Meltdown Patch Is Causing Problems for Some Ubuntu Linux Users

Many Ubuntu Linux users who installed the latest kernel updates to fix the Meltdown CPU vulnerability found themselves stuck in a boot loop and had to revert back to a previous version.

The problem affected mostly Ubuntu 16.04 (Xenial Xerus), which is a long-term support (LTS) release. Soon after the 4.4.0-108 kernel update was released to fix the Meltdown vulnerability, users flooded the Ubuntu Forums and bug tracker to report booting problems.

The Ubuntu developers isolated the bug and released kernel version 4.4.0-109, which corrects the issue for most people. However, questions remain about the quality of the Meltdown patch on the 4.4.x kernel series in general.

A few days ago, Linux kernel hacker Andrew Lutomirski described the backporting work for the Meltdown patch on older kernels as “buggy.”

Meltdown, which allows userspace applications to defeat a critical security layer and read sensitive information from the kernel’s memory, was patched through a mechanism called Kernel Page Table Isolation (KPTI). This patch actually started out under the name KAISER, as a method for preventing attacks that bypass Kernel Address Space Layout Randomization (KASLR).

KASLR is an important security feature that randomizes kernel memory addresses to make the exploitation of entire classes of vulnerabilities more difficult. Windows and macOS have their own implementations.

When the Linux kernel developers learned of the new Meltdown bug, which affects most modern Intel CPUs, they realized that the KASLR strengthening they were already working on could be used to mitigate the flaw. However, KPTI had only been intended as a new feature, and it was first released in the stable kernel 4.14.11.

Meltdown raised a serious problem because it meant that KPTI also had to be backported to the older LTS kernel series, including 4.9.x and 4.4.x. That process was not easy, and the result is not really on par with KPTI.

The backports are derived from an older KAISER version and don’t match what the 4.14 and 4.15 kernels do, Lutomirski warned in a post on Hacker News a few days ago. “They will have bugs. There’s a reason PTI was heavily modified from the old KAISER code. They will also tend to diverge from upstream just because the code is so different. This means that the next time low-level x86 changes need to be backported, it’ll be a huge mess.”

Lutomirski also warned that the backported patches will not receive a lot of support from the upstream kernel developers and already there are some bugs that are simply getting ignored. This could pose problems for Linux distributions that rely on those older kernels because they might have to fix the issues themselves.

Also, KAISER does not effectively mitigate KASLR leaks, and on Meltdown-affected hardware exposes the kernel stack to userspace, Lutomirski said. “If that’s not usable for rooting a box, I’ll eat my hat. KPTI doesn’t have this problem.”

Because of these issues, the kernel developer advises organizations to update their Linux systems to kernel 4.14 or newer, but that’s probably not something that many users of enterprise Linux distros can do.
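For administrators trying to work out where a given machine stands after the KPTI/KAISER discussion above and the advice to move to 4.14 or newer, the following script is an added example (not code from the article, Ubuntu or the kernel developers). It reports the Meltdown mitigation status of a Linux host from three sources: the `/sys/devices/system/cpu/vulnerabilities/meltdown` file (absent on kernels that predate it), the `pti` CPU flag in `/proc/cpuinfo`, and the running kernel version compared against a threshold such as the 4.4.0-109 Ubuntu fix or the 4.14 mainline series. The helper functions take their input as arguments so they can be checked against constructed sample strings; the threshold versions in the report are the article's own numbers, and `report` is invoked at the end so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: report Meltdown/KPTI mitigation status on a Linux host.
# Helper functions take their input as arguments so that they work on
# constructed strings; only report() touches the live kernel interfaces.

# Classify the contents of /sys/devices/system/cpu/vulnerabilities/meltdown.
# The kernel writes "Not affected", "Vulnerable" or "Mitigation: <name>".
# Prints one of: mitigated, vulnerable, not-affected, unknown.
classify_meltdown() {
    case "$1" in
        "Mitigation: "*) echo "mitigated" ;;
        "Not affected"*) echo "not-affected" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Return 0 if the "pti" feature flag is present in a /proc/cpuinfo flags line
# (argument is the whole "flags : ..." line; the prefix is stripped here).
has_pti_flag() {
    case " ${1#flags*:} " in
        *" pti "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if kernel version $1 is >= $2. Every non-digit run (dots, dashes,
# suffixes such as "-generic") is treated as a separator and up to four
# numeric fields are compared; missing fields count as 0, so "4.14" == "4.14.0".
kernel_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            gsub(/[^0-9]+/, " ")
            n = split($0, f, " ")
            for (i = 1; i <= 4; i++) v[NR, i] = (i <= n) ? f[i] + 0 : 0
        }
        END {
            for (i = 1; i <= 4; i++) {
                if (v[1, i] > v[2, i]) exit 0
                if (v[1, i] < v[2, i]) exit 1
            }
            exit 0
        }'
}

# Print a human-readable status for the host this runs on.
report() {
    running=$(uname -r)
    echo "Running kernel: $running"

    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$sysfs" ]; then
        status=$(cat "$sysfs")
        echo "sysfs reports: '$status' -> $(classify_meltdown "$status")"
    else
        echo "sysfs vulnerabilities file absent (kernel predates it); check cpuinfo instead"
    fi

    if [ -r /proc/cpuinfo ]; then
        flags=$(grep '^flags' /proc/cpuinfo | head -n 1)
        if has_pti_flag "$flags"; then
            echo "cpuinfo: pti flag present (page table isolation active)"
        else
            echo "cpuinfo: no pti flag (no page table isolation, or flag not exported)"
        fi
    fi

    # Version thresholds are the ones named in the article.
    if kernel_ge "$running" 4.14; then
        echo "kernel >= 4.14: mainline KPTI"
    elif kernel_ge "$running" 4.4.0-109; then
        echo "kernel >= 4.4.0-109: Ubuntu backport with the boot-loop fix"
    else
        echo "older kernel: KAISER-derived backport or no mitigation; review before relying on it"
    fi
}

report
```

The `pti` flag is the most portable indicator across the 4.4/4.9 backports, since the sysfs file was added later and only reached some stable series; the version comparison is only meaningful for the distribution's own numbering, which is why the report treats it as a hint rather than a verdict.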

Meltdown is a dangerous vulnerability with serious security implications. However, for some use cases, detection rather than mitigation might be more appropriate, especially since the Meltdown patches can have a significant performance impact for certain types of workloads. Microsoft suggested companies consider the risk versus their performance needs before applying its own Meltdown and Spectre patches on Windows servers.

Security firm Capsule8 has released code that can be used to detect Meltdown attacks on Linux systems and has documented the methods used.

Lucian Constantin



Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
