peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-02 05:07:07 +02:00
Code Issues Projects Releases Wiki Activity

enh: CVE-2017-5715; check for unprivileged eBPF for paranoid mode

Browse Source 
built from commit e5c6d2d905
 dated 2026-04-01 20:37:54 +0000
 by Stéphane Lesimple (speed47_github@speed47.net)
This commit is contained in:
github-actions[bot]
2026-04-01 20:39:36 +00:00
parent 7b41bcca2b
commit fe376887ab
1 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
spectre-meltdown-checker.sh
View File

@@ -13,7 +13,7 @@
#
# Stephane Lesimple
#
VERSION='26.21.0401841'
VERSION='26.21.0401860'
# --- Common paths and basedirs ---
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -5468,6 +5468,24 @@ check_CVE_2017_5715_linux() {
fi
fi
# eBPF caveat: eIBRS without retpoline is insufficient when unprivileged eBPF is enabled
_ebpf_disabled=''
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
# shellcheck disable=SC2154
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
g_mocked=1
elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
fi
# In paranoid mode, enabled unprivileged eBPF makes eIBRS insufficient
if [ "$_v2_ok" = 1 ] && [ "$_ebpf_disabled" = 0 ] && [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "unprivileged eBPF enabled (eIBRS insufficient)"
fi
fi
# Build the base description
case "$v2_base_mode" in
eibrs) _v2_desc="Enhanced / Automatic IBRS" ;;
@@ -5481,14 +5499,19 @@ check_CVE_2017_5715_linux() {
else
pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability"
fi
# eBPF caveat: we cannot detect unprivileged eBPF status
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
pr_info " NOTE: eIBRS is considered vulnerable by the kernel when unprivileged eBPF is enabled."
pr_info " This script cannot detect unprivileged eBPF status. Check \`sysctl kernel.unprivileged_bpf_disabled\`."
if [ "$_ebpf_disabled" = 0 ]; then
pr_info " Unprivileged eBPF is currently ENABLED (kernel.unprivileged_bpf_disabled=0): this system may be vulnerable!"
elif [ "$_ebpf_disabled" = 1 ] || [ "$_ebpf_disabled" = 2 ]; then
pr_info " Unprivileged eBPF is currently disabled (kernel.unprivileged_bpf_disabled=$_ebpf_disabled): eIBRS is sufficient."
else
pr_info " Could not read kernel.unprivileged_bpf_disabled, check it manually with \`sysctl kernel.unprivileged_bpf_disabled\`."
fi
fi
else
pvulnstatus "$cve" VULN "$_v2_desc active but insufficient: $_v2_caveats"
explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on."
explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. If unprivileged eBPF is enabled, disable it with \`sysctl -w kernel.unprivileged_bpf_disabled=1\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on."
fi
# Kernel IBRS path