Many modern processors have implementation issues that allow unprivileged attackers to bypass user-kernel or inter-process memory access restrictions, by exploiting speculative execution and shared resources (caches).

Details of these flaws were announced publicly on 3 January 2018. In May 2018 rumours started circulating of a second set of flaws.

Background

x86

Arm

Power

MIPS

Vulnerability Status (by Architecture)

CVE: CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3665 GPZ variant: Variant 1 Variant 2 Variant 3 Variant 3a Variant 4 Nickname: Spectre Spectre Meltdown Lazy FP State Restore arch microarch amd64 AMD Vulnerable Mitigation [8] Not vulnerable Not vulnerable ** Vulnerable Intel Vulnerable Mitigation [7,8] Mitigation [1,5,6] Vulnerable Mitigation [10] Mitigation [12] Via i386 AMD Vulnerable Mitigation [8] Not vulnerable Not vulnerable ** Vulnerable Intel Vulnerable Mitigation [8,11] Mitigation [9] Vulnerable Vulnerable Via arm64 Cavium ThunderX Not vulnerable Not vulnerable Not vulnerable Not vulnerable Cavium ThunderX2 * Vulnerable Vulnerable Not vulnerable Not vulnerable Qualcomm Falkor * Vulnerable Cortex A53, A55 Not vulnerable Not vulnerable Not vulnerable Not vulnerable Cortex A57 Vulnerable Mitigation [2] Not vulnerable Vulnerable Vulnerable Cortex A72 Vulnerable Mitigation [2] Not vulnerable Vulnerable Vulnerable Cortex A73 Vulnerable Mitigation [2] Not vulnerable Not vulnerable Vulnerable Cortex A75 Vulnerable Mitigation [2] Vulnerable Not vulnerable Vulnerable armv7 Cortex A5, A7 Not vulnerable Not vulnerable Not vulnerable Not vulnerable Cortex A8, A9, A17 Vulnerable Mitigation [4] Not vulnerable Not vulnerable Cortex A15 Vulnerable Mitigation [4] Vulnerable Not vulnerable armv4,5,6 Not vulnerable Not vulnerable Not vulnerable Not vulnerable mips MIPS P5600 Vulnerable Vulnerable Not vulnerable Not vulnerable MIPS P6600 Vulnerable Vulnerable Not vulnerable Not vulnerable MIPS Other Not vulnerable Not vulnerable Not vulnerable Not vulnerable sparc64 powerpc64 POWER6 Vulnerable Vulnerable Not vulnerable + Not vulnerable POWER7, POWER8, POWER9 Vulnerable Vulnerable Not vulnerable + Not vulnerable

* These CPUs are not yet supported by FreeBSD

+ ppc64 hashed page tables use separate user/kernel address space and are not vulnerable to meltdown

** AMD reports "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."

NOTE: Empty cells and unlisted architectures either have an unknown status, or will be added to the table shortly.

This table represents the most up-to-date information we have, but as the understanding of these vulnerabilities is changing rapidly certain details may be out of date or incorrect.

Mitigation Patches

Commit # Description Review HEAD stable/11 stable/10 1 amd64 PTI (Meltdown) D13797, D13956, D13962 r328083, r328096, r328116, r328119, r328120, r328128, r328135, r328153, r328157, r328177, r328199, r328202, r328205, r328468 r329462 2 arm64 Spectre variant 2 D13812 r327876 3 amd64 bhyve partial Spectre variant 2 D13919 r328011 r330704 4 armv7 Spectre variant 2 D13931 r328467 5 amd64 PTI-PCID integration D13985 r328470 r329462 6 amd64 PTI default setting D13971 r328166, r328624 r329462 7 amd64 Spectre IBRS D14029 r328625, r328627, r328628 r329462 8 x86 Clang retpoline Spectre variant 2 LLVM D41723, D14228, D14242 r328817, r328972, r330110, r330112 9 i386 4/4G split D14633 r332489 10 amd64 Intel SSBD r334005 11 i386 Spectre IBRS D15522 r334103 12 amd64 Lazy FP State Restore r335072, r336683 r335090, r336963

NOTE: Descriptions above indicate patch applicability (e.g. arch and variant) but are not necessarily the entire/full or final mitigation for the issue.

AMD64 user guide

Meltdown (CVE-2017-5754)

Meltdown vulnerability mitigation requires using separate kernel and user mode page tables, so that user mode does not have sensitive physical pages mapped even with restricted permissions. The technique is known as Page Table Isolation (PTI) and implemented for amd64 kernel. PTI is enabled by default for any non-AMD CPUs. You can enforce PTI, or instead disable it, with vm.pmap.pti=0 loader tunable.

The older Intel Atoms CPUs are in-order and there is a belief that they are not vulnerable to Meltdown. We do not try to distinguish the microarchitectures to not enable PTI on such CPUs, since we do not have conclusive answer to that question, and do not have exhaustive list of the microarchitecture identifiers.

At https://github.com/dag-erling/meltdown you can find a test for Meltdown, which might be used to verify the CPU. Note that positive result from it is definitive, while negative answer might indicate the required tweaking for the test instead of the bug free CPU.

Spectre: Variant 2 (CVE-2017-5715)

The patches for retpoline approach to mitigation of the Spectre variant 2 vulnerability are in work, meantime we provide IBRS-based mitigation on Intel CPUs. The IBRS mitigation main disadvantage is the significant performance penalty. Also, due to the situation with the Intel microcode releases, it is somewhat not trivial to find working and stable blob.

AMD promised to provide the same mechanism, but its presence on AMD CPUs is detected differently than on Intel CPUs. We do not yet see any AMD CPU with this capability, so the supposed code to detect and use IBRS on AMD is not committed. Also, it seems that AMD specifies that even if SMEP is enabled, user/kernel boundary IBRS protection still requires Return Stack Buffer (RSB) flush. On Intels, it is only needed for CPUs not providing the SMEP.

You can verify that the IBRS-enabling microcode is loaded by looking at the dmesg buffer after the microcode update. If the line Structured Extended Features3=0xc000000<IBPB,STIBP> appears in the CPU features report, then IBPB (the IBRS barrier) feature is patched in, so system can perform the mitigation on user/kernel boundary. Current status of the mitigation can be verified with the sysctl hw.ibrs_active. If the CPU feature is present and not disabled by the tunable/sysctl hw.ibrs_disable, it should indicate activation.

If you have access to the Intel microcode list, for instance https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf, you can look at the version of the currently patched microcode as well. Use sysutils/x86info from ports, load the cpuctl(4) driver (already required for microcode load), and use the '-a' switch to see the microcode version among other things.

Spectre: Variant 1 (CVE-2017-5753)

<empty>