Ubuntu: Testing the official released kernel patches for Meltdown CVE-2017-5754

ubuntuThe Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes.

Canonical has committed to kernel patches to address this issue and they are now available from the both the updates and security official Ubuntu repositories.

In this article, I’ll step through patching an Ubuntu kernel with the candidate kernel fixes.

Determine current kernel version

First, we want to take note of the current kernel version.  This is easily done using the following command:

$ uname -r

If you are running Ubuntu 16.04 with the latest updates you will probably have “4.4.0-104-generic”, which is known to be vulnerable to Meltdown.

If you are running Ubuntu 14.04 LTS, you will likely have “3.13.0-137-generic” which is known to be vulnerable to Meltdown.

Verify vulnerability

In a previous article I detailed how to run the Meltdown POC that checks if your system is vulnerable.  See that article for full details, but let me lay out the essential steps here, and watch how the output changes after we update the kernel.

Download and compile the POC:

$ sudo apt-get install git build-essential
$ git clone https://github.com/raphaelsc/Am-I-affected-by-Meltdown.git
$ cd Am-I-affected-by-Meltdown
$ make

Allow the program to read the kernel symbols, which is necessary to allow the POC to check whether the address of a system call found by exploiting Meltdown matches the system call table.

$ sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict"

Then run the proof of concept:

$ ./meltdown-checker

On an unpatched system such as this, you will receive output similar to below saying  ‘System affected!’

Check availability of patched kernel

The patched kernel for Ubuntu 16.04 is 4.4.0-109, so we check if these are available:

$ sudo apt-cache search linux-image-4.4.0-109-generic
linux-headers-4.4.0-109-generic - Linux kernel headers for version 4.4.0 on 64 bit x86 SMP

$ sudo apt-cache search linux-headers-4.4.0-109-generic
linux-image-4.4.0-109-generic - Linux kernel image for version 4.4.0 on 64 bit x86 SMP

for Ubuntu 14.04 we look for 3.13.0-139:

$ sudo apt-cache search linux-image-3.13.0-139-generic 
linux-image-3.13.0-139-generic - Linux kernel image for version 3.13.0 on 64 bit x86 SMP

$ sudo apt-cache search linux-headers-3.13.0-139-generic
linux-headers-3.13.0-139-generic - Linux kernel headers for version 3.13.0 on 64 bit x86 SMP

If a single row is not returned for each search, then look in “/etc/apt/sources.list”, and check if the ‘-updates’ and ‘-security’ repositories are commented out.

Install latest patched kernel

If the system you are working on has been kept up to date on all packages, then you can simply run ‘apt-get dist-upgrade’ and get the latest kernel patches.  If you are not sure what state the system is in, you can run dist-upgrade in simulated mode (-s), which will show you exactly which packages it will run without taking any action.

$ sudo apt-get dist-upgrade -s

But if you need to selectively install only the latest kernel then for Ubuntu 16.04:

$ sudo apt-get install linux-headers-4.4.0-109-generic linux-image-4.4.0-109-generic -y

And for Ubuntu 14.04 LTS:

$ sudo apt-get install linux-headers-3.13.0-139-generic linux-image-3.13.0-139-generic -y

And finally, reboot to make the kernel changes take affect:

$ sudo init 6

After reboot, you should now see a new kernel version reported from the command below:

$ uname -r

It should repot ‘4.4.0-109-generic’ for Ubuntu 16.04, and ‘3.13.0-139-generic’ for Ubuntu 14.04.

Validate mitigation of vulnerability

The last step is to run the Meltdown POC program again, and verify that the system is not affected anymore.

The application will once again need to be given permission to read kernel symbols, then the POC can be run once again.

$ sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict"

$ ./meltdown-checker

You should now get output similar to below that indicates the ‘System not affected’.

 

 

REFERENCES

https://spectreattack.com/

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

https://github.com/raphaelsc/Am-I-affected-by-Meltdown (poc code)

https://meltdownattack.com/meltdown.pdf (whitepaper)

https://www.amd.com/en/corporate/speculative-execution (AMD response)

https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown (Ubuntu response)

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

https://en.wikipedia.org/wiki/Kernel_page-table_isolation (describes kernel page table isolation patch)

https://askubuntu.com/questions/49958/how-to-find-the-number-of-packages-needing-update-from-the-command-line (how packages needing updates is shown at login)

https://news.slashdot.org/story/18/01/10/1634215/meltdown-and-spectre-patches-bricking-ubuntu-1604-computers (do NOT install .108 which could break boot)

/usr/lib/update-notifier/apt-check –human-readable (shows number of packages needing update upon login)