fix(offline): report unknown when too few info

In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
This commit is contained in:
Stéphane Lesimple 2018-01-23 22:20:34 +01:00
parent c8a25c5d97
commit 3e454f1817

View File

@ -928,7 +928,9 @@ check_variant2()
fi
_info_nol "* Kernel support for IBRS: "
ibrs_can_tell=0
if [ "$opt_live" = 1 ]; then
ibrs_can_tell=1
mount_debugfs
for ibrs_file in \
/sys/kernel/debug/ibrs_enabled \
@ -962,6 +964,7 @@ check_variant2()
fi
fi
if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
ibrs_can_tell=1
if grep -q spec_ctrl "$opt_map"; then
pstatus green YES
ibrs_supported=1
@ -969,7 +972,12 @@ check_variant2()
fi
fi
if [ "$ibrs_supported" != 1 ]; then
if [ "$ibrs_can_tell" = 1 ]; then
pstatus red NO
else
# if we're in offline mode without System.map, we can't really know
pstatus yellow UNKNOWN "in offline mode, we need System.map to be able to tell"
fi
fi
_info_nol "* IBRS enabled for Kernel space: "
@ -1068,8 +1076,10 @@ check_variant2()
else
if [ "$ibrs_supported" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime"
else
elif [ "$ibrs_can_tell" = 1 ]; then
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
else
pvulnstatus CVE-2017-5715 UNK "offline mode: not enough information"
fi
fi
else
@ -1235,8 +1245,10 @@ check_variant3()
else
if [ "$kpti_support" = 1 ]; then
pvulnstatus $cve OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
else
elif [ "$kpti_can_tell" = 1 ]; then
pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
else
pvulnstatus $cve UNK "offline mode: not enough information"
fi
fi
else