[CentOS-devel] [Centos6.5][Spectre]variant 2 not getting fixed

Thu Jan 11 07:13:10 UTC 2018
Simon Matter <simon.matter at invoca.ch>

> Dear team,
>     My guest OS (CentOS 6.5, kernel version 2.6.32-696.18.7.el6.x86_64) is
> running in an ESXi server (VMware ESXi 5.5.0 build-6480324,
> patch ESXi550-201709001.zip was applied).
>     I installed all the packages mentioned in https://lists.centos.org/
...
> I used a tool,
> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh,
> to detect if Meltdown and Spectre got fixed. Spectre Variant 1 and Meltdown
> got fixed but not Variant 2.
> "CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigation 1
> *   Hardware (CPU microcode) support for mitigation:  YES
> *   Kernel support for IBRS:  YES
> *   IBRS enabled for Kernel space:  NO
> *   IBRS enabled for User space:  NO
> * Mitigation 2
> *   Kernel compiled with retpoline option:  NO
> *   Kernel compiled with a retpoline-aware compiler:  NO
>> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with
> retpoline are needed to mitigate the vulnerability)"

Hi,

I think it's because you're running it as a guest, so the fixes are not
needed; they are needed on the virtual host then.

Running an updated CentOS 7 KVM guest on a CentOS 6 host, I see all three
options set to 0.

Regards,
Simon