WineHQ
Wine Forums
Posted: Tue Jan 09, 2018 1:59 pm
Newbie
Joined: Tue Jan 09, 2018 1:50 pm
Posts: 1
So, maybe a silly question, but I'm assuming that Wine doesn't load a kernel, so there's no concern. But I wanted to validate: yes, no?


Posted: Tue May 15, 2018 9:39 am
Newbie
Joined: Tue May 15, 2018 9:31 am
Posts: 1
> So, may be a silly question, but I'm assuming that
> Wine doesn't load a kernel so there's no concern.
> But wanted to validate yes, no?


The Windows Meltdown/Spectre checker from GRC
https://www.grc.com/files/inspectre.htm
https://www.grc.com/files/InSpectre.exe
runs under Wine!

My Scientific Linux 6.9 machine has patched microcode [1] and
https://raw.githubusercontent.com/speed ... checker.sh
reports that all three vulnerabilities are mitigated.

With Wine version 1.8.6 [2] InSpectre.exe reports that the
CPU has been updated, but
This 64-bit version of Window is not aware of
either the Spectre or Meltdown problems. ...

If you have a newer version of Wine, do you get different results from InSpectre?

[1] from https://downloadcenter.intel.com/download/27776

[2] Yes, I know that Wine 3 is out, but 1.8.6 is "standard" on this Linux
and I've not yet attempted to build a newer Wine myself.


Posted: Fri May 18, 2018 8:29 am
Level 3
Joined: Fri Dec 01, 2017 5:26 pm
Posts: 80
I have no idea if it is even relevant, tbh, but running InSpectre.exe with wine-staging-3.8 I got:
Code:
System is Meltdown protected: NO!
System is Spectre protected: NO!
Microcode Update Available: YES
Performance: GOOD

It's not really easy to TEST that it is vulnerable without going through the hoops of an "if-this-happened-while-your-left-index-finger-is-in-your-right-ear" type of scenario, I dunno :)

I haven't really been paying much attention to Windows proofs-of-concept of late, so if anyone has a REAL test to run, please share :)


Posted: Mon May 21, 2018 7:39 am
Level 12
Joined: Sat Oct 16, 2010 7:40 pm
Posts: 2214
Location: Cambridge
AndrewAitchison wrote:
> With Wine version 1.8.6 [2] InSpectre.exe reports that the
> CPU has been updated, but
> This 64-bit version of Window is not aware of
> either the Spectre or Meltdown problems. ...
>
> If you have a newer version of Wine, do you get different results from InSpectre?
>
> [1] from https://downloadcenter.intel.com/download/27776
>
> [2] Yes, I know that Wine 3 is out, but 1.8.6 is "standard" on this Linux
> and I've not yet attempted to build a newer Wine myself.


Steve Gibson has discussed quite extensively how InSpectre works on the Security Now podcast. Transcripts are available...
The utility works by probing for specific Registry keys and Windows KB updates being installed.
You need Release #6 (or newer) of the InSpectre utility to support 64-bit Systems.
This utility won't work at all under Wine.

If you run:
Code:
wine InSpectre.exe probe &>/dev/null; echo $?
15

Which is:
Code:
1   OS is not aware of the Meltdown vulnerability
2   OS is not aware of the Spectre vulnerability
4   The system is vulnerable to Meltdown
8   The system is vulnerable to Spectre

Which is basically just garbage output.

Much better is to compile Wine (and all other system packages) with gcc > 7.3.0 to get code that has global retpoline mitigations in place.
Use updated Intel microcode in an early-boot initramfs-type image (assuming it is available for your processor model).
Then use a more appropriate native tool to test your system's vulnerability status...
Typically with: Github: speed47 / spectre-meltdown-checker.
E.g.
Code:
~/scripts/spectre-meltdown-checker.sh --no-color

Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.14.40-gentoo #1 SMP PREEMPT Tue May 15 05:47:26 BST 2018 x86_64
CPU is Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: YES
    * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU microcode is known to cause stability problems: NO (model 60 stepping 3 ucode 0x24 cpuid 0x306c3)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1: YES
  * Vulnerable to Variant 2: YES
  * Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86): YES (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm): NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
  * Kernel is compiled with IBRS support: YES
    * IBRS enabled and active: YES (for firmware code only)
  * Kernel is compiled with IBPB support: YES
    * IBPB enabled and active: YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm): NO
  * Kernel compiled with retpoline option: YES
    * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
  * PTI enabled and active: YES
  * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

Which provides far more accurate and detailed information than InSpectre ever could...

Also note that Wine 1.8.6 is not supported any more... In fact Wine 1.8.7 was the final release of that stable branch anyway.

You're not expected to compile newer versions of Wine, just to get them installed...
Unless of course you're using Gentoo like me, or any other source-based distribution for that matter... 8)

See: WineHQ Download.
Note: OpenSUSE somehow manages to package their own versions of Wine that aren't years out-of-date... Hmmm. :roll:

Bob
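Added example (my own script, not code from this thread, from GRC or from the speed47 project): it decodes the InSpectre probe exit-status bits quoted above and summarises the kernel's /sys/devices/system/cpu/vulnerabilities files, the "/sys interface" the checker output above refers to, so the two views can be compared side by side. It assumes only the bit values listed in the post and the kernel's "Not affected" / "Vulnerable" / "Mitigation: ..." wording in those files.

```shell
#!/bin/sh
# Added example, not from the thread: decode InSpectre's "probe" exit status
# and report what the kernel itself says about each variant.

# Print one line per set bit of an InSpectre probe exit status (0..15).
# Bit values are the ones quoted in the post above.
decode_inspectre() {
    code=$1
    case $code in
        ''|*[!0-9]*) echo "invalid exit status: '$code'" >&2; return 1 ;;
    esac
    [ "$code" -le 15 ] || { echo "invalid exit status: $code" >&2; return 1; }
    [ $((code & 1)) -ne 0 ] && echo "OS is not aware of the Meltdown vulnerability"
    [ $((code & 2)) -ne 0 ] && echo "OS is not aware of the Spectre vulnerability"
    [ $((code & 4)) -ne 0 ] && echo "The system is vulnerable to Meltdown"
    [ $((code & 8)) -ne 0 ] && echo "The system is vulnerable to Spectre"
    return 0
}

# Print "<name>: OK|VULNERABLE (<kernel text>)" for each file in a sysfs
# vulnerabilities directory (default: the live kernel's). Returns 0 only
# when every file reports "Not affected" or "Mitigation: ...".
sysfs_vuln_status() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        state=$(cat "$f")
        case $state in
            "Not affected"*|Mitigation:*) echo "$name: OK ($state)" ;;
            *) echo "$name: VULNERABLE ($state)"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run: decode the status 15 quoted in the post, then show the
# live kernel view (the loop prints nothing where /sys is not mounted).
# To decode a real run:  wine InSpectre.exe probe >/dev/null 2>&1; decode_inspectre $?
decode_inspectre 15
sysfs_vuln_status || echo "kernel reports at least one unmitigated variant"
```

Run `sysfs_vuln_status /path/to/dir` against a copied directory to check a saved snapshot from another machine.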