Bug#912109: Spectre Meltdown. System has more than MAX_PA/2 memory. L1TF mitigation not effective for CVE-2018-3620
Hi,
Thx for responding quickly.
I have the microcode package installed.
dpkg -l | grep microcode
ii intel-microcode 3.20180807a.1~deb9u1 amd64 Processor microcode firmware for Intel
and activated:
# dmesg | grep microc
[ 0.000000] microcode: microcode updated early to revision 0x20, date = 2018-04-10
[ 0.545764] microcode: sig=0x306a9, pf=0x2, revision=0x20
[ 0.545879] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
From what I read, the issue applies to certain RAM / CPU combos.
Not sure if it's reproducible @ Azure.
There is some more about it as well:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1788563
and here the upstream fix:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b0a182f875689647b014bc01d36b340217792852
regards,
Tobias.
On Sun, 28 Oct 2018 10:50:26 +0100 tobias <bugs@appelo.org> wrote:
> Package: src:linux
> Version: 4.9.110-3+deb9u6
> Severity: normal
> Tags: security
>
> According to https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.40 my system is vulnerable to CVE-2018-3620
>
> results:
>
> CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
> * Mitigated according to the /sys interface: NO (Vulnerable)
> * Kernel supports PTE inversion: YES (found in kernel image)
> * PTE inversion enabled and active: NO
> STATUS: VULNERABLE (Vulnerable)
>
>
> dmesg | grep L1TF
> [ 0.014828] L1TF: System has more than MAX_PA/2 memory. L1TF mitigation not effective.
>
> workaround:
> as described here: https://bugzilla.opensuse.org/show_bug.cgi?id=1105536
> supplied command line parameter "mem=33554428k" and the issue is gone.
>
>
>
> -- Package-specific info:
> ** Version:
> Linux version 4.9.0-8-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08)
>
> ** Command line:
> BOOT_IMAGE=/boot/vmlinuz-4.9.0-8-amd64 root=/dev/mapper/vol00-lvroot ro ipv6.disable=1 quiet
>
> ** Not tainted
>
> ** Kernel log:
> [ 22.581813] device veth5bacacd entered promiscuous mode
> [ 22.581854] br-f6f67b537c3b: port 1(veth5bacacd) entered blocking state
> [ 22.581855] br-f6f67b537c3b: port 1(veth5bacacd) entered forwarding state
> [ 22.581935] br-f6f67b537c3b: port 1(veth5bacacd) entered disabled state
> [ 22.587449] br-ced3a9da9295: port 1(veth1f742ed) entered blocking state
> [ 22.587450] br-ced3a9da9295: port 1(veth1f742ed) entered disabled state
> [ 22.587483] device veth1f742ed entered promiscuous mode
> [ 22.587522] br-ced3a9da9295: port 1(veth1f742ed) entered blocking state
> [ 22.587523] br-ced3a9da9295: port 1(veth1f742ed) entered forwarding state
> [ 22.587564] br-ced3a9da9295: port 1(veth1f742ed) entered disabled state
> [ 22.696461] br-429b9edca99c: port 1(veth8d7b672) entered blocking state
> [ 22.696463] br-429b9edca99c: port 1(veth8d7b672) entered disabled state
> [ 22.696495] device veth8d7b672 entered promiscuous mode
> [ 22.696533] br-429b9edca99c: port 1(veth8d7b672) entered blocking state
> [ 22.696534] br-429b9edca99c: port 1(veth8d7b672) entered forwarding state
> [ 22.696568] br-429b9edca99c: port 1(veth8d7b672) entered disabled state
> [ 22.717457] br-f6f67b537c3b: port 2(veth423bb83) entered blocking state
> [ 22.717458] br-f6f67b537c3b: port 2(veth423bb83) entered disabled state
> [ 22.717488] device veth423bb83 entered promiscuous mode
> [ 22.717772] br-eb3952fed7f5: port 1(vethe2fd06e) entered blocking state
> [ 22.717773] br-eb3952fed7f5: port 1(vethe2fd06e) entered disabled state
> [ 22.717801] device vethe2fd06e entered promiscuous mode
> [ 22.717835] br-eb3952fed7f5: port 1(vethe2fd06e) entered blocking state
> [ 22.717836] br-eb3952fed7f5: port 1(vethe2fd06e) entered forwarding state
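
An added example, not part of the bug report or its replies: a POSIX shell check that relates the "MAX_PA/2" in the kernel warning to the top of installed RAM and prints a `mem=` value one 4 KiB page below that boundary, the form the reported workaround uses. The function names, the 36-bit address width and the sample input are assumptions constructed for illustration; the report does not state the machine's address width or RAM size.

```shell
#!/bin/sh
# Added example: compare the top of System RAM with MAX_PA/2.
# Input formats assumed: /proc/cpuinfo and /proc/iomem text.

# Physical address width from cpuinfo text on stdin ("address sizes" line).
phys_bits() {
    sed -n 's/^address sizes[^0-9]*\([0-9][0-9]*\) bits physical.*/\1/p' | head -n 1
}

# MAX_PA/2 in KiB for a given physical address width.
half_pa_kib() {
    echo $(( (1 << ($1 - 1)) / 1024 ))
}

# End of the highest "System RAM" range (iomem text on stdin), in KiB.
# Without root, /proc/iomem shows zeroed addresses and this yields 0.
ram_top_kib() (
    top=0
    while IFS= read -r line; do
        case $line in
            [0-9a-f]*" : System RAM")
                end=${line%% :*}; end=${end#*-}
                if [ $(( 0x$end )) -gt "$top" ]; then top=$(( 0x$end )); fi
                ;;
        esac
    done
    echo $(( (top + 1) / 1024 ))
)

# Verdict, plus a mem= value one 4 KiB page below MAX_PA/2.
l1tf_report() {
    limit=$(half_pa_kib "$1")
    if [ "$2" -gt "$limit" ]; then
        echo "EXCEEDS half_pa_kib=$limit ram_top_kib=$2 workaround=mem=$((limit - 4))k"
    else
        echo "WITHIN half_pa_kib=$limit ram_top_kib=$2"
    fi
}

# Constructed sample input (not taken from the reporter's machine).
SAMPLE_CPUINFO='address sizes : 36 bits physical, 48 bits virtual'
SAMPLE_IOMEM='00001000-0009ffff : System RAM
00100000-bfffffff : System RAM
  01000000-01ffffff : Kernel code
100000000-83fffffff : System RAM'

l1tf_report "$(printf '%s\n' "$SAMPLE_CPUINFO" | phys_bits)" \
            "$(printf '%s\n' "$SAMPLE_IOMEM" | ram_top_kib)"
```

On a live host, feed the functions `/proc/cpuinfo` and, as root, `/proc/iomem`, and read the kernel's own verdict from `/sys/devices/system/cpu/vulnerabilities/l1tf`.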