
With so much going on - is there a way in Linux to know whether my system is patched or not?

Similar to the PowerShell script for Windows?



A number of ways are listed here [1]

1. With dmesg:

    dmesg -wH | grep 'page tables isolation'

2. With /proc/cpuinfo:

    grep cpu_insecure /proc/cpuinfo && echo "Patched" || echo "Unpatched!"

[1] https://askubuntu.com/questions/992137/how-to-check-that-kpt...


> grep cpu_insecure /proc/cpuinfo && echo "Patched" || echo "Unpatched!"

That command checks for the "bugs: cpu_insecure" entry in /proc/cpuinfo. However, that line only appears in some of the kernel versions. Recent kernels will have either "cpu_insecure" or "cpu_meltdown" (the name has been changed), while for instance the 3.10 kernel from CentOS 7, which has a backported version of these patches, doesn't even have the "bugs:" field.

And it's that 3.10 kernel which has all the workarounds (both for Spectre and Meltdown), while the more recent kernel has only what's been upstreamed, which so far is only the Meltdown workaround.

It's a mess.


Note that `dmesg` prints from a fixed-size ring buffer, so if your system has significant other output (e.g. if you create and destroy lots of devices or such), it's very possible the boot-time message about page table isolation will have fallen out of the ring buffer.

If you use journald, it by default saves the kernel's ring buffer to disk, so you can use it to check for that message:

    sudo journalctl -b -o cat | grep "page tables isolation"


Interestingly I get:

    dmesg -H | grep 'page tables isolation'
    [  +0.000000] Kernel/User page tables isolation: enabled

    grep cpu_insecure /proc/cpuinfo && echo "Patched" || echo "Unpatched!"
    Unpatched!

    cat /proc/cpuinfo | grep pti
    fpu_exception	: yes

    uname -a
    Linux host 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

So page tables isolation seems to be enabled, but neither the pti flag nor the cpu_insecure bug is in cpuinfo.

EDIT: Maybe this is because it is a Xen guest. Do I need pti on a Xen guest if the host is fully patched?


I like

    dmesg -H | grep 'page tables isolation'

better, because dmesg -wH doesn't return and I suppose the 'page tables isolation' appears during boot.


Thanks. So apparently, my system:

  Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)

is unpatched! Is it because of the LTS version? Most servers run this, including mine.


Ubuntu has not released kernel updates for this issue yet.


Ubuntu say they will release a patch on or before the 9th of January.

They got caught out by the embargo being ended early.


Ubuntu’s kernel package updates are pending.

This Ubuntu Wiki page is being updated with relevant information and package updates as they become available:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAn...


Link to the PowerShell script for those who need it:

https://blogs.technet.microsoft.com/ralphkyttle/2018/01/05/v...


    $ dmesg | grep isolation
    [ 0.000000] Kernel/User page tables isolation: enabled


    cat /proc/cpuinfo | grep pti


What is the expected outcome if it's patched vs. not?

I am getting:

  fpu_exception	: yes


You should see "pti" on the "flags" line of /proc/cpuinfo. You apparently don't, so you don't have page table isolation.


No, he shouldn’t be seeing that regardless as it doesn’t match the grep regex. I don’t know what, though.

Edit: facepalm. Or should that be foot-in-mouth?


It does match the regex. "pti" is a substring of "exception".


Thanks. I feel stupid, I looked that line up, down, and sideways for a match :/


I was wrong


I currently have the following system (up-to-date):

  Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)

I ran the following command:

  sudo cat /proc/cpuinfo | grep pti

which returned:

  fpu_exception	: yes

Note the instance of 'pti' in the word 'exception'.


fpu_excePTIon
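Putting the thread's checks together as an added example (not posted by any commenter): the pti flag is matched as a whole word so `fpu_exception` no longer counts, the bugs line is checked for both the old `cpu_insecure` and the renamed `cpu_meltdown` name, and the boot-log message is consulted as well. It assumes POSIX sh with `grep -w`; the sample input is constructed so the script runs offline, and for a real check point `kpti_status` at `/proc/cpuinfo` and a saved copy of `dmesg` or `journalctl -b -o cat` output.

```shell
#!/bin/sh
# KPTI (Meltdown mitigation) status checks. Every function takes a file path,
# so it can run on /proc/cpuinfo and a saved boot log, or on test fixtures.

flags_have_pti() {      # "pti" as a whole word on the flags line only
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw pti
}
has_bugs_field() {      # old backported kernels (CentOS 7's 3.10) have none
    grep -qE '^bugs[[:space:]]*:' "$1"
}
bugs_list_meltdown() {  # the entry was renamed from cpu_insecure to cpu_meltdown
    grep -E '^bugs[[:space:]]*:' "$1" | grep -qwE 'cpu_insecure|cpu_meltdown'
}
log_says_pti_enabled() { # the boot-time message the dmesg/journalctl checks look for
    grep -q 'page tables isolation: enabled' "$1"
}

# kpti_status CPUINFO BOOTLOG -> enabled | vulnerable | unknown
#   enabled:    pti flag present or boot log reports isolation enabled
#   vulnerable: kernel lists the bug but shows no mitigation anywhere
#   unknown:    bugs field absent or silent (old kernel, backport, or an
#               unaffected CPU); cpuinfo alone cannot tell these apart
kpti_status() {
    if flags_have_pti "$1" || log_says_pti_enabled "$2"; then
        echo enabled
    elif has_bugs_field "$1" && bugs_list_meltdown "$1"; then
        echo vulnerable
    else
        echo unknown
    fi
}

# Constructed sample (not real machine output) mirroring the Debian 4.9 report
# in the thread: no pti flag, empty bugs line, but the boot log says enabled.
tmp=$(mktemp -d)
cat > "$tmp/cpuinfo" <<'EOF'
flags           : fpu vme de pse sse2 ht syscall nx lm
fpu_exception   : yes
bugs            :
EOF
printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$tmp/boot.log"
: > "$tmp/empty.log"
echo "cpuinfo only:  $(kpti_status "$tmp/cpuinfo" "$tmp/empty.log")"  # unknown
echo "with boot log: $(kpti_status "$tmp/cpuinfo" "$tmp/boot.log")"   # enabled
rm -r "$tmp"
```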



