Get the most out of your Centmin Mod LEMP stack
Become a Member

Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Update: CentOS 6.x and 7.x have Linux Kernel related updates available for fixing some of these flaws. There maybe further updates later on so keep an eye on this thread or watch/subscribe for updates. After updating Kernels you will need to reboot your server.

    January 18, 2018 Update:

    Looks like new firmware and microcode updates are available on Redhat/CentOS 6/7 at least Red Hat Customer Portal

    Code (Text):
    yum list updates -q
    Updated Packages
    linux-firmware.noarch                                    20170606-58.gitc990aae.el7_4                                     updates
    microcode_ctl.x86_64                                     2:2.1-22.5.el7_4                                                 updates
    


    Yup update
    Code (Text):
    yum -y update
    


    CentOS 6
    Code (Text):
    yum list updates -q | tr -s ' '
    Updated Packages
    kernel.x86_64 2.6.32-696.18.7.el6 updates
    kernel-devel.x86_64 2.6.32-696.18.7.el6 updates
    kernel-firmware.noarch 2.6.32-696.18.7.el6 updates
    kernel-headers.x86_64 2.6.32-696.18.7.el6 updates
    

    CentOS 7
    Code (Text):
    yum list updates -q | tr -s ' '
    Updated Packages
    kernel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-devel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-headers.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools-libs.x86_64 3.10.0-693.11.6.el7 updates
    linux-firmware.noarch 20170606-57.gitc990aae.el7 updates
    microcode_ctl.x86_64 2:2.1-22.2.el7 updates
    python-perf.x86_64 3.10.0-693.11.6.el7 updates
    

    If on dedicated servers instead of VPS, you may have additional yum updates for iwl****-firmware related packages.

    To check installed Kernel after reboot
    Code (Text):
    uname -r
    3.10.0-693.11.6.el7.x86_64
    


    Ouch not good for anyone using Intel processors as the fix may slow down Intel cpus by up to 30% :( Details 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign


    AMD processors not affected though
    Update: officially called Meltdown and Spectre
     
    Last edited: Jan 5, 2018
  2. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:24 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    So a 64bit Cpu ( i think that most servers are using them) will be ok?

    Is there any list of the affected cpus?
     
  3. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    no Intel x86 refers to architecture so 32bit/64bit

    looks like all Intel cpus are affected.

    checked my i7 4790K OVH server has PCID look for pcid in flags line
    Code (Text):
    cat /proc/cpuinfo
    
    processor       : 7
    vendor_id       : GenuineIntel
    cpu family      : 6
    model           : 60
    model name      : Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
    stepping        : 3
    microcode       : 0x17
    cpu MHz         : 4342.812
    cache size      : 8192 KB
    physical id     : 0
    siblings        : 8
    core id         : 3
    cpu cores       : 4
    apicid          : 7
    initial apicid  : 7
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 13
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm epb tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm xsaveopt dtherm ida arat pln pts
    bogomips        : 7981.54
    clflush size    : 64
    cache_alignment : 64
    address sizes   : 39 bits physical, 48 bits virtual
    power management:
    

    Code (Text):
    lscpu
    Architecture:          x86_64
    CPU op-mode(s):        32-bit, 64-bit
    Byte Order:            Little Endian
    CPU(s):                8
    On-line CPU(s) list:   0-7
    Thread(s) per core:    2
    Core(s) per socket:    4
    Socket(s):             1
    NUMA node(s):          1
    Vendor ID:             GenuineIntel
    CPU family:            6
    Model:                 60
    Model name:            Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
    Stepping:              3
    CPU MHz:               4271.875
    CPU max MHz:           4400.0000
    CPU min MHz:           800.0000
    BogoMIPS:              7981.54
    Virtualization:        VT-x
    L1d cache:             32K
    L1i cache:             32K
    L2 cache:              256K
    L3 cache:              8192K
    NUMA node0 CPU(s):     0-7
    Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm epb tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm xsaveopt dtherm ida arat pln pts
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    what PCID is explained in old article which also touched on the security issues were faced with on Intel cpus now SIMPLE IS BETTER: Improve Performance for Separating Kernel and User Address Space with Process-Context Identifiers (PCIDs)
     
  5. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:24 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    So a cpu that has PCID will not affected at all by this performance problem or it will but less?
     
  6. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    In theory PCID should reduce/lessen the performance drop but who knows.

    from kernel github repo commit for PCID x86/mm: Use/Fix PCID to optimize user/kernel switches · torvalds/linux@6fd166a · GitHub

    So PCID available from Intel Sandybridge onwards i.e. Intel E3-1200v1, E5-1600v1, E5-2600v1 series etc outlined at Sandy Bridge - Wikipedia
     
  7. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More info and benchmarks from folks at Phoronix.com
    AMD cpus don't have the bug but the Kernel fixes are treating AMD like Intel as having the bug !
    redis before and after kernel level fixes

    upload_2018-1-3_12-45-56.png
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    oh from For Now At Least AMD CPUs Are Also Reported As "Insecure" - Phoronix

    you can disable kernel fixes too if you want to revert to previous performance at expense of security
     
  9. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:24 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    A bit more details for the exact command to use to disable it?

    Thank you
     
  10. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    not a command to run but you need to edit the kernel command-line parameter. Only do this if you know what you're doing !
     
  11. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    3:24 PM
    1.9.x
    10.1.x
    It seems ARM Cpu's are also affected by this.
     
  12. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    woah that's alot of cpus !

    From Cloudlinux folks and KernelCare Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux

     
  13. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Here is the problem Meltdown and Spectre
     
  14. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Project Zero: Reading privileged memory with a side-channel

    From AMD An Update on AMD Processor Security | AMD

    upload_2018-1-4_14-39-57.png
     
  15. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Redhat and thus CentOS Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 - Red Hat Customer Portal

    alot of the recommended actions/fixes are listed as just pending.
     
  16. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Linode official response for Spectre and Meltdown vulnerabilities Linode Blog » CPU Vulnerabilities: Meltdown & Spectre

     
  17. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Cloud infrastructure vendors including AWS, Microsoft, Google, DigitalOcean and Rackspace begin responding to chip kernel vulnerability
    Cloud infrastructure vendors begin responding to chip kernel vulnerability

    for DigitalOcean
    A Message About Intel Security Findings

     
  18. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?

     
  19. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Microsoft update
     
  20. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    A more frank assessment of Meltdown and Spectre particularly in relation to Intel cpus We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare

    on the kernel fixes and Kernel Page Table Isolation performance impact