From 3e454f1817c447baab60990fc5c4b11ca9880c73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Tue, 23 Jan 2018 22:20:34 +0100
Subject: [PATCH] fix(offline): report unknown when too few info

In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
---
 spectre-meltdown-checker.sh | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 09658b4..aa1b43b 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -928,7 +928,9 @@ check_variant2()
 		fi
 
 		_info_nol "*   Kernel support for IBRS: "
+		ibrs_can_tell=0
 		if [ "$opt_live" = 1 ]; then
+			ibrs_can_tell=1
 			mount_debugfs
 			for ibrs_file in \
 				/sys/kernel/debug/ibrs_enabled \
@@ -962,6 +964,7 @@ check_variant2()
 			fi
 		fi
 		if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
+			ibrs_can_tell=1
 			if grep -q spec_ctrl "$opt_map"; then
 				pstatus green YES
 				ibrs_supported=1
@@ -969,7 +972,12 @@ check_variant2()
 			fi
 		fi
 		if [ "$ibrs_supported" != 1 ]; then
-			pstatus red NO
+			if [ "$ibrs_can_tell" = 1 ]; then
+				pstatus red NO
+			else
+				# if we're in offline mode without System.map, we can't really know
+				pstatus yellow UNKNOWN "in offline mode, we need System.map to be able to tell"
+			fi
 		fi
 
 		_info_nol "*   IBRS enabled for Kernel space: "
@@ -1068,8 +1076,10 @@ check_variant2()
 		else
 			if [ "$ibrs_supported" = 1 ]; then
 				pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime"
-			else
+			elif [ "$ibrs_can_tell" = 1 ]; then
 				pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
+			else
+				pvulnstatus CVE-2017-5715 UNK "offline mode: not enough information"
 			fi
 		fi
 	else
@@ -1235,8 +1245,10 @@ check_variant3()
 		else
 			if [ "$kpti_support" = 1 ]; then
 				pvulnstatus $cve OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
-			else
+			elif [ "$kpti_can_tell" = 1 ]; then
 				pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
+			else
+				pvulnstatus $cve UNK "offline mode: not enough information"
 			fi
 		fi
 	else