diff --git a/src/vulns/CVE-2018-3646.sh b/src/vulns/CVE-2018-3646.sh
index 16bf8f7..60e3531 100644
--- a/src/vulns/CVE-2018-3646.sh
+++ b/src/vulns/CVE-2018-3646.sh
@@ -13,6 +13,53 @@ check_CVE_2018_3646_linux() {
 if sys_interface_check "$VULN_SYSFS_BASE/l1tf" '.*' quiet; then
 # this kernel has the /sys interface, trust it over everything
 sys_interface_available=1
+ # quiet mode doesn't set ret_sys_interface_check_status, derive it ourselves.
+ #
+ # Complete sysfs message inventory for l1tf, traced via git blame
+ # on mainline (~/linux) and stable (~/linux-stable):
+ #
+ # all versions:
+ # "Not affected" (cpu_show_common, d1059518b4789)
+ # "Vulnerable" (cpu_show_common fallthrough, d1059518b4789)
+ #
+ # --- mainline ---
+ # 17dbca119312 (v4.18-rc1, initial l1tf sysfs):
+ # "Mitigation: Page Table Inversion"
+ # 72c6d2db64fa (v4.18-rc1, renamed + added VMX reporting):
+ # "Mitigation: PTE Inversion" (no KVM_INTEL, or VMX=AUTO)
+ # "Mitigation: PTE Inversion; VMX: SMT , L1D " (KVM_INTEL enabled)
+ : auto | vulnerable | conditional cache flushes | cache flushes
+ a7b9020b06ec (v4.18-rc1, added EPT disabled state):
+ : + EPT disabled
+ ea156d192f52 (v4.18-rc7, reordered VMX/SMT fields):
+ "Mitigation: PTE Inversion; VMX: EPT disabled" (no SMT part)
+ "Mitigation: PTE Inversion; VMX: vulnerable" (NEVER + SMT active, no SMT part)
+ "Mitigation: PTE Inversion; VMX: , SMT " (all other cases)
+ 8e0b2b916662 (v4.18, added flush not necessary):
+ : + flush not necessary
+ 130d6f946f6f (v4.20-rc4, no string change):
+ SMT detection changed from cpu_smt_control to sched_smt_active()
+ #
+ # --- stable backports ---
+ # 4.4.y: no VMX reporting (only "PTE Inversion" / "Vulnerable" / "Not affected").
+ # initially backported as "Page Table Inversion" (bf0cca01b873),
+ # renamed to "PTE Inversion" in stable-only commit 6db8c0882912 (May 2019).
+ # 4.9.y, 4.14.y: full VMX reporting, post-reorder format.
+ # the pre-reorder format ("SMT , L1D ") and the post-reorder
+ # format ("VMX: , SMT ") landed in the same stable release
+ # (4.9.120, 4.14.63), so no stable release ever shipped the pre-reorder format.
+ # sched_smt_active() backported (same strings, different runtime behavior).
+ # 4.17.y, 4.18.y: full VMX reporting, post-reorder format.
+ # still uses cpu_smt_control (sched_smt_active() not backported to these EOL branches).
+ #
+ is one of: vulnerable | disabled
+ #
+ # all messages start with either "Not affected", "Mitigation", or "Vulnerable"
+ if echo "$ret_sys_interface_check_fullmsg" | grep -qEi '^(Not affected|Mitigation)'; then
+ status=OK
+ elif echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Vulnerable'; then
+ status=VULN
+ fi
 fi
 l1d_mode=-1
 if [ "$opt_sysfs_only" != 1 ]; then
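Review bot: The prefix match `grep -qEi '^(Not affected|Mitigation)'` rates every "Mitigation: …" string as OK, yet the inventory right above it lists kernel strings such as `"Mitigation: PTE Inversion; VMX: vulnerable"` and the `SMT vulnerable` field, where the kernel itself reports the VMX side as unmitigated; under `--sysfs-only` this `status` becomes the printed verdict, so a host running VMs could be reported OK on the kernel's own word that it is not. If those variants are meant to rate OK the comment should say so; otherwise a check such as `if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'VMX: vulnerable'; then status=VULN` ahead of the generic match would follow the kernel's verdict. When neither pattern matches, `status` is left untouched, which presumably relies on it being initialised (to UNK or similar) earlier in the function, outside this hunk; an explicit `else` branch would make that intent visible. check_CVE_2018_3646_linux begins and ends outside this hunk.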
@@ -142,40 +189,48 @@ check_CVE_2018_3646_linux() {
 elif [ "$ret_sys_interface_check_fullmsg" = "Not affected" ]; then
 # just in case a very recent kernel knows better than we do
 pvulnstatus "$cve" OK "your kernel reported your CPU model as not affected"
- elif [ "$g_has_vmm" = 0 ]; then
- pvulnstatus "$cve" OK "this system is not running a hypervisor"
- else
- if [ "$ept_disabled" = 1 ]; then
- pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
- elif [ "$opt_paranoid" = 0 ]; then
- if [ "$l1d_mode" -ge 1 ]; then
- pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
+ elif [ -z "$msg" ]; then
+ if [ "$opt_sysfs_only" != 1 ]; then
+ if [ "$g_has_vmm" = 0 ]; then
+ pvulnstatus "$cve" OK "this system is not running a hypervisor"
+ elif [ "$ept_disabled" = 1 ]; then
+ pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
+ elif [ "$opt_paranoid" = 0 ]; then
+ if [ "$l1d_mode" -ge 1 ]; then
+ pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
+ else
+ pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
+ fi
 else
- pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
+ if [ "$l1d_mode" -ge 2 ]; then
+ if [ "$smt_enabled" = 1 ]; then
+ pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
+ else
+ pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
+ fi
+ else
+ if [ "$smt_enabled" = 1 ]; then
+ pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
+ else
+ pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
+ fi
+ fi
+ fi
+
+ if [ "$l1d_mode" -gt 3 ]; then
+ pr_warn
+ pr_warn "This host is a Xen Dom0. 
Please make sure that you are running your DomUs"
+ pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
+ pr_warn
+ pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
 fi
 else
- if [ "$l1d_mode" -ge 2 ]; then
- if [ "$smt_enabled" = 1 ]; then
- pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
- else
- pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
- fi
- else
- if [ "$smt_enabled" = 1 ]; then
- pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
- else
- pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
- fi
- fi
- fi
-
- if [ "$l1d_mode" -gt 3 ]; then
- pr_warn
- pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
- pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
- pr_warn
- pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
+ # --sysfs-only: sysfs was available (otherwise msg would be set), use its result
+ pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
 fi
+ else
+ # msg was set explicitly: either sysfs-not-available error, or a sysfs override
+ pvulnstatus "$cve" "$status" "$msg"
 fi
 }
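Review bot: The Xen Dom0 warning (`if [ "$l1d_mode" -gt 3 ]`) is now reached whenever `msg` is empty and `--sysfs-only` is off, including the `g_has_vmm = 0` case, whereas the removed code only reached it from the `else` branch of the hypervisor check; if that widening is intended it deserves a comment, otherwise `if [ "$g_has_vmm" != 0 ] && [ "$l1d_mode" -gt 3 ]; then` restores the old scope. The `--sysfs-only` branch passes `$ret_sys_interface_check_fullmsg` straight to pvulnstatus on the assumption, stated only in the comment, that an empty `msg` implies sysfs was available; that depends on code above the hunk, so a guard such as `[ -n "$ret_sys_interface_check_fullmsg" ]` falling back to an UNK status with an explanatory message would fail closed if it ever does not hold. check_CVE_2018_3646_linux starts outside this hunk.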