enh: CVE-2018-3646: document all sysfs variations, fix --sysfs-only path
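--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -13,6 +13,53 @@ check_CVE_2018_3646_linux() {
 if sys_interface_check "$VULN_SYSFS_BASE/l1tf" '.*' quiet; then
 # this kernel has the /sys interface, trust it over everything
 sys_interface_available=1
+# quiet mode doesn't set ret_sys_interface_check_status, derive it ourselves.
+#
+# Complete sysfs message inventory for l1tf, traced via git blame
+# on mainline (~/linux) and stable (~/linux-stable):
+#
+# all versions:
+# "Not affected" (cpu_show_common, d1059518b4789)
+# "Vulnerable" (cpu_show_common fallthrough, d1059518b4789)
+#
+# --- mainline ---
+# 17dbca119312 (v4.18-rc1, initial l1tf sysfs):
+# "Mitigation: Page Table Inversion"
+# 72c6d2db64fa (v4.18-rc1, renamed + added VMX reporting):
+# "Mitigation: PTE Inversion" (no KVM_INTEL, or VMX=AUTO)
+# "Mitigation: PTE Inversion; VMX: SMT <smt>, L1D <flush>" (KVM_INTEL enabled)
+# <flush>: auto | vulnerable | conditional cache flushes | cache flushes
+# a7b9020b06ec (v4.18-rc1, added EPT disabled state):
+# <flush>: + EPT disabled
+# ea156d192f52 (v4.18-rc7, reordered VMX/SMT fields):
+# "Mitigation: PTE Inversion; VMX: EPT disabled" (no SMT part)
+# "Mitigation: PTE Inversion; VMX: vulnerable" (NEVER + SMT active, no SMT part)
+# "Mitigation: PTE Inversion; VMX: <flush>, SMT <smt>" (all other cases)
+# 8e0b2b916662 (v4.18, added flush not necessary):
+# <flush>: + flush not necessary
+# 130d6f946f6f (v4.20-rc4, no string change):
+# SMT detection changed from cpu_smt_control to sched_smt_active()
+#
+# --- stable backports ---
+# 4.4.y: no VMX reporting (only "PTE Inversion" / "Vulnerable" / "Not affected").
+# initially backported as "Page Table Inversion" (bf0cca01b873),
+# renamed to "PTE Inversion" in stable-only commit 6db8c0882912 (May 2019).
+# 4.9.y, 4.14.y: full VMX reporting, post-reorder format.
+# the pre-reorder format ("SMT <smt>, L1D <flush>") and the post-reorder
+# format ("VMX: <flush>, SMT <smt>") landed in the same stable release
+# (4.9.120, 4.14.63), so no stable release ever shipped the pre-reorder format.
+# sched_smt_active() backported (same strings, different runtime behavior).
+# 4.17.y, 4.18.y: full VMX reporting, post-reorder format.
+# still uses cpu_smt_control (sched_smt_active() not backported to these EOL branches).
+#
+# <smt> is one of: vulnerable | disabled
+#
+# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
+if echo "$ret_sys_interface_check_fullmsg" | grep -qEi '^(Not affected|Mitigation)'; then
+status=OK
+elif echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Vulnerable'; then
+status=VULN
+fi
 fi
 l1d_mode=-1
 if [ "$opt_sysfs_only" != 1 ]; then
@@ -142,10 +189,11 @@ check_CVE_2018_3646_linux() {
 elif [ "$ret_sys_interface_check_fullmsg" = "Not affected" ]; then
 # just in case a very recent kernel knows better than we do
 pvulnstatus "$cve" OK "your kernel reported your CPU model as not affected"
-elif [ "$g_has_vmm" = 0 ]; then
+elif [ -z "$msg" ]; then
+if [ "$opt_sysfs_only" != 1 ]; then
+if [ "$g_has_vmm" = 0 ]; then
 pvulnstatus "$cve" OK "this system is not running a hypervisor"
-else
-if [ "$ept_disabled" = 1 ]; then
+elif [ "$ept_disabled" = 1 ]; then
 pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
 elif [ "$opt_paranoid" = 0 ]; then
 if [ "$l1d_mode" -ge 1 ]; then
@@ -176,6 +224,13 @@ check_CVE_2018_3646_linux() {
 pr_warn
 pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
 fi
+else
+# --sysfs-only: sysfs was available (otherwise msg would be set), use its result
+pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+fi
+else
+# msg was set explicitly: either sysfs-not-available error, or a sysfs override
+pvulnstatus "$cve" "$status" "$msg"
 fi
 }
 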
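Review bot: The status derivation added in the first hunk has no fallback: a sysfs message that starts with neither "Not affected", "Mitigation" nor "Vulnerable" leaves `status` at whatever it held before (possibly empty), and the new --sysfs-only branch in the third hunk then passes that stale value straight to pvulnstatus. The inventory comment says no such message exists today, but the same comment shows how often the strings have changed, so a terminal `else status=UNK; fi` (if UNK is the script's undetermined status) would keep a future kernel from producing a blank or wrong verdict. Related: "Mitigation: PTE Inversion; VMX: vulnerable" and the "SMT vulnerable" variants are classified OK purely on their "Mitigation" prefix, which in --sysfs-only mode is what gets reported for a host whose guests are still exposed; that may be intended ("trust it over everything") but deserves a sentence in the comment so the next reader does not take it for an oversight. check_CVE_2018_3646_linux opens before the first hunk.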