fix(opcodes): fix regression introduced in previous commit

We were reporting unknown instead of vulnerable when the count of lfence opcodes was low.
This did not affect batch mode or the final decision, only the human-readable output of the script.
Stéphane Lesimple 2018-01-11 15:35:57 +01:00
parent 62f8ed6f61
commit bc4e39038a


@ -611,7 +611,7 @@ check_variant1()
if [ "$nb_lfence" -lt 70 ]; then if [ "$nb_lfence" -lt 70 ]; then
msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available" msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
status=VULN status=VULN
pstatus yellow UNKNOWN pstatus red NO
else else
msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available" msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
status=OK status=OK
@ -857,6 +857,9 @@ check_variant3()
mount_debugfs mount_debugfs
_info_nol "* PTI enabled and active: " _info_nol "* PTI enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
dmesg_grep="Kernel/User page tables isolation: enabled"
dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
if grep ^flags /proc/cpuinfo | grep -qw pti; then if grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo # vanilla PTI patch sets the 'pti' flag in cpuinfo
kpti_enabled=1 kpti_enabled=1
@ -866,10 +869,10 @@ check_variant3()
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 # RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then elif dmesg | grep -Eq "$dmesg_grep"; then
# if we can't find the flag, grep dmesg output # if we can't find the flag, grep dmesg output
kpti_enabled=1 kpti_enabled=1
elif [ -r /var/log/dmesg ] && grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' /var/log/dmesg; then elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable # if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
kpti_enabled=1 kpti_enabled=1
else else
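Review bot: The two dmesg fallbacks in check_variant3 (`dmesg | grep -Eq "$dmesg_grep"` and the `/var/log/dmesg` read) treat a boot-time log line as proof that PTI is active now, yet neither source is guaranteed to describe the running kernel: the ring buffer can have wrapped on a long-running host, and `/var/log/dmesg` may be a leftover from an earlier boot. A stale file that matches would set `kpti_enabled=1` and could report a host as protected when it was booted without PTI, so I would at least say so next to that branch, e.g. `# boot-time evidence only: /var/log/dmesg may predate the current boot`, and ideally word the result as inferred when it comes from these two branches. The new `dmesg_grep` assignments also carry no comment naming which kernel or backport emits each of the three strings, and as far as the hunk shows the variable is not scoped to the function. The body of check_variant3 starts and ends outside these hunks, so how `kpti_enabled` is reported afterwards is not visible here.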