Meltdown and Spectre

Comments

  • Irina Semenova
    Could you please specify your kernel version?
  • Mark
    Sure, here is one, but I already ran yum update and I saw that it installed a new CloudLinux kernel.

    uname -a
    Linux XXXX.XXX.XXX 2.6.32-673.26.1.lve1.4.25.el6.x86_64 #1 SMP Wed Apr 5 16:33:01 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
  • Mark
    Here is the output of some commands too

    /usr/bin/kcarectl --update
    Kernel is safe
    XXX [~]# /usr/bin/kcarectl --info
    kpatch-state: patch is applied
    kpatch-for: Linux version 2.6.32-673.26.1.lve1.4.25.el6.x86_64 (mockbuild@build.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Wed Apr 5 16:33:01 EDT 2017
    kpatch-build-time: Wed Dec 6 05:54:33 2017
    kpatch-description: 210-;2.6.32-773.26.1.lve1.4.46.el6
  • Mark
    Hmm, maybe this was an issue. I reran yum update and saw this:

    Transaction couldn't start:
    installing package kernel-1:2.6.32-896.16.1.lve1.4.49.el6.x86_64 needs 2MB on the /boot filesystem

    [('installing package kernel-1:2.6.32-896.16.1.lve1.4.49.el6.x86_64 needs 2MB on the /boot filesystem', (9, '/boot', 1265664L))]

    But I see
    /dev/sda1 190M 125M 56M 70% /boot
  • Mark
    Hmm, after getting yum to update the kernel and running /usr/bin/kcarectl --update, I still get:

    Yum updated kernel to
    Installed:
    kernel.x86_64 1:2.6.32-896.16.1.lve1.4.49.el6

    /usr/bin/kcarectl --info
    kpatch-state: patch is applied
    kpatch-for: Linux version 2.6.32-673.26.1.lve1.4.25.el6.x86_64 (mockbuild@build.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Wed Apr 5 16:33:01 EDT 2017
    kpatch-build-time: Wed Dec 6 05:54:33 2017
    kpatch-description: 210-;2.6.32-773.26.1.lve1.4.46.el6

    XXX [/boot]# /usr/bin/kcarectl --update
    Kernel is safe
  • Alexandre Parubochyi
    Mark,

    KernelCare does not actually "switch" to the kernel newly installed by yum update; that is not possible without a reboot.
    What it does is binary-patch the running one so that vulnerable procedures are replaced by patched ones in memory.
    That's the reason your system still reports that it is running an old kernel when you issue 'uname -r'.
    At the same time, KernelCare does its patching, so you can see 'Kernel is safe' in the kcarectl output.
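The distinction explained in the last comment can be read straight out of the `kcarectl --info` fields posted in the thread. The script below is an added example, not part of the thread and not KernelCare's own code; it assumes the `kpatch-description` value has the form `<patch level>-<label>;<effective release>`, and `kcare_report` with its optional argument is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: read `kcarectl --info` and report booted vs. live-patched kernel.
# Assumption: kpatch-description is "<patch level>-<label>;<effective release>".

# Sample output copied from the thread above.
SAMPLE_INFO='kpatch-state: patch is applied
kpatch-for: Linux version 2.6.32-673.26.1.lve1.4.25.el6.x86_64 (mockbuild@build.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Wed Apr 5 16:33:01 EDT 2017
kpatch-build-time: Wed Dec 6 05:54:33 2017
kpatch-description: 210-;2.6.32-773.26.1.lve1.4.46.el6'

# info_field NAME: print the value of the first "NAME: value" line on stdin.
info_field() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1; }

# The release the machine booted (what `uname -r` keeps reporting).
booted_release()    { info_field kpatch-for | awk '{print $3}'; }
# The patch level and the release whose fixes are applied in memory.
patch_level()       { info_field kpatch-description | sed 's/-.*//'; }
effective_release() { info_field kpatch-description | sed -n 's/^[^;]*;//p'; }

# kcare_report [NEWEST_INSTALLED]: summarise `kcarectl --info` read from stdin.
# NEWEST_INSTALLED (hypothetical argument) is the newest kernel release on disk.
# Returns 1 when the state is anything other than "patch is applied".
kcare_report() {
    info=$(cat)
    state=$(printf '%s\n' "$info" | info_field kpatch-state)
    booted=$(printf '%s\n' "$info" | booted_release)
    if [ "$state" != "patch is applied" ]; then
        echo "NOT-PATCHED booted=${booted:-unknown}"
        return 1
    fi
    level=$(printf '%s\n' "$info" | patch_level)
    effective=$(printf '%s\n' "$info" | effective_release)
    echo "LIVE-PATCHED booted=$booted level=$level effective=$effective"
    # A newer kernel on disk is only used after a reboot; until then the
    # running kernel is the booted one plus the in-memory patch.
    if [ -n "${1:-}" ] && [ "$1" != "$booted" ]; then
        echo "ON-DISK-ONLY installed=$1"
    fi
    return 0
}

# Demo on the sample; on a real host: kcarectl --info | kcare_report "$newest"
printf '%s\n' "$SAMPLE_INFO" | kcare_report 2.6.32-896.16.1.lve1.4.49.el6.x86_64
```

For the thread's host this reports three different releases: the booted one (673.26.1), the live-patched level (773.26.1) and the one yum installed on disk (896.16.1).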
