Summary
In January 2018, security researchers announced a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM, IBM, and MIPS. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.
To address the issue in Debian, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Debian Security Announcements and Debian LTS Announcements as they become available.
There are three separate vulnerabilities involved:
CVE-2017-5753 Spectre Variant 1, Bounds Check Bypass
CVE-2017-5715 Spectre Variant 2, Branch Target Injection
CVE-2017-5754 Meltdown Variant 3, Rogue Data Cache Load
The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand.
This article will be updated periodically with new information as it becomes available, until the issues have been resolved.
Current Status
Kernel updates have been shipped for Debian stable/stretch and later.
The gcc compiler toolchain was updated in Debian buster/unstable (gcc 7.3), stretch (gcc 6) through DSA-4121 and jessie (gcc 4.9) through DSA-4117. No archive rebuild is planned at this point, so user-space fixes (particularly for Spectre v1) vary according to the affected binary package, as the fix is essentially per-program. The compiler updates were nevertheless required to provide fixes for the Linux kernel.
Spectre Variant 2 can be exploited both locally (within the same OS) and across the virtualization guest boundary. Fixes require CPU microcode/firmware updates to activate. Users are advised to contact their hardware OEM to obtain the appropriate microcode/firmware for their processor. In particular, qemu and other hypervisors need to pass through certain CPU features so that guest operating systems can correctly configure their mitigation mechanisms.
64-bit PC (amd64)
AMD processors are believed not to be affected by Meltdown, and no mitigation is applied to them by default.
Release             | Linux version | Spectre 1          | Spectre 2           | Meltdown
--------------------|---------------|--------------------|---------------------|--------------------
Jessie/oldoldstable | 3.16          |                    |                     |
Stretch/oldstable   | 4.9           |                    |                     |
Buster/stable       | 4.19          | 4.15.4-1 and later | 4.14.17-1 and later | 4.14.13-1 and later
testing/unstable    | 4.19+         | 4.15.4-1 and later | 4.14.17-1 and later | 4.14.13-1 and later
Caveats:
- Spectre 2 might not be fixable without firmware updates, which must come from hardware vendors.
32-bit PC (i386)
The recommended mitigation for Meltdown for i386 users running jessie or stretch is to enable amd64 as an additional architecture (see Multiarch/HOWTO) and install a 64-bit kernel.
AMD processors are believed not to be affected by Meltdown.
Release             | Linux version | Spectre 1          | Spectre 2           | Meltdown
--------------------|---------------|--------------------|---------------------|-------------------------------------
Jessie/oldoldstable | 3.16          | not fixed          |                     |
Stretch/oldstable   | 4.9           | not fixed          |                     |
Buster/stable       | 4.19          | 4.15.4-1 and later | 4.14.17-1 and later | 4.19 and later, 686-pae flavour only
testing/unstable    | 4.19+         | 4.15.4-1 and later | 4.14.17-1 and later | 4.19 and later, 686-pae flavour only
Caveats:
- Spectre 2 might not be fixable without firmware updates, which must come from hardware vendors.
64-bit ARM (arm64)
A small number of ARM Cortex-A cores are known to be affected by Meltdown, as are Cavium ThunderX 2 and Qualcomm Falkor. All ARM Cortex-A, Cavium ThunderX and Qualcomm Falkor cores are affected by Spectre. It is not known whether other vendors' cores are affected by these issues.
Work is in progress to backport Meltdown patches to arm64.
Release           | Linux version | Spectre 1          | Spectre 2 | Meltdown
------------------|---------------|--------------------|-----------|---------------------------
Stretch/oldstable | 4.9           | not fixed          | not fixed |
Buster/stable     | 4.19          | 4.15.4-1 and later | not fixed | 4.16~rc5-1~exp1 and later
testing/unstable  | 4.19+         | 4.15.4-1 and later | not fixed | 4.16~rc5-1~exp1 and later
32-bit ARM (armel, armhf)
No 32-bit ARM Cortex-A cores are known to be affected by Meltdown. All ARM Cortex-A cores are affected by Spectre. It is not known whether Intel XScale or Marvell Sheeva cores are affected by these issues, but it seems unlikely.
Release             | Linux version | Spectre 1          | Spectre 2      | Meltdown
--------------------|---------------|--------------------|----------------|-------------
Jessie/oldoldstable | 3.16          | not fixed          | not fixed      | not affected
Stretch/oldstable   | 4.9           | not fixed          | not affected   |
Buster/stable       | 4.19          | 4.15.4-1 and later | 4.18 and later | not affected
testing/unstable    | 4.19+         | 4.15.4-1 and later | 4.18 and later | not affected
Caveats:
- 32-bit kernels running on some 64-bit ARM cores will be affected by Meltdown
PowerPC (powerpc, ppc64el)
Release           | Linux version | Spectre 1          | Spectre 2 | Meltdown
------------------|---------------|--------------------|-----------|--------------------
Stretch/oldstable | 4.9           | not fixed          |           |
Buster/stable     | 4.19          | 4.15.4-1 and later | not fixed | 4.14.17-1 and later
testing/unstable  | 4.19+         | 4.15.4-1 and later | not fixed | 4.14.17-1 and later
Caveats:
- Meltdown is mitigated on IBM POWER 7, 8 and 9 processors but might affect some older processors
System z (s390x)
Limited public information is available for this architecture.
Release           | Linux version | Spectre 1           | Spectre 2                 | Meltdown
------------------|---------------|---------------------|---------------------------|-------------
Stretch/oldstable | 4.9           | 4.9.110-1 and later | not affected              |
Buster/stable     | 4.19          | 4.15.4-1 and later  | 4.17~rc7-1~exp1 and later | not affected
testing/unstable  | 4.19+         | 4.15.4-1 and later  | 4.17~rc7-1~exp1 and later | not affected
MIPS (mips, mipsel, mips64el)
MIPS Technology claims that none of their Debian-supported cores are affected by these issues. It is likely that Loongson cores are affected by some of these issues. It is not known whether other vendors' cores are affected by these issues.
Release           | Linux version | Spectre 1          | Spectre 2 | Meltdown
------------------|---------------|--------------------|-----------|---------
Stretch/oldstable | 4.9           | unknown            | unknown   |
Buster/stable     | 4.19          | 4.15.4-1 and later | unknown   | unknown
testing/unstable  | 4.19+         | 4.15.4-1 and later | unknown   | unknown
Checking status
In stretch-backports, buster and sid there is a package spectre-meltdown-checker which can be used to help determine one's vulnerability status:
    sudo apt install -t stretch-backports spectre-meltdown-checker
    sudo spectre-meltdown-checker
Furthermore, kernel-level mitigation strategies are visible from userspace in the /sys/devices/system/cpu/vulnerabilities/ directory. For example, this is the output after a successful kernel update in Debian stretch:
    $ grep . /sys/devices/system/cpu/vulnerabilities/*
    /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
    /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
    /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
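As an added example (not from the Debian wiki page, nor from the spectre-meltdown-checker project), the following POSIX shell script reads the per-vulnerability files described above, classifies each one as mitigated, vulnerable, not affected or unknown, and also reports the x86 microcode revision from /proc/cpuinfo, since the Spectre v2 mitigation only activates with updated microcode. It handles the failure mode the grep above hides: a kernel too old to have the sysfs interface at all. The function names and the sample values it constructs are the example's own; the sysfs directory and the cpuinfo "microcode" field are the real kernel interfaces.

```shell
#!/bin/sh
# Added example, not part of the Debian wiki page. Summarises the kernel's
# sysfs vulnerability reports and the CPU microcode revision, and treats a
# missing sysfs directory (kernel predates the interface) as its own outcome.

# classify_status STATUS-STRING
# Prints one word: mitigated, vulnerable, notaffected or unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo notaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulns [DIR]
# Prints "name<TAB>class<TAB>raw text" for every file in DIR (default: the real
# sysfs directory). Returns 1 if any entry is vulnerable, 2 if DIR is absent.
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "$dir missing: this kernel predates the sysfs vulnerability interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        raw=$(cat "$f" 2>/dev/null) || raw=""
        class=$(classify_status "$raw")
        if [ "$class" = vulnerable ]; then rc=1; fi
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$class" "$raw"
    done
    return $rc
}

# count_vulnerable [DIR]
# Number of entries report_vulns classifies as vulnerable (0 if DIR is absent).
count_vulnerable() {
    report_vulns "$1" 2>/dev/null | awk -F'\t' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# microcode_revision [FILE]
# Prints the first "microcode : 0x..." value from FILE (default /proc/cpuinfo);
# prints nothing on non-x86 systems, whose cpuinfo has no such field.
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}" 2>/dev/null
}

# make_sample_dir
# Creates a constructed sysfs-like directory (sample values, not captured from
# a real machine) and prints its path; the caller removes it.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# make_sample_cpuinfo
# Writes a constructed two-line /proc/cpuinfo fragment and prints its path.
make_sample_cpuinfo() {
    f=$(mktemp)
    printf 'model name\t: Example CPU (constructed)\nmicrocode\t: 0x1234\n' > "$f"
    echo "$f"
}

# Stand-alone demonstration: the constructed sample first, then the live system.
sample=$(make_sample_dir)
echo "constructed sample:"
report_vulns "$sample" || echo "sample exit status: $?"
rm -rf "$sample"
cpu=$(make_sample_cpuinfo)
echo "sample microcode revision: $(microcode_revision "$cpu")"
rm -f "$cpu"
echo "live system:"
report_vulns || echo "live system exit status: $?"
echo "live microcode revision: $(microcode_revision)"
```

Run it as-is to see the constructed sample followed by the live system's status. An exit status of 1 from report_vulns flags at least one vulnerable entry; 2 means the kernel cannot report at all, which for this purpose should be treated the same as unpatched rather than as a pass.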
Related information
Red Hat has released good information that describes the issue further. Most of the information in that article is applicable to Debian as well.
Xen project has made an advisory on how to handle these issues in a Xen virtualization environment.
Ubuntu has a similar page for those using that Debian derivative.