[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-02-03 Thread Nikos Chantziaras
On 02/02/18 13:19, Mick wrote: Anyway, as I understand it, we'll have to wait for gcc-8.1 in March, which utilises 'gcc -mindirect-branch=thunk-extern' to get the benefit of the retpoline kernel patch. No. You get that with GCC 7.3 already, which is in portage now. However, improvements to

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-02-02 Thread Mick
On Wednesday, 31 January 2018 12:20:51 GMT Nikos Chantziaras wrote: > On 31/01/18 14:04, Mick wrote: > > Just to dilute my confusion on what I should do to keep desktops safe(r), > > would someone please clarify: > > > > Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 > >

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Rich Freeman
On Wed, Jan 31, 2018 at 7:07 AM, Nikos Chantziaras wrote: > > I was under the impression that it's the function that performs the call > that needs protection. The called function doesn't need protection, because > if it ends up being actually called, then it's too late already.

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Rich Freeman
On Wed, Jan 31, 2018 at 4:16 AM, Nikos Chantziaras wrote: > On 30/01/18 23:43, Rich Freeman wrote: >> >> If you had some program that listened on a socket and accepted a >> length and a string and then did a bounds check using the length, it >> might be exploitable if a local

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Martin Vaeth
Nikos Chantziaras wrote: > > For example, if you don't trust Firefox, don't install Firefox. But you > *do* trust Firefox. What you don't trust is the JS code Firefox is > executing. That's an artificial distinction, because it is actually firefox which is executing the code

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Mick
On Wednesday, 31 January 2018 12:20:51 GMT Nikos Chantziaras wrote: > On 31/01/18 14:04, Mick wrote: > > Just to dilute my confusion on what I should do to keep desktops safe(r), > > would someone please clarify: > > > > Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 > >

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Nikos Chantziaras
On 31/01/18 14:04, Mick wrote: Just to dilute my confusion on what I should do to keep desktops safe(r), would someone please clarify: Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 with gcc 7.3, or wait until these versions have been stabilised in the tree? What gcc

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Nikos Chantziaras
On 31/01/18 13:17, Martin Vaeth wrote: Nikos Chantziaras wrote: Well, if you're running a local process that is trying to attack you, you've been compromised already, imo. By your definition, you are compromised if you surf to the wrong webpage with enabled javascript.

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Mick
On Wednesday, 31 January 2018 11:30:13 GMT Martin Vaeth wrote: > Nikos Chantziaras wrote: > > Yeah, that's the kind of software that benefits from the Spectre > > mitigation patches. Like browsers, virtualization or emulation software, > > the kernel, etc. > > No. It's software

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Martin Vaeth
Nikos Chantziaras wrote: > Yeah, that's the kind of software that benefits from the Spectre > mitigation patches. Like browsers, virtualization or emulation software, > the kernel, etc. No. It's software like gnupg, encfs, openssl and all the libraries they use (glibc, glib, X

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Martin Vaeth
Nikos Chantziaras wrote: > > Well, if you're running a local process that is trying to attack you, > you've been compromised already, imo. By your definition, you are compromised if you surf to the wrong webpage with enabled javascript. While this is arguably true, I would

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Nikos Chantziaras
On 31/01/18 11:48, taii...@gmx.com wrote: On 01/31/2018 04:16 AM, Nikos Chantziaras wrote: On 30/01/18 23:43, Rich Freeman wrote: If you had some program that listened on a socket and accepted a length and a string and then did a bounds check using the length, it might be exploitable if a

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread taii...@gmx.com
On 01/31/2018 04:16 AM, Nikos Chantziaras wrote: On 30/01/18 23:43, Rich Freeman wrote: If you had some program that listened on a socket and accepted a length and a string and then did a bounds check using the length, it might be exploitable if a local process could feed it data. Even if the

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread Nikos Chantziaras
On 30/01/18 23:43, Rich Freeman wrote: If you had some program that listened on a socket and accepted a length and a string and then did a bounds check using the length, it might be exploitable if a local process could feed it data. Even if the process only listened for outside connections it

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-30 Thread Rich Freeman
On Mon, Jan 29, 2018 at 11:35 PM, Nikos Chantziaras wrote: > On 30/01/18 00:36, Henry Kohli wrote: >> >> Would it be useful to do an emerge -e @world with the new GCC 7.3? > > These flags are for *affected* applications only. That means applications > that: a) run third-party

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-30 Thread Ian Zimmerman
On 2018-01-29 20:35, Alexander Kapshuk wrote: > To compile the kernel with a different compiler, the method shown > below may be used, e.g.: > make CC=clang Unfortunately, this has the annoying side effect that kconfig forces a full reconfiguration, asking every question. Maybe there is a way

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-29 Thread Nikos Chantziaras
On 30/01/18 00:36, Henry Kohli wrote: Would it be useful to do an emerge -e @world with the new GCC 7.3? No. Unless there's a bug involved that would require a rebuild. There doesn't seem to be such a bug. If yes, should we add /-mindirect-branch/, /-mindirect-branch-loop/,

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-29 Thread Mike Gilbert
On Mon, Jan 29, 2018 at 1:56 PM, Mick wrote: > On Monday, 29 January 2018 18:35:58 GMT Mike Gilbert wrote: >> On Mon, Jan 29, 2018 at 12:50 PM, Ian Zimmerman > wrote: >> > On 2018-01-29 20:11, Adam Carter wrote: >> >> Comparing the contents of >>

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-29 Thread Mick
On Monday, 29 January 2018 18:35:58 GMT Mike Gilbert wrote: > On Mon, Jan 29, 2018 at 12:50 PM, Ian Zimmerman wrote: > > On 2018-01-29 20:11, Adam Carter wrote: > >> Comparing the contents of > >> /sys/devices/system/cpu/vulnerabilities/spectre_v2 > >> > >> With gcc 7.2 +

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-29 Thread Mike Gilbert
On Mon, Jan 29, 2018 at 12:50 PM, Ian Zimmerman wrote: > On 2018-01-29 20:11, Adam Carter wrote: > >> Comparing the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2 >> >> With gcc 7.2 + kernel 4.14.15; >> Intel system shows; Vulnerable: Minimal generic ASM

Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-29 Thread Alexander Kapshuk
On Mon, Jan 29, 2018 at 7:50 PM, Ian Zimmerman wrote: > On 2018-01-29 20:11, Adam Carter wrote: > >> Comparing the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2 >> >> With gcc 7.2 + kernel 4.14.15; >> Intel system shows; Vulnerable: Minimal generic ASM

[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-29 Thread Ian Zimmerman
On 2018-01-29 20:11, Adam Carter wrote: > Comparing the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2 > > With gcc 7.2 + kernel 4.14.15; > Intel system shows; Vulnerable: Minimal generic ASM retpoline > AMD system shows: Vulnerable: Minimal AMD ASM retpoline > > With gcc 7.3 +