Meltdown/Spectre - non-issue?

Questions about Wine on Linux
Post Reply
chibbs
Newbie
Newbie
Posts: 1
Joined: Tue Jan 09, 2018 1:50 pm

Meltdown/Spectre - non-issue?

Post by chibbs » Tue Jan 09, 2018 1:59 pm

So, may be a silly question, but I'm assuming that Wine doesn't load a kernel so there's no concern. But wanted to validate yes, no?

AndrewAitchison
Newbie
Newbie
Posts: 1
Joined: Tue May 15, 2018 9:31 am

Re: Meltdown/Spectre - non-issue?

Post by AndrewAitchison » Tue May 15, 2018 9:39 am

> So, may be a silly question, but I'm assuming that
> Wine doesn't load a kernel so there's no concern.
> But wanted to validate yes, no?


The Windows Meltdown/Spectre
https://www.grc.com/files/inspectre.htm
https://www.grc.com/files/InSpectre.exe
from GRC runs under wine !

My Scientific Linux 6.9 machine has patched microcode [1] and
https://raw.githubusercontent.com/speed ... checker.sh
reports that all three vulnerabilities are mitigated.

With Wine version 1.8.6 [2] InSpectre.exe reports that the
CPU has been updated, but
This 64-bit version of Window is not aware of
either the Spectre or Meltdown problems. ...

If you have a newer version of Wine, do you get different results from InSpectre ?

[1] from https://downloadcenter.intel.com/download/27776

[2] Yes I know that Wine 3 is out, but 1.8.6 is "standard" on this linux
and I've not yet attempted to build a newer Wine myself.

Cybermax
Level 4
Level 4
Posts: 188
Joined: Fri Dec 01, 2017 5:26 pm

Re: Meltdown/Spectre - non-issue?

Post by Cybermax » Fri May 18, 2018 8:29 am

Have no idea if it is even relevant tbh, but running InSpectre.exe with wine-staging-3.8 i got:

Code: Select all

System is Meltdown pretected: NO!
System is Spectre protected: NO!
Microcode Update Available: YES
Performance: GOOD
Not really easy to TEST that it is vulnerable without going through hoops of "if-this-happened-while-your-left-index-finger-is-in-your-right-ear" type of scenario, i dunno :)

Havent really been paying much attention to windows proof-of-concept of late, so if anyone have a REAL test to run please share :)

User avatar
Bob Wya
Level 12
Level 12
Posts: 2764
Joined: Sat Oct 16, 2010 7:40 pm
Location: Cambridge
Contact:

Re: Meltdown/Spectre - non-issue?

Post by Bob Wya » Mon May 21, 2018 7:39 am

AndrewAitchison wrote: With Wine version 1.8.6 [2] InSpectre.exe reports that the
CPU has been updated, but
This 64-bit version of Window is not aware of
either the Spectre or Meltdown problems. ...

If you have a newer version of Wine, do you get different results from InSpectre ?

[1] from https://downloadcenter.intel.com/download/27776

[2] Yes I know that Wine 3 is out, but 1.8.6 is "standard" on this linux
and I've not yet attempted to build a newer Wine myself.
Steve Gibson has discussed quite extensively how InSpectre works on the Security Now podcast. Transcripts are available...
The utility works by probing for specific Registry keys and Windows KB updates being installed.
You need Release #6 (or newer) of the InSpectre utility to support 64-bit Systems.
This utility won't work at all under Wine.

If you run:

Code: Select all

wine InSpectre.exe probe &>/dev/null; echo $?
15
Which is:

Code: Select all

1	OS is not aware of the Meltdown vulnerability
2	OS is not aware of the Spectre vulnerability
4	The system is vulnerable to Meltdown
8	The system is vulnerable to Spectre
Which is basically just garbage output.

Much better is to compile Wine (and all other system packages) with >gcc 7.3.0 to get code that has global retpoline mitigations in place.
Use updated Intel microcode in a early boot initramfs-type image (assuming it is available for your processor model).
Then use a more appropriate native tool to test your system's vulnerability status...
Typically with: Github: speed47 / spectre-meltdown-checker.
E.g.

Code: Select all

~/scripts/spectre-meltdown-checker.sh --no-color

Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.14.40-gentoo #1 SMP PREEMPT Tue May 15 05:47:26 BST 2018 x86_64
CPU is Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: YES
    * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU microcode is known to cause stability problems: NO (model 60 stepping 3 ucode 0x24 cpuid 0x306c3)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1: YES
  * Vulnerable to Variant 2: YES
  * Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86): YES (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm): NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
  * Kernel is compiled with IBRS support: YES
    * IBRS enabled and active: YES (for firmware code only)
  * Kernel is compiled with IBPB support: YES
    * IBPB enabled and active: YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm): NO
  * Kernel compiled with retpoline option: YES
    * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
  * PTI enabled and active: YES
  * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
Which provides far more accurate and detailed information then InSpectre ever could...

Also note that Wine 1.8.6 is not supported any more... In fact Wine 1.8.7 was the final release of that stable branch anyway.

You're not expected to compile newer versions of Wine, just to get them installed...
Unless of course you're using Gentoo like me, or any another source-based distribution for that matter... 8)

See: WineHQ Download.
Note: OpenSUSE somehow manage to package their own versions of Wine that aren't years out-of-date... Hmmm. :roll:

Bob

Post Reply