.20180312.1" > > > > So my version of microcode is 3-4 years newer than that. > > > > Is it microcode problem, or spectre-meltdown-checker displaying wrong > > information, or something else entirely? > > > > I want to mention that on the same computer with kernel Debian 5.10.92-2 > > spectre-meltdown-checker > > reports that the system is not vulnerable to CVE-2017-5715 > > Kind regards > Georgi > This script is reporting an already patched CVE as vulnerable. Just rule that out and see the link below for more information on DSA and DLA. I hope it helped with that. CVE-2017-5715: https://security-tracker.debian.org/tracker/CVE-2017-5715 -- Cheers, Leandro Cunha Software Engineer and Debian Contributor
Re: CVE-2017-5715
On 3/23/22 18:35, piorunz wrote: > On 23/03/2022 15:41, Leandro Cunha wrote: > >> Please, take into consideration what is in the link and you can >> consult through >> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715 > > Leandro, > I've been on this website before I posted with spectre-meltdown-checker > results. I have vulnerable status just like author of this topic. I am > on intel-microcode 3.20210608.2, and by the look of it, this bug > supposed to be fixed in: > > "intel-microcode: Some microcode updates to partially adress > CVE-2017-5715 included in 3.20171215.1 > Further updates in 3.20180312.1" > > So my version of microcode is 3-4 years newer than that. > > Is it microcode problem, or spectre-meltdown-checker displaying wrong > information, or something else entirely? > I want to mention that on the same computer with kernel Debian 5.10.92-2 spectre-meltdown-checker reports that the system is not vulnerable to CVE-2017-5715 Kind regards Georgi
Re: CVE-2017-5715
On 23/03/2022 15:41, Leandro Cunha wrote: Please, take into consideration what is in the link and you can consult through it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715 Leandro, I've been on this website before I posted with spectre-meltdown-checker results. I have vulnerable status just like author of this topic. I am on intel-microcode 3.20210608.2, and by the look of it, this bug supposed to be fixed in: "intel-microcode: Some microcode updates to partially adress CVE-2017-5715 included in 3.20171215.1 Further updates in 3.20180312.1" So my version of microcode is 3-4 years newer than that. Is it microcode problem, or spectre-meltdown-checker displaying wrong information, or something else entirely? -- With kindest regards, Piotr. ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/ ⠈⠳⣄
Re: CVE-2017-5715
On 3/23/22 17:41, Leandro Cunha wrote: > Hi, > > On Wed, Mar 23, 2022 at 11:47 AM Georgi Naplatanov wrote: >> >> On 3/23/22 15:58, piorunz wrote: >>> On 12/03/2022 09:48, Georgi Naplatanov wrote: >>> spectre-meltdown-checker script reports that my system is vulnerable to CVE-2017-5715. My CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz Is this normal? In the past all checks from spectre-meltdown-checker were green (my system was not vulnerable). >>> >>> Is your vulnerability shown as follows? >>> >>> CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' >>> * Mitigated according to the /sys interface: YES (Mitigation: >>> Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) >>> * Mitigation 1 >>> * Kernel is compiled with IBRS support: YES >>> * IBRS enabled and active: YES (for firmware code only) >>> * Kernel is compiled with IBPB support: YES >>> * IBPB enabled and active: YES >>> * Mitigation 2 >>> * Kernel has branch predictor hardening (arm): NO >>> * Kernel compiled with retpoline option: YES >>> * Kernel supports RSB filling: YES STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is >>> needed to mitigate the vulnerability) >>> >> >> Yes, it seems the same but to avoid possible confusion/mistake I'm >> pasting the output below: >> >> >> CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' >> * Mitigated according to the /sys interface: YES (Mitigation: >> Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) >> * Mitigation 1 >> * Kernel is compiled with IBRS support: YES >> * IBRS enabled and active: YES (for firmware code only) >> * Kernel is compiled with IBPB support: YES >> * IBPB enabled and active: YES >> * Mitigation 2 >> * Kernel has branch predictor hardening (arm): NO >> * Kernel compiled with retpoline option: YES >> * Kernel supports RSB filling: YES >>> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is >> needed to mitigate the vulnerability) >> > > Please, take into consideration what is in the link and you can consult > through > it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715 > Hey Leandro, I'm using kernel 5.10.103-1 and intel-microcode 3.20210608.2 but spectre-meltdown-checker reports that my system is vulnerable. Could you clarify what you meant? Kind regards Georgi
Re: CVE-2017-5715
Hi, On Wed, Mar 23, 2022 at 11:47 AM Georgi Naplatanov wrote: > > On 3/23/22 15:58, piorunz wrote: > > On 12/03/2022 09:48, Georgi Naplatanov wrote: > > > >> spectre-meltdown-checker script reports that my system is vulnerable to > >> CVE-2017-5715. My CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz > >> > >> Is this normal? > >> > >> In the past all checks from spectre-meltdown-checker were green (my > >> system was not vulnerable). > > > > Is your vulnerability shown as follows? > > > > CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' > > * Mitigated according to the /sys interface: YES (Mitigation: > > Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) > > * Mitigation 1 > > * Kernel is compiled with IBRS support: YES > > * IBRS enabled and active: YES (for firmware code only) > > * Kernel is compiled with IBPB support: YES > > * IBPB enabled and active: YES > > * Mitigation 2 > > * Kernel has branch predictor hardening (arm): NO > > * Kernel compiled with retpoline option: YES > > * Kernel supports RSB filling: YES > >> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is > > needed to mitigate the vulnerability) > > > > Yes, it seems the same but to avoid possible confusion/mistake I'm > pasting the output below: > > > CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' > * Mitigated according to the /sys interface: YES (Mitigation: > Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) > * Mitigation 1 > * Kernel is compiled with IBRS support: YES > * IBRS enabled and active: YES (for firmware code only) > * Kernel is compiled with IBPB support: YES > * IBPB enabled and active: YES > * Mitigation 2 > * Kernel has branch predictor hardening (arm): NO > * Kernel compiled with retpoline option: YES > * Kernel supports RSB filling: YES > > STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is > needed to mitigate the vulnerability) > Please, take into consideration what is in the link and you can consult through it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715 -- Cheers, Leandro Cunha Software Engineer and Debian Contributor⠀⠀⠀
Re: CVE-2017-5715
On 3/23/22 15:58, piorunz wrote: > On 12/03/2022 09:48, Georgi Naplatanov wrote: > >> spectre-meltdown-checker script reports that my system is vulnerable to >> CVE-2017-5715. My CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz >> >> Is this normal? >> >> In the past all checks from spectre-meltdown-checker were green (my >> system was not vulnerable). > > Is your vulnerability shown as follows? > > CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' > * Mitigated according to the /sys interface: YES (Mitigation: > Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) > * Mitigation 1 > * Kernel is compiled with IBRS support: YES > * IBRS enabled and active: YES (for firmware code only) > * Kernel is compiled with IBPB support: YES > * IBPB enabled and active: YES > * Mitigation 2 > * Kernel has branch predictor hardening (arm): NO > * Kernel compiled with retpoline option: YES > * Kernel supports RSB filling: YES >> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is > needed to mitigate the vulnerability) > Yes, it seems the same but to avoid possible confusion/mistake I'm pasting the output below: CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' * Mitigated according to the /sys interface: YES (Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES * IBRS enabled and active: YES (for firmware code only) * Kernel is compiled with IBPB support: YES * IBPB enabled and active: YES * Mitigation 2 * Kernel has branch predictor hardening (arm): NO * Kernel compiled with retpoline option: YES * Kernel supports RSB filling: YES > STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)
Re: CVE-2017-5715
On 12/03/2022 09:48, Georgi Naplatanov wrote: spectre-meltdown-checker script reports that my system is vulnerable to CVE-2017-5715. My CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz Is this normal? In the past all checks from spectre-meltdown-checker were green (my system was not vulnerable). Is your vulnerability shown as follows? CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' * Mitigated according to the /sys interface: YES (Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES * IBRS enabled and active: YES (for firmware code only) * Kernel is compiled with IBPB support: YES * IBPB enabled and active: YES * Mitigation 2 * Kernel has branch predictor hardening (arm): NO * Kernel compiled with retpoline option: YES * Kernel supports RSB filling: YES > STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability) -- With kindest regards, Piotr. ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/ ⠈⠳⣄