FP2 patch for Meltdown/Spectre

Hi,

Is there any news on a patch for Meltdown/Spectre? I believe it has been fixed in the latest core Android patch, but I was wondering how long this might take to come through to the Fairphone OS, particularly as this has been such a widely publicised vulnerability…

4 Likes

We are aware of the problem and are assessing how the Fairphone 2 is affected. Needed patches will be part of the February update.

11 Likes

For me as a Lineage (LOS) user the question is:
Do I have to live with the fixes LOS (same applies to Ubuntu etc.) includes in their updates?
I think they cannot include proprietary fixes for specific hardware due to the numerous different phones using alternative software.

I understood that even when using Lineage OS for Fairphone 2, fixes for modem software are available, e.g. modem-17.11.2.zip

Is there any chance that Fairphone makes available in the same way also other specific proprietary security fixes?

(I don’t know which SoC FP1 exactly has.)

Spectre should be fixed with the update Tuesday (assuming LOS backports these fixes which is a fair bet). You can verify by checking patch level at Settings -> About phone -> Android security patch level. Should be as Ingo stated after Tuesday.

Meltdown, as far as it's known today, only affects Intel and a few rare ARM processors: Cortex-A15, Cortex-A57, Cortex-A72. Snapdragon 810 is based on A57. FP2 is a Snapdragon 800 though.

See this article for current information and which hardware is affected:

To protect your browser from remote exploitation via JavaScript (POC shown on 34C3) see:

You can also figure out about other devices by checking https://en.wikipedia.org/wiki/Comparison_of_ARMv8-A_cores and sorting on out of order execution. For example, my Shield Tablet has a Tegra K1 which is based on Cortex-A15.

5 Likes

FP2 uses a Snapdragon 801 (Qualcomm MSM8974PRO-AA and MSM8974PRO-AB), which is a SoC that includes 4x Qualcomm® Krait™ 400 CPU. “[Krait CPUs were] introduced in 2012 as a successor to the Scorpion CPU and although it has architectural similarities, Krait is not a Cortex-A15 core, but it was designed in-house.” (Wikipedia). More importantly, Meltdown and Spectre are vulnerabilities built around speculative code execution, a capability Krait 400 has.

(Opinion) FP2’s CPU is probably not directly affected by Meltdown, but as Spectre is a processor design flaw, patches will be needed for each derived vulnerability.

Also, I want to add a useful article to understand those vulnerabilities here (ignore the title):

12 Likes

Thanks @Roboe for the details about the Krait 400 CPU etc…
As the last sentence is “only” (I don’t want to say that it is useless :wink: ) your opinion, is there any reliable information in the meantime on how exactly the FP2 is affected?

@Douwe: Ok, we can expect necessary patches in the February release. (Of course LineageOS and Ubuntu Touch, etc. will get patches by the maintainers separately, so Fairphone cannot say anything about that.)
But maybe Fairphone can say something official if the FPs are affected by Spectre only or Meltdown+Spectre and so on. Maybe a little blog post helps as well.

1 Like

You’re right. Although my opinion is never a “plain” opinion —I know some things about how tech works, :wink:— it was a non-reliable opinion, after all, and marked as such.

Searching for some info, these articles emerged:

In a nutshell, Qualcomm SoCs are affected by those vulnerabilities. However, only Cortex-A75 —not in any shipping product at the moment— is affected by Meltdown. FP2 (Snapdragon 801 SoC/Krait 400 CPU) is based on Cortex-A15 architecture.

I don’t think anyone can be more specific because only Qualcomm knows specific details about their hardware implementations.

1 Like

There is no Spectre fix at the actual LOS (14.1-20180109-NIGHTLY-FP2). The Android security patch level is 5. December 2017 still.

1 Like

I tend to look at the changelog to see what’s in: https://www.lineageoslog.com/14.1/FP2

1 Like

From the customer relations standpoint, it would be good of FP to put an official statement on the support page for such a high-profile issue, detailing how they intend to handle the issue, and in which time frame. Would be a nice change from the usual FUD approach of most IT giants.

4 Likes

This vulnerability [1] got released in the news the other day:

A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream “x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()” commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.

TL;DR all Linux kernel (longterm)stable versions were vulnerable to Spectre v1 up till… well, current git? Cause I still don’t see Linux kernel 5.2.12 released, to name an example.

I’m not entirely sure at which date the vulnerability got reintroduced.

Whether this applies to FP1/FP2 I do not know. I know that FP2 runs Linux kernel 3.16 (on LOS 16, and supposedly also other OSes use this kernel cause of blobs) which isn’t mentioned as affected.

While I assume they backported the Meltdown and Spectre fixes, including this bug, it has to be carefully verified.

Has anyone tried such? Where can I browse the source used?

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15902
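
An added example, not part of the original post or of any project's code: a first-pass check of a `uname -r` string against the series and last-affected patch releases listed in the CVE-2019-15902 description quoted above. The sample release strings are constructed, and because a vendor kernel can carry or lack backports regardless of its version string, the result is a triage hint that still has to be confirmed against the source tree.

```python
import re

# Last affected patch release per stable/longterm series, copied from the
# CVE-2019-15902 description quoted above. The text gives no lower bound
# inside a series, so every release up to this number counts as listed.
LAST_AFFECTED = {(4, 4): 190, (4, 9): 190, (4, 14): 141, (4, 19): 69, (5, 2): 11}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch).

    Vendor suffixes such as "-perf-g1a2b3c4" or "+" are ignored.
    """
    m = _RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(release):
    """Classify a release against the ranges named in the CVE text.

    "listed"       : series is named and patch <= last affected release
    "after-listed" : series is named, patch is newer than the listed range
    "not-listed"   : series is not named; says nothing about Spectre itself
    """
    major, minor, patch = parse_release(release)
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "not-listed"
    return "listed" if patch <= last else "after-listed"


# Constructed sample strings (assumptions, not taken from any real device).
SAMPLES = ["4.4.190", "4.4.191-gabc1234", "4.19.69+", "5.2.12",
           "3.4.0-perf-g1a2b3c4", "4.14"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:24} {classify(s)}")
```
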

It uses 3.4 but that doesn’t make it not vulnerable to Spectre - I don’t think it will ever get fixed by Qualcomm because it’s end of life.

On the other hand, attack scenarios on smartphones with Spectre are as of today of a rather theoretical nature because these vulnerabilities are extremely hard to exploit. I am not too worried.

2 Likes

Cheers, thanks for the heads up. Not sure how I came up with 3.16 as I just verified it with one glance (on the very same page where I looked :scream:) that you’re right.

Do security fixes not get backported into the Linux kernel though? I thought they were?

There was already a PoC of Spectre in the browser which was very easy, and cross-platform. As time goes by, these vulnerabilities get easier to exploit.

Yes they do, but only into the maintained versions at https://www.kernel.org/ by the kernel developers - currently 3.16 is the oldest version there. Linux distributors backport fixes to other kernels used in their own long term support distros, but none of the main distros is on 3.4 as far as I can see. (Red Hat/CentOS still maintain a 3.10 and 2.6.32 kernel)

I don’t think Fairphone has the resources to backport these fixes themselves, security issues like these would probably require a professional kernel developer.

1 Like

Ah well, I’m upgrading anyway. Hopefully FP3 won’t suffer the same fate. AFAIK browsers such as Chrome and Firefox have mitigations against JavaScript Spectre attacks (the PoC I saw was straightforward), but not sure about other software.