Intel problems -This is not technically listed as a vulnerab

scsijon
Posts: 1596
Joined: Thu 24 May 2007, 03:59
Location: the australian mallee

#1 Post by scsijon »

Message: 1

Subject: [lfs-dev] The latest Intel problems

As people who read one or more of El Reg || Phoronix || Toms Hardware
will be aware, there have been some announcements by Intel on
Tuesday.

The first is described as the 'Jump Conditional Code (JCC) Erratum'.
This is not technically listed as a vulnerability. Quoting from
Phoronix:

"Intel is today making public the Jump Conditional Code (JCC) erratum.
This is a bug involving the CPU's Decoded ICache where, on Skylake
and derived CPUs, unpredictable behavior could happen when jump
instructions cross cache lines."

Apparently, the new microcode (20191112) fixes this, at the cost of
various slowdowns in both kernel and userspace.

The second and third items _are_ listed as vulnerabilities:

TSX Async Abort (TAA) CVE-2019-11135 (another mds-style vulnerability,
only now disclosed) - according to Toms Hardware this affects certain
Whiskey Lake, Cascade Lake and Coffee Lake R CPUs.

iTLB Multihit CVE-2018-12207 (malicious guests in a virtualized system)

Further details of these vulnerabilities are at
https://www.kernel.org/doc/html/latest/ ... index.html

None of this applies to AMD processors.

There are workarounds for the vulnerabilities in kernels 5.3.11,
4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is
using those last three).

From the release notes for the new microcode I don't think that
anything older than Skylake has got new microcode.

ĸen
---
cut and cleaned up
---
Message: 2
Subject: Re: [lfs-dev] The latest Intel problems

On Wed, Nov 13, 2019 at 02:53:28AM +0000, Ken Moffat via lfs-dev wrote:
> As people who read one or more of El Reg || Phoronix || Toms Hardware
> will be aware, there have been some announcements by Intel on
> Tuesday.
>

And another, again from phoronix: potential privilege escalation or
denial of service by an unprivileged local user on (at least) gen 8/9
graphics hardware (Broadwell to pre Cannonlake / Icelake),
CVE-2019-015{4,5}.

Commits merged in trunk:
https://git.kernel.org/pub/scm/linux/ke ... c5bcb92d60
and new graphics firmware is being made available.

A quick look suggests these fixes are not yet in any released kernels.

ĸen
--
Whilst all mushrooms are edible, the trick is to eat only those which will prove to be edible more than once. The Celebrated Discworld Almanak recommends you play safe and eat beans on toast.



Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#2 Post by Mike Walsh »

scsijon wrote:There are workarounds for the vulnerabilities in kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is
using those last three).
Errm.....what; because they're (gasp) *whispers*....'old'? :shock: :shock:

God in heaven, man, I don't think I'm using a kernel that new anywhere in the kennels. Most of mine are 3-series, with the odd, early 4-series here & there, plus an assortment of 2-series floating around for good measure.

Explain to me, willya; what IS this near-obsession with 'must use the newest kernel the instant it's released', huh? I mean, okay; I consider myself 'tech-savvy', yes.....but I tend to wait and let tech 'prove' itself, y'know?

I didn't invest in my first CD player till the early years of this millennium.... :lol:

Yes, I know; there's always 'security vulnerabilities being addressed'. My hardware is nearly 16 yrs old; it's not Intel, it's always been AMD.....and, just like the malware writers/crackers/hackers, they always tend to target those investing in the newer tech. With the kernel being like 90+% nowt but drivers, there isn't a kernel newer than a 3-series that will support my hardware better than it already is. And the newer you get, they're having to drop support for really old tech simply to stop the damned thing getting too unwieldy.

Nah, I'm sorry, but you'll have to prove the earth will fall down around my ears before I start worrying about all that guff...I've never had the slightest bit of trouble with my 'puters, even back when I was running Windoze.....and definitely not since using Puppy.


Mike. :wink:

nic007
Posts: 3408
Joined: Sun 13 Nov 2011, 12:31
Location: Cradle of Humankind

#3 Post by nic007 »

People with new computers will want to use the newest available. They will worry about things like that. Most puppy users (well probably, I'm guessing) use older machines.

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

#4 Post by ozsouth »

My laptops range from 9 years to 1 year old. I find the longterm 4.14 kernels most stable for me - supported until 2024. The newest laptop doesn't like anything after 4.18. I just released a new .cpio file (under Security Topic) with 13Nov19 update. All my Intel CPUs need it.

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#5 Post by Mike Walsh »

nic007 wrote:People with new computers will want to use the newest available. They will worry about things like that. Most puppy users (well probably, I'm guessing) use older machines.
Oh, you're probably right there, Nic, on both counts. We're all the same when it comes to summat brand-new; we fuss over them like a mother hen, and worry about everything under the sun.....
ozsouth wrote:My laptops range from 9 years to 1 year old.
Hah. My newest is at least 15 yrs old.....the oldest, getting on for nearly 18.
ozsouth wrote:All my Intel CPUs need it.
Fair comment. My main rig is a pretty elderly, first-gen dual-core Athlon 64.....and I don't think early, 'cooking' P4s even come into this kinda stuff, do they?

I could be wrong...

EDIT:-
Mike Walsh wrote:God in heaven, man, I don't think I'm using a kernel that new anywhere in the kennels. Most of mine are 3-series, with the odd, early 4-series here & there, plus an assortment of 2-series floating around for good measure.
Correction; I've told a 'porky' here. I do have one 5-series, running in peebee's UPupBB; it's one of rockedge's compiles.....I came across it on his website, and thought to myself, 'Ah, what the hell; why not?'

Every other Pup has an "oldie-but-goodie".....


Mike. :wink:

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#6 Post by rufwoof »

scsijon wrote:There are workarounds for the vulnerabilities in kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is using those last three)
I'm running 4.14.154 (with the latest stable busybox). Is there a particular reason why you suggest that is unwise? (I track it primarily for its kernel.org Jan 2024 EOL date).

scsijon
Posts: 1596
Joined: Thu 24 May 2007, 03:59
Location: the australian mallee

#7 Post by scsijon »

rufwoof wrote:
scsijon wrote:There are workarounds for the vulnerabilities in kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is using those last three)
I'm running 4.14.154 (with the latest stable busybox). Is there a particular reason why you suggest that is unwise? (I track it primarily for its kernel.org Jan 2024 EOL date).
Not personally, that was just what the announcements said, I am just passing it on. Have a look again at the first message as it relates to Intel processors only, AMD are ok. How you update the microcode in linux I don't know though, I haven't looked at that. And as it says above there are workarounds in your kernel so maybe you're ok. Have a look at the changelog on kernel.org for yours is really all I can suggest.
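
One way to answer the "is my kernel covered?" question raised above, as an added example that is not part of any post in this thread: a shell script that compares a kernel version against the release list quoted in the first post and reads the kernel's own sysfs status files for TAA and iTLB multihit. The function names are made up for this example, and a series missing from the list is reported as such rather than guessed.

```shell
#!/bin/sh
# Added example (not from the thread). FIXED is the release list quoted in the
# first post; VULN_DIR can be overridden to test against constructed files.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
FIXED="5.3.11 4.19.84 4.14.154 4.9.201 4.4.201"

# Returns 0 if VERSION is at or above the listed release for its series,
# 1 if it is older, 2 if the series is not in the list at all.
kernel_has_workarounds() {
    v=${1%%[-+]*}                         # drop suffixes such as "-generic"
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    series="$1.$2"; patch=${3:-0}
    case $patch in ''|*[!0-9]*) return 2 ;; esac
    for f in $FIXED; do
        if [ "${f%.*}" = "$series" ]; then
            [ "$patch" -ge "${f##*.}" ] && return 0
            return 1
        fi
    done
    return 2
}

# Prints the kernel's own verdict for one issue (tsx_async_abort, itlb_multihit).
mitigation_status() {
    if [ -r "$VULN_DIR/$1" ]; then cat "$VULN_DIR/$1"
    else echo "not reported by this kernel"; fi
}

# Reduces a status line to: unaffected | mitigated | vulnerable | unreported | unknown
classify_status() {
    case $1 in
        "Not affected"*) echo unaffected ;;
        "not reported"*) echo unreported ;;
        *Mitigation*)    echo mitigated ;;
        *[Vv]ulnerable*) echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

mitigation_report() {
    rc=0; kernel_has_workarounds "$1" || rc=$?
    case $rc in
        0) echo "kernel $1: at or above the listed release for its series" ;;
        1) echo "kernel $1: older than the listed release for its series" ;;
        *) echo "kernel $1: series not in the list, read its changelog" ;;
    esac
    for n in tsx_async_abort itlb_multihit; do
        s=$(mitigation_status "$n")
        echo "$n: $(classify_status "$s") ($s)"
    done
}

mitigation_report "$(uname -r)"
```

A missing status file ("unreported") means the running kernel does not know about the issue, so the raw status string printed in parentheses is the part to read closely.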

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

#8 Post by ozsouth »

How you update the microcode in linux I don't know though, I haven't looked at that.
See: http://murga-linux.com/puppy/viewtopic. ... 15#1030115

scsijon
Posts: 1596
Joined: Thu 24 May 2007, 03:59
Location: the australian mallee

#9 Post by scsijon »

ozsouth wrote:
How you update the microcode in linux I don't know though, I haven't looked at that.
See: http://murga-linux.com/puppy/viewtopic. ... 15#1030115
Thanks ozsouth, as I said I hadn't needed it so I hadn't tried to find out, it's nice that someone has, maybe rufwoof can follow it if he finds he needs it.

And to make some jealous, I've got a Ryzen 9 16core on loan till Christmas and been promised the loan of a Threadripper after they come out next year. Funny thing is the Ryzen 9 isn't using all its cores so I suspect there is need for a kernel setting or two, and what a Threadripper is going to do with 32 cores/64threads/80meg primary cache I'm not sure, but I don't plan on buying one at present, you're most likely going to be talking over $10K for a basic box and double that for a real world one.
