feat(variant1): better detection for Red Hat/Ubuntu patch

This commit is contained in:
Stéphane Lesimple 2018-02-13 21:25:14 +01:00
parent 35c8a63de6
commit 55a6fd3911

View File

@ -1239,6 +1239,28 @@ check_cpu()
_info
}
check_redhat_canonical_spectre()
{
# if we were already called, don't do it again
[ -n "$redhat_canonical_spectre" ] && return
if ! which strings >/dev/null 2>&1; then
redhat_canonical_spectre=-1
else
# Red Hat / Ubuntu specific variant1 patch is difficult to detect,
# let's use the same way than the official Red Hat detection script,
# and detect their specific variant2 patch. If it's present, it means
# that the variant1 patch is also present (both were merged at the same time)
if strings "$vmlinux" | grep -qw noibrs && strings "$vmlinux" | grep -qw noibpb; then
_debug "found redhat/canonical version of the variant2 patch (implies variant1)"
redhat_canonical_spectre=1
else
redhat_canonical_spectre=0
fi
fi
}
###################
# SPECTRE VARIANT 1
check_variant1()
@ -1289,7 +1311,17 @@ check_variant1()
fi
fi
if [ "$opt_verbose" -ge 2 ] || [ "$v1_mask_nospec" != 1 ]; then
_info_nol "* Kernel has the Red Hat/Ubuntu patch: "
check_redhat_canonical_spectre
if [ "$redhat_canonical_spectre" = -1 ]; then
pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package"
elif [ "$redhat_canonical_spectre" = 1 ]; then
pstatus green YES
else
pstatus red NO
fi
if [ "$opt_verbose" -ge 2 ] || ( [ "$v1_mask_nospec" != 1 ] && [ "$redhat_canonical_spectre" != 1 ] ); then
# this is a slow heuristic and we don't need it if we already know the kernel is patched
# but still show it in verbose mode
_info_nol "* Checking count of LFENCE instructions following a jump in kernel... "
@ -1332,6 +1364,8 @@ check_variant1()
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$v1_mask_nospec" = 1 ]; then
pvulnstatus $cve OK "Kernel source has been patched to mitigate the vulnerability (array_index_mask_nospec)"
elif [ "$redhat_canonical_spectre" = 1 ]; then
pvulnstatus $cve OK "Kernel source has been patched to mitigate the vulnerability (Red Hat/Ubuntu patch)"
elif [ "$v1_lfence" = 1 ]; then
pvulnstatus $cve OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic)"
elif [ "$vmlinux_err" ]; then
@ -1418,6 +1452,13 @@ check_variant2()
_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
fi
fi
if [ "$ibrs_supported" != 1 ]; then
check_redhat_canonical_spectre
if [ "$redhat_canonical_spectre" = 1 ]; then
pstatus green YES "Red Hat/Ubuntu patch"
ibrs_supported=1
fi
fi
if [ "$ibrs_supported" != 1 ]; then
if [ "$ibrs_can_tell" = 1 ]; then
pstatus red NO