The Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes.
In this article, I’ll step through patching an Ubuntu kernel with the candidate kernel fixes.
Determine current kernel version
First, we want to take note of the current kernel version. This is easily done using the following command:
$ uname -r
If you are running Ubuntu 16.04 with the latest updates you will probably have “4.4.0-104-generic”, which is known to be vulnerable to Meltdown.
If you are running Ubuntu 14.04 LTS, you will likely have “3.13.0-137-generic” which is known to be vulnerable to Meltdown.
In a previous article I detailed how to run the Meltdown POC that checks if your system is vulnerable. See that article for full details, but let me lay out the essential steps here, and watch how the output changes after we update the kernel.
Download and compile the POC:
$ sudo apt-get install git build-essential $ git clone https://github.com/raphaelsc/Am-I-affected-by-Meltdown.git $ cd Am-I-affected-by-Meltdown $ make
Allow the program to read the kernel symbols, which is necessary to allow the POC to check whether the address of a system call found by exploiting Meltdown matches the system call table.
$ sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict"
Then run the proof of concept:
On an unpatched system such as this, you will receive output similar to below saying ‘System affected!’
Check availability of patched kernel
The patched kernel for Ubuntu 16.04 is 4.4.0-109, so we check if these are available:
$ sudo apt-cache search linux-image-4.4.0-109-generic linux-headers-4.4.0-109-generic - Linux kernel headers for version 4.4.0 on 64 bit x86 SMP $ sudo apt-cache search linux-headers-4.4.0-109-generic linux-image-4.4.0-109-generic - Linux kernel image for version 4.4.0 on 64 bit x86 SMP
for Ubuntu 14.04 we look for 3.13.0-139:
$ sudo apt-cache search linux-image-3.13.0-139-generic linux-image-3.13.0-139-generic - Linux kernel image for version 3.13.0 on 64 bit x86 SMP $ sudo apt-cache search linux-headers-3.13.0-139-generic linux-headers-3.13.0-139-generic - Linux kernel headers for version 3.13.0 on 64 bit x86 SMP
If a single row is not returned for each search, then look in “/etc/apt/sources.list”, and check if the ‘-updates’ and ‘-security’ repositories are commented out.
Install latest patched kernel
If the system you are working on has been kept up to date on all packages, then you can simply run ‘apt-get dist-upgrade’ and get the latest kernel patches. If you are not sure what state the system is in, you can run dist-upgrade in simulated mode (-s), which will show you exactly which packages it will run without taking any action.
$ sudo apt-get dist-upgrade -s
But if you need to selectively install only the latest kernel then for Ubuntu 16.04:
$ sudo apt-get install linux-headers-4.4.0-109-generic linux-image-4.4.0-109-generic -y
And for Ubuntu 14.04 LTS:
$ sudo apt-get install linux-headers-3.13.0-139-generic linux-image-3.13.0-139-generic -y
And finally, reboot to make the kernel changes take affect:
$ sudo init 6
After reboot, you should now see a new kernel version reported from the command below:
$ uname -r
It should repot ‘4.4.0-109-generic’ for Ubuntu 16.04, and ‘3.13.0-139-generic’ for Ubuntu 14.04.
Validate mitigation of vulnerability
The last step is to run the Meltdown POC program again, and verify that the system is not affected anymore.
The application will once again need to be given permission to read kernel symbols, then the POC can be run once again.
$ sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict" $ ./meltdown-checker
You should now get output similar to below that indicates the ‘System not affected’.
https://www.amd.com/en/corporate/speculative-execution (AMD response)
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown (Ubuntu response)
https://en.wikipedia.org/wiki/Kernel_page-table_isolation (describes kernel page table isolation patch)
https://askubuntu.com/questions/49958/how-to-find-the-number-of-packages-needing-update-from-the-command-line (how packages needing updates is shown at login)
https://news.slashdot.org/story/18/01/10/1634215/meltdown-and-spectre-patches-bricking-ubuntu-1604-computers (do NOT install .108 which could break boot)
/usr/lib/update-notifier/apt-check –human-readable (shows number of packages needing update upon login)