From f75cc0bb6ff9ca78973a14c5ce342cfc437ea009 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 22 May 2018 09:39:11 +0200
Subject: [PATCH] feat(variant4): add sysfs mitigation hint and some explanation about the vuln
---
 spectre-meltdown-checker.sh | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 6c74c61..5382d27 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -2906,12 +2906,32 @@ check_variant4() {
 _info "\033[1;34mCVE-2018-3639 [speculative store bypass] aka 'Variant 4'\033[0m"
+ status=UNK
+ sys_interface_available=0
+ msg=''
+ if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"; then
+ # this kernel has the /sys interface, trust it over everything
+ sys_interface_available=1
+ fi
+ if [ "$opt_sysfs_only" != 1 ]; then
+ :
+ elif [ "$sys_interface_available" = 0 ]; then
+ # we have no sysfs but were asked to use it only!
+ msg="/sys vulnerability interface use forced, but it's not available!"
+ status=UNK
+ fi
 cve='CVE-2018-3639'
 if ! is_cpu_vulnerable 4; then
 # override status & msg in case CPU is not vulnerable after all
 pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
+ elif [ -z "$msg" ]; then
+ # if msg is empty, sysfs check didn't fill it, rely on our own test
+ pvulnstatus $cve VULN "your CPU microcode needs to be updated"
+ explain "A new microcode is needed for your CPU to provide mitigation tools that software running on your machine can use to protect itself against the vulnerability."
 else
- pvulnstatus $cve UNK "new vulnerability, script will be updated when more technical information is available in the next hours/days"
+ pvulnstatus $cve "$status" "$msg"
+ [ "$msg" = "Vulnerable" ] && explain "A new microcode is needed for your CPU to provide mitigation tools that software running on your machine can use to protect itself against the vulnerability."
 fi
 }
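Review bot: The trailing `[ "$msg" = "Vulnerable" ] && explain "..."` in the else branch leaves check_variant4 with a non-zero exit status whenever the sysfs message is anything other than `Vulnerable` (for example `Not affected` or a `Mitigation:` string), because that test is the last command the function executes; if the script or a caller runs under `set -e` or inspects the function's status, this becomes a spurious failure. Writing it as `if [ "$msg" = "Vulnerable" ]; then` / `explain "…"` / `fi` keeps the return status clean. The same explanation string is duplicated verbatim in the `elif` and `else` branches; hoisting it into a variable such as `ssb_explain` before the `cve=` line would keep the two in step when the wording changes. The comment `# if msg is empty, sysfs check didn't fill it, rely on our own test` overstates what follows, since no local test is run and the branch unconditionally reports VULN, so `# no sysfs data: the script has no local test yet, assume the microcode is missing` would describe it accurately. Whether sys_interface_check populates msg and status is not visible in this hunk; the reasoning above assumes it does.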