From 7a7b05db5915541e997510f2aba59f21463280c4 Mon Sep 17 00:00:00 2001 From: "Gomez Iglesias, Antonio" Date: Tue, 14 Jun 2022 15:05:39 -0700 Subject: [PATCH] Add support for SRBDS Update (CVE-2022-21127) --- .github/workflows/check.yml | 6 +-- README.md | 2 + spectre-meltdown-checker.sh | 101 +++++++++++++++++++++++++++++++++--- 3 files changed, 99 insertions(+), 10 deletions(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index c928dd5..7e5afbe 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -24,7 +24,7 @@ jobs: fi - name: check direct execution run: | - expected=15 + expected=16 nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) if [ "$nb" -ne "$expected" ]; then echo "Invalid number of CVEs reported: $nb instead of $expected" @@ -34,7 +34,7 @@ jobs: fi - name: check docker-compose run execution run: | - expected=15 + expected=16 docker-compose build nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) if [ "$nb" -ne "$expected" ]; then @@ -45,7 +45,7 @@ jobs: fi - name: check docker run execution run: | - expected=15 + expected=16 docker build -t spectre-meltdown-checker . nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) if [ "$nb" -ne "$expected" ]; then diff --git a/README.md b/README.md index 710840b..0375189 100644 --- a/README.md +++ b/README.md @@ -175,6 +175,8 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m **CVE-2020-0543** Special Register Buffer Data Sampling (SRBDS) +**CVE-2022-21127** Special Register Buffer Data Sampling (SRBDS) Update + - Impact: Kernel - Mitigation: microcode update + kernel update helping to protect various CPU internal buffers from unprivileged speculative access to data - Performance impact of the mitigation: low diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 248a444..1598036 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -168,7 +168,7 @@ global_critical=0 global_unknown=0 nrpe_vuln='' -supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207 CVE-2020-0543' +supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207 CVE-2020-0543 CVE-2022-21127' # find a sane command to print colored messages, we prefer `printf` over `echo` # because `printf` behavior is more standard across Linux/BSD @@ -293,6 +293,7 @@ cve2name() CVE-2019-11135) echo "ZombieLoad V2, TSX Asynchronous Abort (TAA)";; CVE-2018-12207) echo "No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)";; CVE-2020-0543) echo "Special Register Buffer Data Sampling (SRBDS)";; + CVE-2022-21127) echo "Special Register Buffer Data Sampling (SRBDS) Update";; *) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;; esac } @@ -317,6 +318,7 @@ _is_cpu_affected_cached() CVE-2019-11135) return $variant_taa;; CVE-2018-12207) return $variant_itlbmh;; CVE-2020-0543) return $variant_srbds;; + CVE-2022-21127) return $variant_srbds_update;; *) echo "$0: error: invalid variant '$1' passed to is_cpu_affected()" >&2; exit 255;; esac } @@ -346,6 +348,7 @@ is_cpu_affected() variant_taa='' variant_itlbmh='' variant_srbds='' + variant_srbds_update='' if is_cpu_mds_free; then [ -z "$variant_msbds" ] && variant_msbds=immune @@ -365,6 +368,11 @@ is_cpu_affected() _debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling" fi + if is_cpu_srbds_update_free; then + [ -z "$variant_srbds_update" ] && variant_srbds_update=immune + _debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling Update" + fi + if is_cpu_specex_free; then variant1=immune variant2=immune @@ -378,6 +386,7 @@ is_cpu_affected() variant_mdsum=immune variant_taa=immune variant_srbds=immune + variant_srbds_update=immune elif is_intel; then # Intel # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected @@ -615,10 +624,11 @@ is_cpu_affected() [ "$variant_taa" = "immune" ] && variant_taa=1 || variant_taa=0 [ "$variant_itlbmh" = "immune" ] && variant_itlbmh=1 || variant_itlbmh=0 [ "$variant_srbds" = "immune" ] && variant_srbds=1 || variant_srbds=0 + [ "$variant_srbds_update" = "immune" ] && variant_srbds_update=1 || variant_srbds_update=0 variantl1tf_sgx="$variantl1tf" # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow [ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1 - _debug "is_cpu_affected: final results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf> <$variantl1tf_sgx>" + _debug "is_cpu_affected: final results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf> <$variantl1tf_sgx> <$variant_srbds> <$variant_srbds_update>" is_cpu_affected_cached=1 _is_cpu_affected_cached "$1" return $? @@ -783,6 +793,68 @@ is_cpu_srbds_free() } +is_cpu_srbds_update_free() +{ + # return zero (0) if the CPU isn't affected by special register buffer data sampling update, one (1) if it is. + # If it's not in the list we know, return one (1). + # source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c + # + # A processor is affected by SRBDS Update if its Family_Model and stepping is in the + # following list, with the exception of the listed processors + # exporting MDS_NO while Intel TSX is available yet not enabled. The + # latter class of processors are only affected when Intel TSX is enabled + # by software using TSX_CTRL_MSR otherwise they are not affected. + # + # ============= ============ ======== + # common name Family_Model Stepping + # ============= ============ ======== + # IvyBridge 06_3AH All (INTEL_FAM6_IVYBRIDGE) + # + # Haswell 06_3CH All (INTEL_FAM6_HASWELL) + # Haswell_L 06_45H All (INTEL_FAM6_HASWELL_L) + # Haswell_G 06_46H All (INTEL_FAM6_HASWELL_G) + # + # Broadwell_G 06_47H All (INTEL_FAM6_BROADWELL_G) + # Broadwell 06_3DH All (INTEL_FAM6_BROADWELL) + # + # Skylake_L 06_4EH All (INTEL_FAM6_SKYLAKE_L) + # Skylake 06_5EH All (INTEL_FAM6_SKYLAKE) + # + # Kabylake_L 06_8EH <=0xC (MDS_NO) (INTEL_FAM6_KABYLAKE_L) + # + # Kabylake 06_9EH <=0xD (MDS_NO) (INTEL_FAM6_KABYLAKE) + # + # Tigerlake 06_8CH 1 (INTEL_FAM6_TIGERLAKE_L) + # ============= ============ ======== + parse_cpu_details + if is_intel; then + if [ "$cpu_family" = 6 ]; then + if [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] || \ + [ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] || \ + [ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] || \ + [ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] || \ + [ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] || \ + [ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] || \ + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || \ + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ]; then + return 1 + elif [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] && [ "$cpu_stepping" -le 12 ] || \ + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] && [ "$cpu_stepping" -le 13 ]; then + if [ "$capabilities_mds_no" -eq 1 ] && { [ "$cpuid_rtm" -eq 0 ] || [ "$tsx_ctrl_msr_rtm_disable" -eq 1 ] ;} ; then + return 0 + else + return 1 + fi + elif [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE_L" ] && [ "$cpu_stepping" -eq 1 ]; then + return 1 + fi + fi + fi + + return 0 + +} + is_cpu_ssb_free() { # return true (0) if the CPU isn't affected by speculative store bypass, false (1) if it does. @@ -1145,7 +1217,7 @@ while [ -n "${1:-}" ]; do l1tf) opt_cve_list="$opt_cve_list CVE-2018-3615 CVE-2018-3620 CVE-2018-3646"; opt_cve_all=0;; taa) opt_cve_list="$opt_cve_list CVE-2019-11135"; opt_cve_all=0;; mcepsc) opt_cve_list="$opt_cve_list CVE-2018-12207"; opt_cve_all=0;; - srbds) opt_cve_list="$opt_cve_list CVE-2020-0543"; opt_cve_all=0;; + srbds) opt_cve_list="$opt_cve_list CVE-2020-0543 CVE-2022-21127"; opt_cve_all=0;; *) echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc or srbds" >&2; exit 255 @@ -1238,6 +1310,7 @@ pvulnstatus() CVE-2019-11135) aka="TAA";; CVE-2018-12207) aka="ITLBMH";; CVE-2020-0543) aka="SRBDS";; + CVE-2022-21127) aka="SRBDS Update";; *) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;; esac @@ -5634,15 +5707,29 @@ check_CVE_2020_0543() cve='CVE-2020-0543' _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" if [ "$os" = Linux ]; then - check_CVE_2020_0543_linux + check_CVE_srbds_linux elif echo "$os" | grep -q BSD; then - check_CVE_2020_0543_bsd + check_CVE_srbds_bsd else _warn "Unsupported OS ($os)" fi } -check_CVE_2020_0543_linux() +# Special Register Buffer Data Sampling (SRBDS) Update +check_CVE_2022_21127() +{ + cve='CVE-2022-21127' + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_srbds_linux + elif echo "$os" | grep -q BSD; then + check_CVE_srbds_bsd + else + _warn "Unsupported OS ($os)" + fi +} + +check_CVE_srbds_linux() { status=UNK sys_interface_available=0 @@ -5737,7 +5824,7 @@ check_CVE_2020_0543_linux() fi } -check_CVE_2020_0543_bsd() +check_CVE_srbds_bsd() { if ! is_cpu_affected "$cve"; then # override status & msg in case CPU is not vulnerable after all