minor is_cpu_vulnerable() changes (#71)

* correct is_cpu_vulnerable() comment

As far as I can tell, the function and usage are correct for the comment
to be inverted.

Add a clarifying note as to why the value choice makes sense.

* exit on invalid variant

If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.

* no need to set vulnerable CPUs

According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
Corey Hickey 2018-01-13 04:16:37 -08:00 committed by Stéphane Lesimple
parent f3551b9734
commit 4a2d051285


@ -151,14 +151,14 @@ _debug()
is_cpu_vulnerable() is_cpu_vulnerable()
{ {
# param: 1, 2 or 3 (variant) # param: 1, 2 or 3 (variant)
# returns 1 if vulnerable, 0 if not vulnerable, 255 on error # returns 0 if vulnerable, 1 if not vulnerable
# (note that in shell, a return of 0 is success)
# by default, everything is vulnerable, we work in a "whitelist" logic here. # by default, everything is vulnerable, we work in a "whitelist" logic here.
# usage: is_cpu_vulnerable 2 && do something if vulnerable # usage: is_cpu_vulnerable 2 && do something if vulnerable
variant1=0 variant1=0
variant2=0 variant2=0
variant3=0 variant3=0
if grep -q AMD /proc/cpuinfo; then if grep -q AMD /proc/cpuinfo; then
variant1=0
variant2=1 variant2=1
variant3=1 variant3=1
elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then
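Review bot: in the AMD branch, dropping `variant1=0` leaves the variant 1 result for AMD dependent on the `variant1=0` default set just above the `if`, and nothing in the branch says so. A one-line comment in the branch stating that variant 1 keeps the default (vulnerable) would stop a later reader from taking the missing assignment for an oversight, especially since the other two variants are still assigned explicitly right below it.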
@ -174,20 +174,16 @@ is_cpu_vulnerable()
# arch 7? 7? 7 7 7 8 8 8 8 # arch 7? 7? 7 7 7 8 8 8 8
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
# armv7 vulnerable chips # armv7 vulnerable chips
variant1=0 :
variant2=0
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
# armv8 vulnerable chips # armv8 vulnerable chips
variant1=0 :
variant2=0
else else
variant1=1 variant1=1
variant2=1 variant2=1
fi fi
# for variant3, only A75 is vulnerable # for variant3, only A75 is vulnerable
if [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then if ! [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
variant3=0
else
variant3=1 variant3=1
fi fi
fi fi
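Review bot: the branches under "armv7 vulnerable chips" and "armv8 vulnerable chips" are now bare `:` no-ops, so the if/elif chain exists only to reach its `else`. Either state in each branch that variants 1 and 2 keep the default (vulnerable), or fold the two part-number tests into one negated condition, the way the variant 3 test was rewritten. In that variant 3 test, `[ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]` still uses `-a`, which POSIX marks obsolescent; two separate `[ ]` tests would be more robust now that the line is being touched anyway.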
@ -195,7 +191,8 @@ is_cpu_vulnerable()
[ "$1" = 1 ] && return $variant1 [ "$1" = 1 ] && return $variant1
[ "$1" = 2 ] && return $variant2 [ "$1" = 2 ] && return $variant2
[ "$1" = 3 ] && return $variant3 [ "$1" = 3 ] && return $variant3
return 255 echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2
exit 1
} }
show_header() show_header()
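Review bot: `exit 1` at the end of the function ends the whole script only when is_cpu_vulnerable runs in the main shell. Called inside `$( )` or a pipeline, it ends just the subshell, and the caller then sees status 1, which the header comment defines as "not vulnerable", which is the false negative this change sets out to prevent. The header comment lost "255 on error" without gaining a replacement, so add a line there saying that an invalid variant aborts the script and that the function must be called directly, as in the documented `is_cpu_vulnerable 2 && ...` usage.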