Many Ubuntu Linux users who installed the latest kernel updates to fix the Meltdown CPU vulnerability found themselves stuck in a boot loop and had to revert to a previous version.
The problem affected mostly Ubuntu 16.04 (Xenial Xerus), which is a long-term support (LTS) release. Soon after the 4.4.0-108 kernel update was released to fix the Meltdown vulnerability, users flooded the Ubuntu Forums and bug tracker to report booting problems.
The Ubuntu developers isolated the bug and released kernel version 4.4.0-109, which corrects the issue for most people. However, questions remain about the quality of the Meltdown patch on the 4.4.x kernel series in general.
A few days ago, Linux kernel hacker Andrew Lutomirski described the backporting work for the Meltdown patch on older kernels as “buggy.”
Meltdown, which allows userspace applications to defeat a critical security layer and read sensitive information from the kernel’s memory, was patched through a mechanism called Kernel Page Table Isolation (KPTI). This patch actually started out under the name KAISER, as a method for preventing attacks that bypass Kernel Address Space Layout Randomization (KASLR).
KASLR is an important security feature that randomizes kernel memory addresses to make the exploitation of entire classes of vulnerabilities more difficult. Windows and macOS have their own implementations.
When the Linux kernel developers learned of the new Meltdown bug, which affects most modern Intel CPUs, they realized that the KASLR strengthening they were already working on could be used to mitigate the flaw. However, KPTI had been developed as a new feature rather than as a backport, and it was released in the stable kernel 4.14.11.
Meltdown raised a serious problem because it meant that KPTI also had to be backported to older LTS kernel series, including 4.9.x and 4.4.x. That process was not easy, and the result is not really on par with KPTI.
The backports are derived from an older KAISER version and don’t match what the 4.14 and 4.15 kernels do, Lutomirski warned in a post on Hacker News a few days ago. “They will have bugs. There’s a reason PTI was heavily modified from the old KAISER code. They will also tend to diverge from upstream just because the code is so different. This means that the next time low-level x86 changes need to be backported, it’ll be a huge mess.”
Lutomirski also warned that the backported patches will not receive a lot of support from the upstream kernel developers and already there are some bugs that are simply getting ignored. This could pose problems for Linux distributions that rely on those older kernels because they might have to fix the issues themselves.
Also, KAISER does not effectively mitigate KASLR leaks, and on Meltdown-affected hardware exposes the kernel stack to userspace, Lutomirski said. “If that’s not usable for rooting a box, I’ll eat my hat. KPTI doesn’t have this problem.”
Because of these issues, the kernel developer advises organizations to update their Linux systems to kernel 4.14 or newer, but that’s probably not something that many users of enterprise Linux distros can do.
Meltdown is a dangerous vulnerability with serious security implications. However, for some use cases, detection rather than mitigation might be more appropriate, especially since the Meltdown patches can have a significant performance impact for certain types of workloads. Microsoft suggested companies consider the risk versus their performance needs before applying its own Meltdown and Spectre patches on Windows servers.
Security firm Capsule8 has released code that can be used to detect Meltdown attacks on Linux systems and has documented the methods used.
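For an administrator who has just applied one of these updates, the two questions that follow from the article are whether the installed build is the 4.4.0-108 kernel that boot-looped and whether page-table isolation is actually active on the running kernel. The script below is an added example written for this page; it is not code from the article, from Ubuntu or from Capsule8. It assumes Ubuntu's `<version>-<abi>-<flavour>` release naming (for example `4.4.0-108-generic`), that mainline KPTI exposes a `pti` flag in `/proc/cpuinfo` while the KAISER-derived 4.4/4.9 backports expose `kaiser`, that newer kernels report Meltdown status in `/sys/devices/system/cpu/vulnerabilities/meltdown`, and that the boot log carries the line `Kernel/User page tables isolation: enabled`. The sample inputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the article, Ubuntu or Capsule8.
# Every check takes its input text as an argument, so the same functions
# run against the constructed samples below and against the live system.

# The Ubuntu Xenial kernel build the article reports as boot-looping.
BAD_XENIAL_KERNEL='4.4.0-108'

# Classify a `uname -r` string. Ubuntu names releases
# <version>-<abi>-<flavour>, e.g. 4.4.0-108-generic (assumed format).
kernel_release_status() {
    case "$1" in
        "$BAD_XENIAL_KERNEL"|"$BAD_XENIAL_KERNEL"-*) echo "boot-loop-build" ;;
        *) echo "ok" ;;
    esac
}

# Signal 1: /proc/cpuinfo. Mainline KPTI adds the "pti" flag; the
# KAISER-derived 4.4/4.9 backports the article discusses use "kaiser".
cpuinfo_has_pti() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qwE 'pti|kaiser'
}

# Signal 2: /sys/devices/system/cpu/vulnerabilities/meltdown, where the
# kernel reports "Mitigation: PTI", "Vulnerable" or "Not affected".
# Older kernels lack the file; an empty argument means no evidence.
sysfs_meltdown_status() {
    case "$1" in
        Mitigation:*PTI*) echo "mitigated" ;;
        "Not affected"*)  echo "not-affected" ;;
        Vulnerable*)      echo "vulnerable" ;;
        *)                echo "unknown" ;;
    esac
}

# Signal 3: the boot-log line printed when page-table isolation is on.
dmesg_has_pti() {
    printf '%s\n' "$1" | grep -q 'Kernel/User page tables isolation: enabled'
}

# Combine the signals: any positive KPTI evidence wins, then the sysfs
# verdict; with no evidence at all the kernel is treated as vulnerable.
# Arguments: cpuinfo text, sysfs meltdown text, dmesg text.
kpti_verdict() {
    if cpuinfo_has_pti "$1" || dmesg_has_pti "$3"; then
        echo "mitigated"
        return 0
    fi
    case "$(sysfs_meltdown_status "$2")" in
        mitigated)    echo "mitigated" ;;
        not-affected) echo "not-affected" ;;
        *)            echo "vulnerable" ;;
    esac
}

# Constructed sample inputs (not captured from a real machine).
PATCHED_CPUINFO='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 pti'
UNPATCHED_CPUINFO='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8'
PATCHED_DMESG='[    0.000000] Linux version 4.4.0-109-generic (constructed sample)
[    0.000000] Kernel/User page tables isolation: enabled'

# Live check: read whatever inputs exist (dmesg may need root) and report.
live_check() {
    ci=''; sf=''; dm=''
    [ -r /proc/cpuinfo ] && ci=$(cat /proc/cpuinfo)
    [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ] &&
        sf=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown)
    dm=$(dmesg 2>/dev/null || true)
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_release_status "$rel"); KPTI: $(kpti_verdict "$ci" "$sf" "$dm")"
}

live_check
```

The three signals are deliberately independent: a 4.4.0-109 machine may predate the sysfs vulnerabilities directory, an unprivileged user may not be able to read `dmesg`, and the flag name in `/proc/cpuinfo` differs between mainline KPTI and the backports, so the verdict only reports "vulnerable" when none of them shows isolation is on.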