Slashdot Mirror


Linus Finally Releases Linux 4.15 Kernel, Blames Intel For Delay (phoronix.com)

An anonymous reader writes: Linus Torvalds has released Linux 4.15 following the lengthy development cycle due to the Spectre v2 and Meltdown CPU vulnerability mitigation work. This update comes with many kernel improvements including RISC-V architecture support, AMDGPU Display Code support, Intel Coffee Lake graphics support, and many other improvements.
"This obviously was not a pleasant release cycle, with the whole meltdown/spectre thing coming in in the middle of the cycle and not really gelling with our normal release cycle," Linus writes. "The extra two weeks were obviously mainly due to that whole timing issue... [T]he news cycle notwithstanding, the bulk of the 4.15 work is all the regular plodding 'boring' stuff. And I mean that in the best possible way. It may not be glamorous and get the headlines, but it's the bread and butter of kernel development, and is in many ways the really important stuff.

"Go forth and play with it, things actually look pretty good despite everything. And obviously this also means that the merge window for 4.16 is open... Hopefully we'll have a _normal_ and entirely boring release cycle for 4.16. Because boring really is good."

3 of 55 comments

  1. Blame Intel? He doesn't MENTION Intel by Anonymous Coward · · Score: 4, Interesting

    He blames the Meltdown/Spectre mess in general (duh!), but he only blames the timing, which is either the discoverer's fault, or Microsoft's: the embargo was timed to coincide with patch Tuesday.

    While the root cause may be placed at Intel's door, the timing of the disclosure after 10+ years of vulnerability is hardly Intel's choice, and Linus (correctly) refrains from linking them to it in any way.

  2. Buggy Fixes by DrYak · · Score: 4, Interesting

    I thought everyone in the super-fun-secret club knew about Spectre and Meltdown like 6 months ago, because it took them time to code up fixes? I'm guessing Linux kernel devs weren't part of the super-fun-secret club?

    In general, Linux devs happen to have been working on a general class of technology (KAISER, now KPTI) that happens to also be useful against Meltdown (in addition to tons of other problems).
    So from the perspective of Linux devs, not much changed (and it is the general mantra in team Linus Torvalds that *any* bug is a serious bug, no matter if it is a security one or not - so it's a general tendency that when there are security reports, it's business as usual).

    The problem comes from the answer of the manufacturers:

    - Intel botched patches they were submitting (see Linus' ire about them), Intel provided buggy firmware (CPU microcode) that causes problems and that Dell and HP ended up delaying. Intel has tried to enable Meltdown circumvention for everyone even if they're almost the only constructor that's concerned, etc.

    - AMD still can't really decide if version 2 of Spectre (abusing the indirect branch prediction) can actually lead to an actual usable exploit in the wild or not. Though they at least now have determined that a few of their CPUs (since Zen, I think) are affected. So at least for now it's "enable retpoline for them, too".
    etc.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  3. Re:Does this happen now? by Anonymous Coward · · Score: 3, Interesting

    Currently no protection, but also no danger - the actual exploits still don't exist, and aren't expected to show up anytime soon (the vulnerabilities are damn obscure and difficult to exploit) - plus one thing to notice the exploit in action would be a massive CPU load spike - the proof-of-concept programs were extremely CPU-heavy.

    Thing is currently there are counter-measures in place that change the old exploit approach of "just call a fixed address" into "map the entire memory and locate the address you need to call" - randomization of code locations meaning the exploits need to *find* given data in restricted memory instead of just picking it from a known location through (illegally) elevated privileges.

    And both Spectre and Meltdown have an abysmally low data leak rate - something like 1 bit per 200 microseconds. Mapping the couple gigabytes in order to find the usable data/procedures can take hours at maximum CPU load. Something that should be quite noticeable. So while they are an actual risk, they aren't an immediate risk. Just have some patience.