3e454f1817
fix(offline): report unknown when too few info
...
In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
2018-01-23 22:20:34 +01:00
c8a25c5d97
feat: detect invalid kconfig files
2018-01-23 21:48:19 +01:00
40381349ab
fix(dmesg): detect when dmesg is truncated
...
To avoid false negatives when looking for a message
in dmesg, we were previously also grepping in known
on-disk archives of dmesg (dmesg.log, kern.log).
This in turn caused false positives because we have no
guarantee that we're grepping the dmesg of the current
running kernel. Hence we now only look in the live
`dmesg`, detect if it has been truncated, and report
it to the user.
2018-01-21 16:26:08 +01:00
0aa5857a76
fix(cpu): Pentium Exxxx series are not vulnerable
...
Pentium E series are not in the vulnerable list from
Intel, and Spectre2 PoC reportedly doesn't work on
an E5200
2018-01-21 16:13:17 +01:00
b3b7f634e6
fix(display): use text-mode compatible colors
...
in text-mode 80-cols TERM=linux terminals, colors
were not displaying properly, one had to use
--no-color to be able to read some parts of the
text.
2018-01-21 12:32:22 +01:00
263ef65fec
bump to v0.32
2018-01-20 12:49:12 +01:00
a1bd233c49
revert to a simpler check_vmlinux()
2018-01-20 12:26:26 +01:00
de6590cd09
cache is_cpu_vulnerable result for performance
2018-01-20 12:24:23 +01:00
56d4f82484
is_cpu_vulnerable: implement check for multi-arm systems
2018-01-20 12:24:23 +01:00
7fa2d6347b
check_vmlinux: when readelf doesn't work, try harder with another way
2018-01-20 12:23:55 +01:00
3be5e90481
be smarter to find a usable echo command
2018-01-20 12:23:55 +01:00
995620a682
add pine64 vmlinuz location
2018-01-20 12:23:19 +01:00
193e0d8d08
arm: cosmetic fix for name and handle aarch64
2018-01-20 12:22:48 +01:00
72ef94ab3d
ARM: display a friendly name instead of empty string
2018-01-20 12:22:48 +01:00
ccc0453df7
search in /lib/modules/$(uname -r) for vmlinuz, config, System.map
...
On Fedora machines /lib/modules/$(uname -r) has all the files.
2018-01-20 11:19:34 +01:00
14ca49a042
Atom N270: implement another variation
2018-01-19 18:47:38 +01:00
db357b8e25
CoreOS: remove ephemeral install of a non-used package
2018-01-18 10:17:25 +01:00
42a57dd980
add kern.log as another backend of dmesg output
2018-01-17 17:17:39 +01:00
5ab95f3656
fix(atom): don't use a pcre regex, only an extended one
2018-01-17 12:01:13 +01:00
5b6e39916d
fix(atom): properly detect Nxxx Atom series
2018-01-17 11:07:47 +01:00
556951d5f0
Add Support for Slackware.
...
Signed-off-by: Willy Sudiarto Raharjo <willysr@gmail.com >
2018-01-16 11:55:03 +01:00
7a88aec95f
Implement CoreOS compatibility mode ( #84 )
...
* Add special CoreOS compatibility mode
* CoreOS: refuse --coreos if we're not under CoreOS
* CoreOS: warn if launched without --coreos option
* is_coreos: make stderr silent
* CoreOS: tiny adjustments
2018-01-16 10:33:01 +01:00
bd18323d79
bump to v0.31 to reflect changes
2018-01-14 22:34:09 +01:00
b89d67dd15
meltdown: detecting Xen PV, reporting as not vulnerable
2018-01-14 22:31:21 +01:00
704e54019a
is_cpu_vulnerable: add check for old Atoms
2018-01-14 21:32:56 +01:00
d96093171a
verbose: add PCID check for performance impact of PTI
2018-01-14 17:18:34 +01:00
dcc4488340
Merge pull request #80 from speed47/cpuid_spec_ctrl
...
v0.30, cpuid spec ctrl and other enhancements
2018-01-14 16:48:02 +01:00
32e3fe6c07
bump to v0.30 to reflect changes
2018-01-14 16:45:59 +01:00
f488947d43
Merge pull request #79 from andir/add-nixos
...
add support for NixOS kernel
2018-01-14 16:40:10 +01:00
71213c11b3
ibrs: check for spec_ctrl_ibrs in cpuinfo
2018-01-14 16:36:51 +01:00
2964c4ab44
add support for NixOS kernel
...
this removes the need to specify the kernel version manually on NixOS
2018-01-14 16:18:29 +01:00
749f432d32
also check for spec_ctrl flag in cpuinfo
2018-01-14 15:47:51 +01:00
a422b53d7c
also check for cpuinfo flag
2018-01-14 15:47:51 +01:00
c483a2cf60
check spec_ctrl support using cpuid
2018-01-14 15:47:51 +01:00
dead0054a4
fix: proper detail msg in vuln status
2018-01-14 15:47:22 +01:00
8ed7d465aa
Merge pull request #77 from speed47/exitcode
...
proper return codes regardless of the batch mode
2018-01-14 14:25:12 +01:00
e5e4851d72
proper return codes regardless of the batch mode
2018-01-14 14:24:31 +01:00
7f92717a2c
add info about accuracy when missing kernel files
2018-01-13 13:59:17 +01:00
b47d505689
AMD now vuln to variant2 (as per their stmt)
2018-01-13 13:35:31 +01:00
4a2d051285
minor is_cpu_vulnerable() changes ( #71 )
...
* correct is_cpu_vulnerable() comment
As far as I can tell, the function and usage are correct for the comment
to be inverted.
Add a clarifying note as to why the value choice makes sense.
* exit on invalid varient
If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.
* no need to set vulnerable CPUs
According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
2018-01-13 13:16:37 +01:00
f3551b9734
Only show the name of the script, not the full path ( #72 )
2018-01-13 13:14:19 +01:00
45b98e125f
fix some typos ( #73 )
2018-01-13 13:13:40 +01:00
dce917bfbb
add --version, bump to v0.28
2018-01-12 19:10:44 +01:00
8f18f53aba
add cpu model in output
2018-01-12 19:08:12 +01:00
d3f102b3b3
Typofix in readme ( #61 )
2018-01-12 13:58:04 +01:00
8bd093173d
Fixed a few spelling errors ( #60 )
2018-01-12 11:46:36 +01:00
bfe5a3b840
add some debug
2018-01-12 10:53:19 +01:00
6a0242eea3
bump to v0.27
2018-01-11 15:36:41 +01:00
bc4e39038a
fix(opcodes): fix regression introduced in previous commit
...
We were saying unknown instead of vulnerable when the count of lfence opcodes was low
This was not impacting batch mode or the final decision, just the human-readable output of the script.
2018-01-11 15:35:57 +01:00
62f8ed6f61
adding support for new /sys interface ( #55 )
...
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
2018-01-11 12:23:16 +01:00
