fix: don't make IBPB mandatory when it's not there

On some kernels there could be IBRS support but not
IBPB support; in that case, don't report VULN just
because IBPB is not enabled when IBRS is.
Stéphane Lesimple 2018-01-24 08:53:33 +01:00
parent 3b0ec998b1
commit 53b9eda040


@ -1011,6 +1011,7 @@ check_variant2()
ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null) ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
_debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled" _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
else else
ibpb_enabled=-1
_debug "ibpb: no ibpb_enabled file in $dir" _debug "ibpb: no ibpb_enabled file in $dir"
fi fi
break break
@ -1193,6 +1194,9 @@ check_variant2()
elif [ "$opt_live" = 1 ]; then elif [ "$opt_live" = 1 ]; then
if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ] && [ "$ibpb_enabled" = 1 ]; then if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ] && [ "$ibpb_enabled" = 1 ]; then
pvulnstatus $cve OK "IBRS/IBPB are mitigating the vulnerability" pvulnstatus $cve OK "IBRS/IBPB are mitigating the vulnerability"
elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ] && [ "$ibpb_enabled" = -1 ]; then
# IBPB doesn't seem here on this kernel
pvulnstatus $cve OK "IBRS is mitigating the vulnerability"
elif [ "$ibpb_enabled" = 2 ]; then elif [ "$ibpb_enabled" = 2 ]; then
pvulnstatus $cve OK "Full IBPB is mitigating the vulnerability" pvulnstatus $cve OK "Full IBPB is mitigating the vulnerability"
else else
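Review bot: The new `[ "$ibpb_enabled" = -1 ]` branch in the second hunk reports a plain OK whose text, `"IBRS is mitigating the vulnerability"`, never tells the operator that IBPB was not found, so a host covered by IBRS alone reads the same as one with both mitigations. I would keep the status but state the gap, e.g. `pvulnstatus $cve OK "IBRS is mitigating the vulnerability (IBPB not available on this kernel)"`, and widen the comment to `# ibpb_enabled=-1: no ibpb_enabled file was found in $dir, so only IBRS can be checked`. The -1 sentinel is assigned in the first hunk only when the file is missing from the directory the loop stopped on; whether that always means the kernel lacks IBPB depends on parts of check_variant2 outside both hunks, so it is worth confirming. As a smaller style point, the added test copies the `-o` form from the line above, which POSIX marks obsolescent; `{ [ "$ibrs_enabled" = 1 ] || [ "$ibrs_enabled" = 2 ]; } && [ "$ibpb_enabled" = -1 ]` says the same thing without it.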