enh: CVE-2017-5715; check for unprivileged eBPF for paranoid mode

This commit is contained in:
Stéphane Lesimple
2026-04-01 20:37:54 +00:00
parent ac327ce7c5
commit e5c6d2d905


@@ -905,6 +905,24 @@ check_CVE_2017_5715_linux() {
fi fi
fi fi
# eBPF caveat: eIBRS without retpoline is insufficient when unprivileged eBPF is enabled
_ebpf_disabled=''
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
# shellcheck disable=SC2154
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
g_mocked=1
elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
fi
# In paranoid mode, enabled unprivileged eBPF makes eIBRS insufficient
if [ "$_v2_ok" = 1 ] && [ "$_ebpf_disabled" = 0 ] && [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "unprivileged eBPF enabled (eIBRS insufficient)"
fi
fi
# Build the base description # Build the base description
case "$v2_base_mode" in case "$v2_base_mode" in
eibrs) _v2_desc="Enhanced / Automatic IBRS" ;; eibrs) _v2_desc="Enhanced / Automatic IBRS" ;;
@@ -918,14 +936,19 @@ check_CVE_2017_5715_linux() {
else else
pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability" pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability"
fi fi
# eBPF caveat: we cannot detect unprivileged eBPF status
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
pr_info " NOTE: eIBRS is considered vulnerable by the kernel when unprivileged eBPF is enabled." pr_info " NOTE: eIBRS is considered vulnerable by the kernel when unprivileged eBPF is enabled."
pr_info " This script cannot detect unprivileged eBPF status. Check \`sysctl kernel.unprivileged_bpf_disabled\`." if [ "$_ebpf_disabled" = 0 ]; then
pr_info " Unprivileged eBPF is currently ENABLED (kernel.unprivileged_bpf_disabled=0): this system may be vulnerable!"
elif [ "$_ebpf_disabled" = 1 ] || [ "$_ebpf_disabled" = 2 ]; then
pr_info " Unprivileged eBPF is currently disabled (kernel.unprivileged_bpf_disabled=$_ebpf_disabled): eIBRS is sufficient."
else
pr_info " Could not read kernel.unprivileged_bpf_disabled, check it manually with \`sysctl kernel.unprivileged_bpf_disabled\`."
fi
fi fi
else else
pvulnstatus "$cve" VULN "$_v2_desc active but insufficient: $_v2_caveats" pvulnstatus "$cve" VULN "$_v2_desc active but insufficient: $_v2_caveats"
explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on." explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. If unprivileged eBPF is enabled, disable it with \`sysctl -w kernel.unprivileged_bpf_disabled=1\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on."
fi fi
# Kernel IBRS path # Kernel IBRS path
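Review bot: The `elif` branch that reports values 1 and 2 as "disabled ... eIBRS is sufficient" collapses two different states: per the kernel sysctl documentation, 1 is disabled with no runtime recovery, while 2 is disabled but can be switched back to 0 by a privileged user, so the protection is only as durable as the sysctl setting. Consider keeping the combined branch and adding one line after it, `[ "$_ebpf_disabled" = 2 ] && pr_info " Note: value 2 means a privileged user can re-enable unprivileged eBPF at runtime (set it to 1 to make it permanent)."`, so the reader knows the distinction. In the first hunk, the paranoid downgrade only fires when `_ebpf_disabled` is exactly 0; when the value could not be read (offline mode, or an unreadable procfs) the variable stays empty and paranoid mode silently reports OK, which looks like an unintended gap for a mode whose stated purpose is to assume the worst — presumably a caveat such as "unprivileged eBPF status unknown" is wanted there too. check_CVE_2017_5715_linux continues outside both hunks.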