Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 15:49, Michael Fothergill <michael.fothergill@gmail.com> wrote:


On 24 January 2018 at 14:15, Michael Fothergill <michael.fothergill@gmail.com> wrote:


On 24 January 2018 at 14:11, Vincent Lefevre <vincent@vinc17.net> wrote:
On 2018-01-24 14:44:18 +0100, Sven Hartge wrote:
> Michael Fothergill <michael.fothergill@gmail.com> wrote:
> > On 24 January 2018 at 12:58, Sven Hartge <sven@svenhartge.de> wrote:
>
> >> Michael Fothergill <michael.fothergill@gmail.com> wrote:
>
> >> > The link within the above one:
> >>> https://gcc.gnu.org/ml/gcc/2018-01/msg00148.html
> >>> also has a link to the ftp download for the release candidate version of
> >>> gcc 7.3 ie 7.3.0rc1 which does actually work for spectre and retpoline.
>
> >> Debian Sid got gcc-7.3.0rc2 last night, the package is still named gcc-7
> >> (7.2.0-20) though.
>
> > Does that mean that if you upgrade to sid and installed gcc 7.2.0 you
> > would actually get 7.3.0rc2 in practice?
>
> Unless I interpret the changelog wrong: yes.


I have found a kernel image file here:


I think this will likely work OK with KPTI and retpoline.

It's in debian experimental.

If you can be sid and experimental together then I guess you can have gcc 7.3 rc1 or 2 (or whatever it is) installed and then
install the image as a kernel upgrade not a kernel compilation:

Something like this:

 # cat >> /etc/apt/preferences << EOF
 Package: *
 Pin: release o=Debian,a=experimental
 Pin-Priority: 102
 EOF
 # apt-cache policy   # shows/verifies the current preferences

 # echo "deb http://deb.debian.org/debian experimental main" >> /etc/apt/sources.list

 # apt-get update

 # apt-get -t experimental install linux-image-3.10-rc5-686-pae




Except here you would do:
# apt-get -t experimental install linux-image-4.15.0-rc8-amd64
Then I would have thought KPTI and retpoline would be installed in a relatively painless way if you don't mind running as sid.

Cheers

MF

Wait a minute.  If the linux image kernel is a binary, i.e. compiled, then as long as it was compiled using a gcc compiler v 7.3 or greater
then the retpoline and KPTI would be correctly installed by default.

So, if my understanding is correct then would that not mean you would not need to have v 7.3 of gcc installed locally so you would
not need to become sid?

Just a thought.

MF

But the changelogs don't mention anything about Spectre and retpoline.

It's OK.  As long as you really do end up installing gcc 7.3.0 rc2 we know it can handle the compilation of kernel 4.14.14 correctly to
make the KPTI and retpoline patches work...

So the changelog doesn't matter.

Cheers

MF

--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
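
Added example, not part of the original thread: whichever way the kernel image is obtained, the running kernel reports its own KPTI and retpoline status under /sys/devices/system/cpu/vulnerabilities, and the spectre_v2 entry distinguishes a kernel built by a retpoline-capable compiler from one that was not. The function names and the directory argument are hypothetical, and the matched strings are those printed by 4.15-era kernels.

```shell
#!/bin/sh
# Added example: classify the kernel's own report for Meltdown (CVE-2017-5754)
# and Spectre v2. The sysfs directory exists on kernels carrying the mitigation
# patches; the optional directory argument is an assumption added here so the
# check can be pointed at sample files.
# Usage: check_cpu_vulns   (exit status 0 only if both entries are mitigated)

classify_mitigation() {
    # $1 = contents of one vulnerabilities file
    # prints: ok | weak | vulnerable | unknown
    case "$1" in
        "Not affected"*)        echo ok ;;
        "Mitigation:"*)         echo ok ;;
        # Retpoline present only in the kernel's assembly paths: the compiler
        # that built this kernel did not support retpoline.
        "Vulnerable: Minimal"*) echo weak ;;
        "Vulnerable"*)          echo vulnerable ;;
        *)                      echo unknown ;;
    esac
}

check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            status=""   # no entry: kernel predates the reporting interface
        fi
        verdict=$(classify_mitigation "$status")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "${status:-<no sysfs entry>}"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}
```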