peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-05-03 22:13:21 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: peter/spectre-meltdown-checker:e5c6d2d9056b0d2c09f43f34687e4323d446ea66
Branches Tags
peter/spectre-meltdown-checker:master peter/spectre-meltdown-checker:test-build peter/spectre-meltdown-checker:test peter/spectre-meltdown-checker:source-build peter/spectre-meltdown-checker:source peter/spectre-meltdown-checker:vuln-watch
peter/spectre-meltdown-checker:v26.33.0420460 peter/spectre-meltdown-checker:v26.26.0404682 peter/spectre-meltdown-checker:v26.21.0401891 peter/spectre-meltdown-checker:v0.46 peter/spectre-meltdown-checker:v0.45 peter/spectre-meltdown-checker:v0.44 peter/spectre-meltdown-checker:v0.43 peter/spectre-meltdown-checker:v0.42 peter/spectre-meltdown-checker:v0.41 peter/spectre-meltdown-checker:v0.40 peter/spectre-meltdown-checker:v0.39 peter/spectre-meltdown-checker:v0.38 peter/spectre-meltdown-checker:v0.37 peter/spectre-meltdown-checker:v0.36 peter/spectre-meltdown-checker:v0.35 peter/spectre-meltdown-checker:v0.34 peter/spectre-meltdown-checker:v0.33 peter/spectre-meltdown-checker:v0.32 peter/spectre-meltdown-checker:v0.31 peter/spectre-meltdown-checker:v0.30 peter/spectre-meltdown-checker:v0.29 peter/spectre-meltdown-checker:v0.28 peter/spectre-meltdown-checker:v0.27 peter/spectre-meltdown-checker:v0.26 peter/spectre-meltdown-checker:v0.25 peter/spectre-meltdown-checker:v0.24 peter/spectre-meltdown-checker:v0.23 peter/spectre-meltdown-checker:v0.22 peter/spectre-meltdown-checker:v0.21 peter/spectre-meltdown-checker:v0.20 peter/spectre-meltdown-checker:v0.19 peter/spectre-meltdown-checker:v0.18 peter/spectre-meltdown-checker:v0.17 peter/spectre-meltdown-checker:v0.16 peter/spectre-meltdown-checker:v0.15 peter/spectre-meltdown-checker:v0.14 peter/spectre-meltdown-checker:v0.13 peter/spectre-meltdown-checker:v0.12 peter/spectre-meltdown-checker:v0.11 peter/spectre-meltdown-checker:v0.10 peter/spectre-meltdown-checker:v0.09 peter/spectre-meltdown-checker:v0.08 peter/spectre-meltdown-checker:v0.07 peter/spectre-meltdown-checker:v0.06 peter/spectre-meltdown-checker:v0.05 peter/spectre-meltdown-checker:v0.04 peter/spectre-meltdown-checker:v0.03 peter/spectre-meltdown-checker:v0.02 peter/spectre-meltdown-checker:v0.01
..
compare: peter/spectre-meltdown-checker:9497abbee2723cedc561b6b785fe01fbe965ec1c
Branches Tags
peter/spectre-meltdown-checker:test-build peter/spectre-meltdown-checker:test peter/spectre-meltdown-checker:master peter/spectre-meltdown-checker:source-build peter/spectre-meltdown-checker:source peter/spectre-meltdown-checker:vuln-watch
peter/spectre-meltdown-checker:v26.33.0420460 peter/spectre-meltdown-checker:v26.26.0404682 peter/spectre-meltdown-checker:v26.21.0401891 peter/spectre-meltdown-checker:v0.46 peter/spectre-meltdown-checker:v0.45 peter/spectre-meltdown-checker:v0.44 peter/spectre-meltdown-checker:v0.43 peter/spectre-meltdown-checker:v0.42 peter/spectre-meltdown-checker:v0.41 peter/spectre-meltdown-checker:v0.40 peter/spectre-meltdown-checker:v0.39 peter/spectre-meltdown-checker:v0.38 peter/spectre-meltdown-checker:v0.37 peter/spectre-meltdown-checker:v0.36 peter/spectre-meltdown-checker:v0.35 peter/spectre-meltdown-checker:v0.34 peter/spectre-meltdown-checker:v0.33 peter/spectre-meltdown-checker:v0.32 peter/spectre-meltdown-checker:v0.31 peter/spectre-meltdown-checker:v0.30 peter/spectre-meltdown-checker:v0.29 peter/spectre-meltdown-checker:v0.28 peter/spectre-meltdown-checker:v0.27 peter/spectre-meltdown-checker:v0.26 peter/spectre-meltdown-checker:v0.25 peter/spectre-meltdown-checker:v0.24 peter/spectre-meltdown-checker:v0.23 peter/spectre-meltdown-checker:v0.22 peter/spectre-meltdown-checker:v0.21 peter/spectre-meltdown-checker:v0.20 peter/spectre-meltdown-checker:v0.19 peter/spectre-meltdown-checker:v0.18 peter/spectre-meltdown-checker:v0.17 peter/spectre-meltdown-checker:v0.16 peter/spectre-meltdown-checker:v0.15 peter/spectre-meltdown-checker:v0.14 peter/spectre-meltdown-checker:v0.13 peter/spectre-meltdown-checker:v0.12 peter/spectre-meltdown-checker:v0.11 peter/spectre-meltdown-checker:v0.10 peter/spectre-meltdown-checker:v0.09 peter/spectre-meltdown-checker:v0.08 peter/spectre-meltdown-checker:v0.07 peter/spectre-meltdown-checker:v0.06 peter/spectre-meltdown-checker:v0.05 peter/spectre-meltdown-checker:v0.04 peter/spectre-meltdown-checker:v0.03 peter/spectre-meltdown-checker:v0.02 peter/spectre-meltdown-checker:v0.01

27 Commits
e5c6d2d905 .. 9497abbee2

Author SHA1 Message Date
Stéphane Lesimple 9497abbee2 chore: prepare for dev-build renaming to test-build 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 489290be94 chore: set VERSION when building 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 8d1d680202 update dev docs and refactor CVE list in readme 2026-03-31 20:16:47 +00:00
Stéphane Lesimple d8400c6c4d chore: add .gitignore 2026-03-31 20:16:47 +00:00
Stéphane Lesimple e451b383c1 chore: adjust workflow for dev-build 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 06a8b3e935 chore: move dist files to the dist/ subdir 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 3088a4f72f feat: implement CVE-2024-36350 CVE-2024-36357 (Transient Scheduler Attack) 2026-03-31 20:16:47 +00:00
Stéphane Lesimple ce4a019cee doc: update development guidelines 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 1e121086a8 chore: shfmt 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 9e511cd714 dev-build workflow 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 823f42dade use MSR names for read_msr for readability 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 41ab027f86 fix: rework read_msr for values > INT32_MAX (#507) 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 4e3cfc0a18 doc: add a note about the mandatory POSIX compliance of used tools 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 5b7923c957 POSIX compatibility fix: replace sort -V by a manual comparison 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 9dcb3249e9 BSD compatibility fix: stat -f and date -r fallbacks 2026-03-31 20:16:47 +00:00
Stéphane Lesimple e9f4956764 POSIX compatibility fix: sed -r => sed -E 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 9fca4b6895 POSIX compatibility fix: cut -w => awk 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 39e03373b6 split script in multiple files, reassembled through build.sh 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 63e80e7409 standardize function naming and add doc headers to all of them 2026-03-31 20:16:47 +00:00
Stéphane Lesimple f373e5217f refactor functions that record/output results 2026-03-31 20:16:47 +00:00
Stéphane Lesimple fd9d0999af use global readonly vars for common paths/basedirs 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 2b2478b8ef factorize/standardize check_CVE_*() funcs 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 7cd9323681 factorize CVE metadata into a single CVE_REGISTRY global var 2026-03-31 20:16:47 +00:00
Stéphane Lesimple caa1a025b9 second vars renaming pass 2026-03-31 20:16:47 +00:00
Stéphane Lesimple f05b5f0fae chore: rename status_* to affected_* 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 7663161edb chore: apply variables naming convention 2026-03-31 20:16:47 +00:00
Stéphane Lesimple 30ef15441d chore: add variables naming convention documentation 2026-03-31 20:16:47 +00:00
17 changed files with 563 additions and 1909 deletions
Expand all files Collapse all files
DEVELOPMENT.md
+34 -223
View File
@@ -100,10 +100,10 @@ There is no separate test suite. CI (`.github/workflows/check.yml`) runs shellch
The entire tool is a single bash script with no external script dependencies. Key structural sections:
- **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` - verbosity-aware output with color support
- **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` - hardware identification via CPUID/MSR registers
- **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` verbosity-aware output with color support
- **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` hardware identification via CPUID/MSR registers
- **Microcode database** (embedded): Intel/AMD microcode version lookup via `read_mcedb`/`read_inteldb`; updated automatically via `.github/workflows/autoupdate.yml`
- **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` - extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression)
- **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression)
- **Vulnerability checks**: 19 `check_CVE_<year>_<number>()` functions, each with `_linux()` and `_bsd()` variants. Uses whitelist logic (assumes affected unless proven otherwise)
- **Main flow** (~line 6668): Parse options → detect CPU → loop through requested CVEs → output results (text/json/nrpe/prometheus) → cleanup
@@ -249,24 +249,24 @@ check_CVE_YYYY_NNNNN_bsd() {
}
```
The entry point calls `check_cve`, which prints the CVE header and dispatches to `_linux()` or `_bsd()` based on `$g_os`. If BSD mitigations are not yet understood, use the stub above - it correctly reports UNK rather than a false OK.
The entry point calls `check_cve`, which prints the CVE header and dispatches to `_linux()` or `_bsd()` based on `$g_os`. If BSD mitigations are not yet understood, use the stub above it correctly reports UNK rather than a false OK.
### Step 2: Register the CVE in the CPU Affection Logic
In `src/libs/200_cpu_affected.sh`, add an `affected_yourname` variable and populate it inside `is_cpu_affected()`. The variable follows the whitelist principle: **assume affected (`1`) unless you can prove the CPU is immune (`0`)**. Two kinds of evidence can prove immunity:
- **Static identifiers**: CPU vendor, family, model, stepping - these identify the hardware design.
- **Static identifiers**: CPU vendor, family, model, stepping these identify the hardware design.
- **Hardware immunity `cap_*` bits**: CPUID or MSR bits that the CPU vendor defines to explicitly declare "this hardware is not affected" (e.g. `cap_rdcl_no` for Meltdown, `cap_ssb_no` for Variant 4, `cap_gds_no` for Downfall, `cap_tsa_sq_no`/`cap_tsa_l1_no` for TSA). These are read in `check_cpu()` and stored as `cap_*` globals.
Never use microcode version strings.
**Important**: Do not confuse hardware immunity bits with *mitigation* capability bits. A hardware immunity bit (e.g. `GDS_NO`, `TSA_SQ_NO`) declares that the CPU design is architecturally free of the vulnerability - it belongs here in `is_cpu_affected()`. A mitigation capability bit (e.g. `VERW_CLEAR`, `MD_CLEAR`) indicates that updated microcode provides a mechanism to work around a vulnerability the CPU *does* have - it belongs in the `check_CVE_YYYY_NNNNN_linux()` function (Phase 2), where it is used to determine whether mitigations are in place.
**Important**: Do not confuse hardware immunity bits with *mitigation* capability bits. A hardware immunity bit (e.g. `GDS_NO`, `TSA_SQ_NO`) declares that the CPU design is architecturally free of the vulnerability it belongs here in `is_cpu_affected()`. A mitigation capability bit (e.g. `VERW_CLEAR`, `MD_CLEAR`) indicates that updated microcode provides a mechanism to work around a vulnerability the CPU *does* have it belongs in the `check_CVE_YYYY_NNNNN_linux()` function (Phase 2), where it is used to determine whether mitigations are in place.
### Step 3: Implement the Linux Check
The `_linux()` function follows a standard algorithm with four phases:
**Phase 1 - Initialize and check sysfs:**
**Phase 1 Initialize and check sysfs:**
```sh
check_CVE_YYYY_NNNNN_linux() {
@@ -282,7 +282,7 @@ check_CVE_YYYY_NNNNN_linux() {
`sys_interface_check` reads `/sys/devices/system/cpu/vulnerabilities/<name>` and parses the kernel's own assessment into `ret_sys_interface_check_status` (OK/VULN/UNK) and `ret_sys_interface_check_fullmsg`. If the sysfs file doesn't exist (older kernel, or the CVE predates kernel awareness), it returns false and `sys_interface_available` stays 0.
**Phase 2 - Custom detection (kernel + runtime):**
**Phase 2 Custom detection (kernel + runtime):**
Guarded by `if [ "$opt_sysfs_only" != 1 ]; then` so users who trust sysfs can skip it.
@@ -296,18 +296,18 @@ This is where the real detection lives. Check for mitigations at each layer:
kernel_mitigated="found mitigation evidence in kernel image"
fi
```
Guard with `if [ -n "$g_kernel_err" ]; then` first - the kernel image may be unavailable.
Guard with `if [ -n "$g_kernel_err" ]; then` first the kernel image may be unavailable.
- **Kernel config** (`$opt_config`): Look for the `CONFIG_*` option that enables the mitigation.
- **Kernel config** (`$g_kernel_config`): Look for the `CONFIG_*` option that enables the mitigation.
```sh
if [ -n "$opt_config" ] && grep -q '^CONFIG_MITIGATION_NAME=y' "$opt_config"; then
if [ -n "$g_kernel_config" ] && grep -q '^CONFIG_MITIGATION_NAME=y' "$g_kernel_config"; then
kernel_mitigated="found mitigation config option enabled"
fi
```
- **System.map** (`$opt_map`): Look for function names directly linked to the mitigation.
- **System.map** (`$g_kernel_map`): Look for function names directly linked to the mitigation.
```sh
if [ -n "$opt_map" ] && grep -q 'mitigation_function_name' "$opt_map"; then
if [ -n "$g_kernel_map" ] && grep -q 'mitigation_function_name' "$g_kernel_map"; then
kernel_mitigated="found mitigation function in System.map"
fi
```
@@ -337,227 +337,38 @@ Close the `opt_sysfs_only` block with the forced-sysfs fallback:
fi
```
**Phase 3 - CPU affection gate:**
**Phase 3 CPU affection gate:**
```sh
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
```
If the CPU is not affected, nothing else matters - report OK and return. This overrides any sysfs or custom detection result.
If the CPU is not affected, nothing else matters report OK and return. This overrides any sysfs or custom detection result.
**Phase 4 - Final status determination:**
**Phase 4 Final status determination:**
For affected CPUs, combine the evidence from Phase 2 into a final verdict. The dispatch
works through `msg`: if Phase 1 (sysfs) or a sysfs override set `msg` to non-empty, use
it directly; otherwise run own logic or fall back to the raw sysfs result.
For affected CPUs, combine the evidence from Phase 2 into a final verdict:
```sh
elif [ -z "$msg" ]; then
# msg is empty: sysfs either wasn't available, or gave a standard
# response that wasn't overridden. Use our own logic when we have it.
if [ "$opt_sysfs_only" != 1 ]; then
# --- own logic using Phase 2 variables ---
if [ "$microcode_ok" = 1 ] && [ -n "$kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
else
pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
explain "Remediation advice here..."
fi
elif [ "$opt_sysfs_only" != 1 ]; then
if [ "$microcode_ok" = 1 ] && [ -n "$kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
elif [ "$microcode_ok" = 1 ]; then
pvulnstatus "$cve" OK "Microcode mitigates the vulnerability"
elif [ -n "$kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Kernel mitigates the vulnerability"
else
# --sysfs-only: Phase 2 variables are unset, fall back to the
# raw sysfs result (status + fullmsg were set in Phase 1).
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
explain "Remediation advice here..."
fi
else
# msg was explicitly set - either by the "sysfs not available" elif
# above, or by a sysfs override in Phase 1. Use it as-is.
pvulnstatus "$cve" "$status" "$msg"
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
}
```
The `opt_sysfs_only` guard inside the `[ -z "$msg" ]` branch is **critical**: without it,
`--sysfs-only` mode would fall into own-logic with all Phase 2 variables unset, producing
wrong results. The `else` at line `pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"`
is safe because it is only reachable when sysfs was available (if it wasn't, the "sysfs not
available" `elif` at the end of Phase 2 would have set `msg`, sending us to the other branch).
The exact combination logic depends on the CVE. Some require **both** microcode and kernel fixes (report VULN if either is missing). Others are mitigated by **either** layer alone (report OK if one is present). Some also require SMT to be disabled - check with `is_cpu_smt_enabled()`.
**Sysfs overrides:** When the kernel's sysfs reporting is known to be incorrect for certain
messages (e.g. old kernels misclassifying a partial mitigation as fully mitigated), add an
override in Phase 1 after `sys_interface_check` returns. The override sets both `status` and
`msg`, which routes Phase 4 to the `else` branch - bypassing own logic entirely. This is
correct because the override and own logic will always agree on the verdict. Example:
```sh
if sys_interface_check "$VULN_SYSFS_BASE/vuln_name"; then
sys_interface_available=1
status=$ret_sys_interface_check_status
# Override: old kernels (before <commit>) incorrectly reported this as mitigated
if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Mitigation:.*partial mitigation.*missing piece'; then
status=VULN
msg="Vulnerable: partial mitigation, missing piece (your kernel incorrectly reports this as mitigated, it was fixed in more recent kernels)"
fi
fi
```
When adding a sysfs override, also add an `explain` call in the `else` branch of Phase 4
(where `msg` is non-empty) to tell the user why the kernel says "Mitigated" while the script
reports vulnerable. Additionally, in Phase 2, add a kernel-image grep to inform the user
whether their kernel has the corrected reporting (the post-fix kernel will contain the new
vulnerability string in its image).
**Sysfs message inventory:** Before writing Phase 1 (and any sysfs overrides), audit **every
version** of the sysfs message that the kernel has ever produced for this vulnerability. The
script may run on any kernel - from early release candidates that first introduced the sysfs
file, through every stable release, up to the latest mainline. The inventory must catalogue
every string variant, including:
- Messages that only existed briefly between two commits in the same release cycle.
- Format changes (e.g. field reordering, renamed labels).
- New states added in later kernels (e.g. new flush modes, new mitigation strategies).
- Reporting corrections where a later kernel changed its assessment of what counts as
mitigated (e.g. a message that said `"Mitigation: ..."` in kernel A is reclassified as
`"Vulnerable: ..."` in kernel B under the same conditions).
Document all discovered variants as comments in the CVE file, grouped by the kernel commit
that introduced or changed them, so future readers can understand the evolution at a glance.
See `src/vulns/CVE-2018-3646.sh` (Phase 1 comment block) for a reference example.
This inventory matters because later kernels may have a different - and more accurate - view
of what is vulnerable versus mitigated for a given vulnerability, as understanding progresses
over time. The script must be able to reach the same conclusions as the most recent kernel,
even when running under an old kernel that misreports a vulnerability as mitigated. This is
exactly what sysfs overrides (described above) are for: when the inventory reveals that an
old kernel's message is now known to be wrong, add an override in Phase 1 to correct the
status, and use the Phase 2 kernel-image grep to tell the user whether their kernel has the
corrected reporting.
**How to build the inventory - git blame walkback method:**
The goal is to find every commit that changed the sysfs output strings for a given
vulnerability. The method uses `git blame` iteratively, walking backwards through history
until the vulnerability's sysfs reporting no longer exists.
1. **Locate the output function.** Most vulnerability sysfs files are generated from
`arch/x86/kernel/cpu/bugs.c`. Find the `*_show_state()` function for the vulnerability
(e.g. `l1tf_show_state()`, `mds_show_state()`) and the corresponding `case X86_BUG_*`
in `cpu_show_common()`. Both paths can produce messages: the show_state function handles
the mitigated cases, while `cpu_show_common()` handles `"Not affected"` (common to all
bugs) and `"Vulnerable"` (fallthrough). Some vulnerabilities also use string arrays
(e.g. `l1tf_vmx_states[]`, `spectre_v1_strings[]`) - include those in the audit.
2. **Blame the current code.** Run `git blame` on the relevant line range:
```
git blame -L<start>,<end> arch/x86/kernel/cpu/bugs.c
```
For each line that contributes to the sysfs output (format strings, string arrays, enum
lookups, conditional branches that select different messages), note the commit hash.
3. **Walk back one commit at a time.** For each commit found in step 2, check the state of
the file **before** that commit to see what changed:
```
git show <commit>^:arch/x86/kernel/cpu/bugs.c | grep -n -A10 '<function_name>'
```
Compare the output strings, format patterns, and conditional logic with the version after
the commit. Record any differences: added/removed/renamed states, reordered fields,
changed conditions.
4. **Repeat until the vulnerability disappears.** Take the oldest commit found and check the
parent. Eventually you reach a version where the `case X86_BUG_*` for this vulnerability
does not exist - that is the boundary.
5. **Watch for non-obvious string changes.** Some commits change the output without touching
the format strings themselves:
- **Condition changes**: A commit may change *when* a branch is taken (e.g. switching from
`cpu_smt_control == CPU_SMT_ENABLED` to `sched_smt_active()`), which changes which
message appears for the same hardware state, even though the strings are identical.
- **Enum additions**: A new entry in a string array (e.g. adding `"flush not necessary"` to
`l1tf_vmx_states[]`) adds a new possible message without changing the format string.
- **Early returns**: Adding or removing an early-return path changes which messages are
reachable (e.g. returning `L1TF_DEFAULT_MSG` for `FLUSH_AUTO` before reaching the VMX
format string).
- **Mechanical changes**: `sprintf` → `sysfs_emit`, `const` qualifications, whitespace
reformats - these do not change strings and can be noted briefly or omitted.
6. **Cross-check with `git log`.** After the blame walkback, run a targeted `git log` to
confirm no commits were missed:
```
git log --all --oneline -- arch/x86/kernel/cpu/bugs.c | xargs -I{} \
sh -c 'git show {} -- arch/x86/kernel/cpu/bugs.c | grep -q "<vuln_name>" && echo {}'
```
Any commit that touches lines mentioning the vulnerability name should already be in
your inventory. If one is missing, inspect it.
7. **Audit the stable tree.** After completing the mainline inventory, repeat the process on
the linux-stable repository (`~/linux-stable`). Stable/LTS branches can carry backports
that differ from mainline in subtle ways:
- **Partial backports**: A stable branch may backport the mitigation but not the VMX
reporting, producing a simpler set of messages than mainline (e.g. 4.4.y has l1tf's
`"PTE Inversion"` but no VMX flush state reporting at all).
- **Stable-only commits**: Maintainers sometimes make stable-specific changes that never
existed in mainline (e.g. renaming a string to match upstream without backporting the
full commit that originally renamed it).
- **Backport batching**: Multiple mainline commits may land in the same stable release,
meaning intermediate formats (that existed briefly between mainline commits) may never
have shipped in any stable release. Note this when it happens - it narrows the set of
messages that real-world kernels can produce, but the script should still handle the
intermediate formats since someone could be running a mainline rc kernel.
- **Missing backports**: Some stable branches reach EOL before a fix is backported (e.g.
the `sched_smt_active()` change was not backported to 4.17.y or 4.18.y). This doesn't
change the strings but can change which message appears for the same hardware state.
Check each LTS/stable branch that was active when the vulnerability's sysfs support was
introduced. A quick way to identify relevant branches:
```
cd ~/linux-stable
for branch in $(git branch -r | grep 'linux-'); do
count=$(git show "$branch:arch/x86/kernel/cpu/bugs.c" 2>/dev/null | grep -c '<vuln_name>')
[ "$count" -gt 0 ] && echo "$branch: $count matches"
done
```
Then for each branch with matches, show the output function and compare it with mainline.
Document stable-specific differences in a separate `--- stable backports ---` section of
the inventory comment.
**Comment format in CVE files:**
The inventory comment goes in Phase 1, right after `sys_interface_check` returns successfully.
Group entries chronologically by commit, newest last. For each commit, show the hash, the
kernel version it appeared in, and the exact message(s) it introduced or changed. Use `+` to
indicate incremental additions to an enum or format. Example:
```sh
# Complete sysfs message inventory for <vuln>, traced via git blame:
#
# all versions:
# "Not affected" (cpu_show_common, <commit>)
# "Vulnerable" (cpu_show_common fallthrough, <commit>)
#
# <commit> (<version>, <what changed>):
# "Mitigation: <original message>"
# <commit> (<version>, <what changed>):
# "Mitigation: <new message format>"
# <field>: value1 | value2 | value3
# <commit> (<version>, <what changed>):
# <field>: + value4
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
```
The final line (`all messages start with ...`) is a summary that helps verify the grep
patterns used to derive `status` from the message are complete.
The exact combination logic depends on the CVE. Some require **both** microcode and kernel fixes (report VULN if either is missing). Others are mitigated by **either** layer alone (report OK if one is present). Some also require SMT to be disabled — check with `is_cpu_smt_enabled()`.
### Cross-Cutting Features
@@ -594,7 +405,7 @@ Other paranoid-mode effects include requiring unconditional (rather than conditi
The `--vmm` option tells the script whether the system is a hypervisor host running untrusted virtual machines. It accepts three values: `auto` (default, auto-detect by looking for `qemu`/`kvm`/`xen` processes), `yes` (force hypervisor mode), or `no` (force non-hypervisor mode). The result is stored in `g_has_vmm` by the `check_has_vmm()` function.
Some vulnerabilities (e.g. L1TF/CVE-2018-3646, ITLBMH/CVE-2018-12207) only matter - or require additional mitigations - when the host is running a hypervisor with untrusted guests. If `g_has_vmm` is 0, the system can be reported as not vulnerable to these VMM-specific aspects:
Some vulnerabilities (e.g. L1TF/CVE-2018-3646, ITLBMH/CVE-2018-12207) only matter or require additional mitigations when the host is running a hypervisor with untrusted guests. If `g_has_vmm` is 0, the system can be reported as not vulnerable to these VMM-specific aspects:
```sh
if [ "$g_has_vmm" = 0 ]; then
@@ -618,13 +429,13 @@ CVEs that need VMM context should call `check_has_vmm` early in their `_linux()`
### Key Rules to Remember
- **Never hardcode kernel or microcode versions** - detect capabilities directly (design principles 2 and 3).
- **Assume affected by default** - only mark a CPU as unaffected when there is positive evidence (design principle 4).
- **Always handle both live and offline modes** - use `$opt_live` to branch, and print `N/A "not testable in offline mode"` for runtime-only checks when offline.
- **Never hardcode kernel or microcode versions** detect capabilities directly (design principles 2 and 3).
- **Assume affected by default** only mark a CPU as unaffected when there is positive evidence (design principle 4).
- **Always handle both live and offline modes** use `$opt_live` to branch, and print `N/A "not testable in offline mode"` for runtime-only checks when offline.
- **Use `explain()`** when reporting VULN to give actionable remediation advice (see "Cross-Cutting Features" above).
- **Handle `--paranoid` and `--vmm`** when the CVE has stricter mitigation tiers or VMM-specific aspects (see "Cross-Cutting Features" above).
- **All indentation must use tabs** (CI enforces this).
- **Stay POSIX-compatible** - no bashisms, no GNU-only flags in portable code paths.
- **Stay POSIX-compatible** no bashisms, no GNU-only flags in portable code paths.
## Function documentation headers
@@ -650,7 +461,7 @@ Every function must have a documentation header immediately above its definition
**Rules:**
- The `# Sets:` line is critical - it makes global side effects explicit so any reviewer can immediately see what a function mutates.
- The `# Sets:` line is critical it makes global side effects explicit so any reviewer can immediately see what a function mutates.
- The `# Callers:` line is required for all `_`-prefixed functions. It documents which functions depend on this helper, making it safe to refactor.
- Keep descriptions to one line when possible. If more context is needed, add continuation comment lines before the structured lines.
- Parameter documentation uses `$1=name` format. Append `(optional, default X)` for optional parameters.
dist/README.md
Vendored
+35 -85
View File
@@ -1,79 +1,34 @@
Spectre & Meltdown Checker
==========================
A self-contained shell script to assess your system's resilience against the several [transient execution](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability) CVEs that were published since early 2018, and give you guidance as to how to mitigate them.
A shell script to assess your system's resilience against the several [transient execution](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability) CVEs that were published since early 2018, and give you guidance as to how to mitigate them.
## CVE list
CVE | Name | Aliases
--- | ---- | -------
[CVE-2017-5753](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753) | Bounds Check Bypass | Spectre V1
[CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715) | Branch Target Injection | Spectre V2
[CVE-2017-5754](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754) | Rogue Data Cache Load | Meltdown
[CVE-2018-3640](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640) | Rogue System Register Read | Variant 3a
[CVE-2018-3639](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639) | Speculative Store Bypass | Variant 4, SSB
[CVE-2018-3615](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615) | L1 Terminal Fault | Foreshadow (SGX)
[CVE-2018-3620](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620) | L1 Terminal Fault | Foreshadow-NG (OS/SMM)
[CVE-2018-3646](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646) | L1 Terminal Fault | Foreshadow-NG (VMM)
[CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126) | Microarchitectural Store Buffer Data Sampling | MSBDS, Fallout
[CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130) | Microarchitectural Fill Buffer Data Sampling | MFBDS, ZombieLoad
[CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127) | Microarchitectural Load Port Data Sampling | MLPDS, RIDL
[CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | Microarchitectural Data Sampling Uncacheable Memory | MDSUM, RIDL
[CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX Asynchronous Abort | TAA, ZombieLoad V2
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS, CROSSTalk
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | Downfall, GDS
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, SRSO
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix Issue | Reptar
[CVE-2024-36350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36350) | Transient Scheduler Attack, Store Queue | TSA-SQ
[CVE-2024-36357](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36357) | Transient Scheduler Attack, L1 | TSA-L1
## Am I at risk?
Depending on your situation, the table below answers whether an attacker in a given position can extract data from a given target.
The "Userland → Kernel" column also applies within a VM (VM userland vs. VM kernel), since the same CPU mechanisms are at play regardless of virtualization.
Vulnerability | Userland → Kernel | Userland → Userland | VM → Host | VM → VM | Mitigation
------------ | :---------------: | :-----------------: | :-------: | :-----: | ----------
CVE-2017-5753 (Spectre V1) | 💥 | 💥 | 💥 | 💥 | Recompile everything with LFENCE
CVE-2017-5715 (Spectre V2) | 💥 | 💥 | 💥 | 💥 | Microcode + kernel update (or retpoline)
CVE-2017-5754 (Meltdown) | 💥 | ✅ | ✅ | ✅ | Kernel update
CVE-2018-3640 (Variant 3a) | 💥 | ✅ | ✅ | ✅ | Microcode update
CVE-2018-3639 (Variant 4, SSB) | ✅ | 💥 | ✅ | ✅ | Microcode + kernel update
CVE-2018-3615 (Foreshadow, SGX) | ✅ (3) | ✅ (3) | ✅ (3) | ✅ (3) | Microcode update
CVE-2018-3620 (Foreshadow-NG, OS/SMM) | 💥 | ✅ | ✅ | ✅ | Kernel update
CVE-2018-3646 (Foreshadow-NG, VMM) | ✅ | ✅ | 💥 | 💥 | Kernel update (or disable EPT/SMT)
CVE-2018-12126 (MSBDS, Fallout) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2018-12130 (MFBDS, ZombieLoad) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2018-12127 (MLPDS, RIDL) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2019-11091 (MDSUM, RIDL) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2019-11135 (TAA, ZombieLoad V2) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2018-12207 (iTLB Multihit, No eXcuses) | ✅ | ✅ | ☠️ | ✅ | Hypervisor update (or disable hugepages)
CVE-2020-0543 (SRBDS, CROSSTalk) | 💥 (2) | 💥 (2) | 💥 (2) | 💥 (2) | Microcode + kernel update
CVE-2022-40982 (Downfall, GDS) | 💥 | 💥 | 💥 | 💥 | Microcode update (or disable AVX)
CVE-2023-20569 (Inception, SRSO) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update
CVE-2023-20593 (Zenbleed) | 💥 | 💥 | 💥 | 💥 | Microcode update (or kernel workaround)
CVE-2023-23583 (Reptar) | ☠️ | ☠️ | ☠️ | ☠️ | Microcode update
CVE-2024-36350 (TSA-SQ) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2024-36357 (TSA-L1) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
> 💥 Data can be leaked across this boundary.
> ✅ Not affected in this scenario.
> ☠️ Denial of service (system crash or unpredictable behavior), no data leak.
> (1) Cross-process leakage requires SMT (Hyper-Threading) to be active — attacker and victim must share a physical core.
> (2) Only leaks RDRAND/RDSEED output, not arbitrary memory; still allows recovering cryptographic material from any victim.
> (3) CVE-2018-3615 (Foreshadow SGX) inverts the normal trust model: the OS reads SGX enclave data. It is irrelevant unless the system runs SGX enclaves, and the attacker must already have OS-level access.
## Detailed CVE descriptions
CVE | Aliases | Impact | Mitigation | Perf. impact
--- | ------- | ------ | ---------- | ------------
[CVE-2017-5753](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753) | Spectre V1 | Kernel & all software | Recompile with LFENCE-inserting compiler | Negligible
[CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715) | Spectre V2 | Kernel | Microcode (IBRS) and/or retpoline | Medium to high
[CVE-2017-5754](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754) | Meltdown | Kernel | Kernel update (PTI/KPTI) | Low to medium
[CVE-2018-3640](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640) | Variant 3a | Kernel | Microcode update | Negligible
[CVE-2018-3639](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639) | Variant 4, SSB | JIT software | Microcode + kernel update | Low to medium
[CVE-2018-3615](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615) | Foreshadow (SGX) | SGX enclaves | Microcode update | Negligible
[CVE-2018-3620](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620) | Foreshadow-NG (OS/SMM) | Kernel & SMM | Kernel update (PTE inversion) | Negligible
[CVE-2018-3646](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646) | Foreshadow-NG (VMM) | VMM/hypervisors | Kernel update (L1d flush) or disable EPT/SMT | Low to significant
[CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126) | MSBDS, Fallout | Kernel | Microcode + kernel update (MDS group) | Low to significant
[CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130) | MFBDS, ZombieLoad | Kernel | Microcode + kernel update (MDS group) | Low to significant
[CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127) | MLPDS, RIDL | Kernel | Microcode + kernel update (MDS group) | Low to significant
[CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | MDSUM, RIDL | Kernel | Microcode + kernel update (MDS group) | Low to significant
[CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TAA, ZombieLoad V2 | Kernel | Microcode + kernel update | Low to significant
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | iTLB Multihit, No eXcuses | VMM/hypervisors | Disable hugepages or update hypervisor | Low to significant
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | SRBDS, CROSSTalk | All software (RDRAND/RDSEED) | Microcode + kernel update | Low
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Downfall, GDS | Kernel & all software | Microcode update or disable AVX | Negligible to significant (AVX-heavy)
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Inception, SRSO | Kernel & all software | Kernel + microcode update | Low to significant
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Zenbleed | Kernel & all software | Kernel (MSR bit) or microcode update | Negligible
[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Reptar | All software | Microcode update | Low
[CVE-2024-36350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36350) | TSA-SQ | Kernel & all software (AMD) | Microcode + kernel update; SMT increases exposure | Low to medium
[CVE-2024-36357](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36357) | TSA-L1 | Kernel & all software (AMD) | Microcode + kernel update | Low to medium
<details>
<summary>Unfold for more detailed CVE descriptions</summary>
<summary>Detailed CVE descriptions</summary>
**CVE-2017-5753 — Bounds Check Bypass (Spectre Variant 1)**
@@ -155,15 +110,13 @@ On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculative
</details>
## Scope
Supported operating systems:
- Linux (all versions, flavors and distros)
- FreeBSD, NetBSD, DragonFlyBSD and derivatives (others BSDs are [not supported](FAQ.md#which-bsd-oses-are-supported))
For Linux systems, the tool will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number and the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, ...), it also works if you've compiled your own kernel. More information [here](FAQ.md#how-does-this-script-work).
Other operating systems such as MacOS, Windows, ESXi, etc. [will never be supported](FAQ.md#why-is-my-os-not-supported).
Other operating systems such as MacOS, Windows, ESXi, etc. [will most likely never be supported](FAQ.md#why-is-my-os-not-supported).
Supported architectures:
- `x86` (32 bits)
@@ -173,13 +126,15 @@ Supported architectures:
## Frequently Asked Questions (FAQ)
What is the purpose of this tool? Why was it written? How can it be useful to me? How does it work? What can I expect from it?
- What is the purpose of this tool?
- Why was it written?
- How can it be useful to me?
- How does it work?
- What can I expect from it?
All these questions (and more) have detailed answers in the [FAQ](FAQ.md), please have a look!
## Running the script
### Direct way (recommended)
## Easy way to run the script
- Get the latest version of the script using `curl` *or* `wget`
@@ -201,12 +156,9 @@ chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh
```
### Using a docker container
### Run the script in a docker container
<details>
<summary>Unfold for instructions</summary>
Using `docker compose`:
#### With docker-compose
```shell
docker compose build
@@ -216,15 +168,13 @@ docker compose run --rm spectre-meltdown-checker
Note that on older versions of docker, `docker-compose` is a separate command, so you might
need to replace the two `docker compose` occurences above by `docker-compose`.
Using `docker build` directly:
#### Without docker-compose
```shell
docker build -t spectre-meltdown-checker .
docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker
```
</details>
## Example of script output
- Intel Haswell CPU running under Ubuntu 16.04 LTS
src/libs/200_cpu_affected.sh
+126 -144
View File
@@ -1,32 +1,4 @@
# vim: set ts=4 sw=4 sts=4 et:
# Helpers for is_cpu_affected: encode the 4 patterns for setting affected_* variables.
# Each function takes the variable suffix as $1 (e.g. "variantl1tf", not "affected_variantl1tf").
# Variables hold 1 (not affected / immune) or 0 (affected / vuln); empty = not yet decided.
# Set affected_$1 to 1 (not affected) unconditionally.
# Use for: hardware capability bits (cap_rdcl_no, cap_ssb_no, cap_gds_no, cap_tsa_*_no),
# is_cpu_specex_free results, and vendor-wide immune facts (AMD/L1TF, Cavium, etc.).
# This always wins and cannot be overridden by _infer_vuln (which only fires on empty).
# Must not be followed by _set_vuln for the same variable in the same code path.
_set_immune() { eval "affected_$1=1"; }
# Set affected_$1 to 0 (affected) unconditionally.
# Use for: confirmed-vuln model/erratum lists, ARM unknown-CPU fallback.
# Note: intentionally overrides a prior _infer_immune (1) — this is required for ARM
# big.LITTLE cumulative logic where a second vuln core must override a prior safe core.
# Must not be called after _set_immune for the same variable in the same code path.
_set_vuln() { eval "affected_$1=0"; }
# Set affected_$1 to 1 (not affected) only if not yet decided (currently empty).
# Use for: model/family whitelists, per-part ARM immune inferences,
# AMD/ARM partial immunity (immune on this variant axis but not others).
_infer_immune() { eval "[ -z \"\$affected_$1\" ] && affected_$1=1 || :"; }
# Set affected_$1 to 0 (affected) only if not yet decided (currently empty).
# Use for: family-level catch-all fallbacks (Intel L1TF non-whitelist, itlbmh non-whitelist).
_infer_vuln() { eval "[ -z \"\$affected_$1\" ] && affected_$1=0 || :"; }
# Return the cached affected_* status for a given CVE
# Args: $1=cve_id
# Returns: 0 if affected, 1 if not affected
@@ -100,79 +72,79 @@ is_cpu_affected() {
affected_itlbmh=''
affected_srbds=''
# Zenbleed and Inception are both AMD specific, look for "is_amd" below:
_set_immune zenbleed
_set_immune inception
affected_zenbleed=immune
affected_inception=immune
# TSA is AMD specific (Zen 3/4), look for "is_amd" below:
_set_immune tsa
affected_tsa=immune
# Downfall & Reptar are Intel specific, look for "is_intel" below:
_set_immune downfall
_set_immune reptar
affected_downfall=immune
affected_reptar=immune
if is_cpu_mds_free; then
_infer_immune msbds
_infer_immune mfbds
_infer_immune mlpds
_infer_immune mdsum
[ -z "$affected_msbds" ] && affected_msbds=immune
[ -z "$affected_mfbds" ] && affected_mfbds=immune
[ -z "$affected_mlpds" ] && affected_mlpds=immune
[ -z "$affected_mdsum" ] && affected_mdsum=immune
pr_debug "is_cpu_affected: cpu not affected by Microarchitectural Data Sampling"
fi
if is_cpu_taa_free; then
_infer_immune taa
[ -z "$affected_taa" ] && affected_taa=immune
pr_debug "is_cpu_affected: cpu not affected by TSX Asynhronous Abort"
fi
if is_cpu_srbds_free; then
_infer_immune srbds
[ -z "$affected_srbds" ] && affected_srbds=immune
pr_debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling"
fi
if is_cpu_specex_free; then
_set_immune variant1
_set_immune variant2
_set_immune variant3
_set_immune variant3a
_set_immune variant4
_set_immune variantl1tf
_set_immune msbds
_set_immune mfbds
_set_immune mlpds
_set_immune mdsum
_set_immune taa
_set_immune srbds
affected_variant1=immune
affected_variant2=immune
affected_variant3=immune
affected_variant3a=immune
affected_variant4=immune
affected_variantl1tf=immune
affected_msbds=immune
affected_mfbds=immune
affected_mlpds=immune
affected_mdsum=immune
affected_taa=immune
affected_srbds=immune
elif is_intel; then
# Intel
# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
# model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
_set_vuln variant1
_infer_immune variant2
_set_vuln variant3
affected_variant1=vuln
[ -z "$affected_variant2" ] && affected_variant2=immune
affected_variant3=vuln
fi
if [ "$cap_rdcl_no" = 1 ]; then
# capability bit for future Intel processor that will explicitly state
# that they're not affected to Meltdown
# this var is set in check_cpu()
_set_immune variant3
_set_immune variantl1tf
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
pr_debug "is_cpu_affected: RDCL_NO is set so not vuln to meltdown nor l1tf"
fi
if [ "$cap_ssb_no" = 1 ]; then
# capability bit for future Intel processor that will explicitly state
# that they're not affected to Variant 4
# this var is set in check_cpu()
_set_immune variant4
[ -z "$affected_variant4" ] && affected_variant4=immune
pr_debug "is_cpu_affected: SSB_NO is set so not vuln to affected_variant4"
fi
if is_cpu_ssb_free; then
_infer_immune variant4
[ -z "$affected_variant4" ] && affected_variant4=immune
pr_debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to affected_variant4"
fi
# variant 3a
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
pr_debug "is_cpu_affected: xeon phi immune to variant 3a"
_infer_immune variant3a
[ -z "$affected_variant3a" ] && affected_variant3a=immune
elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ]; then
@@ -181,10 +153,10 @@ is_cpu_affected() {
# => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be affected
# => goldmont ARE affected
pr_debug "is_cpu_affected: silvermont immune to variant 3a"
_infer_immune variant3a
[ -z "$affected_variant3a" ] && affected_variant3a=immune
fi
fi
# L1TF (cap_rdcl_no already checked above)
# L1TF (RDCL_NO already checked above)
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_TABLET" ] ||
@@ -205,14 +177,14 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
pr_debug "is_cpu_affected: intel family 6 but model known to be immune to l1tf"
_infer_immune variantl1tf
[ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
else
pr_debug "is_cpu_affected: intel family 6 is vuln to l1tf"
_infer_vuln variantl1tf
affected_variantl1tf=vuln
fi
elif [ "$cpu_family" -lt 6 ]; then
pr_debug "is_cpu_affected: intel family < 6 is immune to l1tf"
_infer_immune variantl1tf
[ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
fi
# Downfall
if [ "$cap_gds_no" = 1 ]; then
@@ -220,7 +192,6 @@ is_cpu_affected() {
# that they're unaffected by GDS. Also set by hypervisors on virtual CPUs
# so that the guest kernel doesn't try to mitigate GDS when it's already mitigated on the host
pr_debug "is_cpu_affected: downfall: not affected (GDS_NO)"
_set_immune downfall
elif [ "$cpu_family" = 6 ]; then
# list from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64094e7e3118aff4b0be8ff713c242303e139834
set -u
@@ -236,7 +207,7 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then
pr_debug "is_cpu_affected: downfall: affected"
_set_vuln downfall
affected_downfall=vuln
elif [ "$cap_avx2" = 0 ] && [ "$cap_avx512" = 0 ]; then
pr_debug "is_cpu_affected: downfall: no avx; immune"
else
@@ -295,7 +266,7 @@ is_cpu_affected() {
)
if [ "$cpu_cpuid" = "$affected_cpuid" ] && [ $((cpu_platformid & ucode_platformid_mask)) -gt 0 ]; then
# this is not perfect as Intel never tells about their EOL CPUs, so more CPUs might be affected but there's no way to tell
_set_vuln reptar
affected_reptar=vuln
g_reptar_fixed_ucode_version=$fixed_ucode_ver
break
fi
@@ -304,26 +275,26 @@ is_cpu_affected() {
elif is_amd || is_hygon; then
# AMD revised their statement about affected_variant2 => affected
# https://www.amd.com/en/corporate/speculative-execution
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
# https://www.amd.com/en/corporate/security-updates
# "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."
_infer_immune variant3a
[ -z "$affected_variant3a" ] && affected_variant3a=immune
if is_cpu_ssb_free; then
_infer_immune variant4
[ -z "$affected_variant4" ] && affected_variant4=immune
pr_debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to affected_variant4"
fi
_set_immune variantl1tf
affected_variantl1tf=immune
# Zenbleed
amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && _set_vuln zenbleed
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && _set_vuln zenbleed
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && _set_vuln zenbleed
amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && affected_zenbleed=vuln
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && affected_zenbleed=vuln
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && affected_zenbleed=vuln
# Inception (according to kernel, zen 1 to 4)
if [ "$cpu_family" = $((0x17)) ] || [ "$cpu_family" = $((0x19)) ]; then
_set_vuln inception
affected_inception=vuln
fi
# TSA (Zen 3/4 are affected, unless CPUID says otherwise)
@@ -332,19 +303,18 @@ is_cpu_affected() {
# they're not affected to TSA-SQ and TSA-L1
# these vars are set in check_cpu()
pr_debug "is_cpu_affected: TSA_SQ_NO and TSA_L1_NO are set so not vuln to TSA"
_set_immune tsa
elif [ "$cpu_family" = $((0x19)) ]; then
_set_vuln tsa
affected_tsa=vuln
fi
elif [ "$cpu_vendor" = CAVIUM ]; then
_set_immune variant3
_set_immune variant3a
_set_immune variantl1tf
affected_variant3=immune
affected_variant3a=immune
affected_variantl1tf=immune
elif [ "$cpu_vendor" = PHYTIUM ]; then
_set_immune variant3
_set_immune variant3a
_set_immune variantl1tf
affected_variant3=immune
affected_variant3a=immune
affected_variantl1tf=immune
elif [ "$cpu_vendor" = ARM ]; then
# ARM
# reference: https://developer.arm.com/support/security-update
@@ -376,73 +346,73 @@ is_cpu_affected() {
# Maintain cumulative check of vulnerabilities -
# if at least one of the cpu is affected, then the system is affected
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_infer_immune variant3a
_infer_immune variant4
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
[ -z "$affected_variant4" ] && affected_variant4=immune
pr_debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_set_vuln variant3a
_infer_immune variant4
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
affected_variant3a=vuln
[ -z "$affected_variant4" ] && affected_variant4=immune
pr_debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_set_vuln variant3a
_set_vuln variant4
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
affected_variant3a=vuln
affected_variant4=vuln
pr_debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_infer_immune variant3a
_set_vuln variant4
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
affected_variant4=vuln
pr_debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
_set_vuln variant1
_set_vuln variant2
_set_vuln variant3
_infer_immune variant3a
_set_vuln variant4
affected_variant1=vuln
affected_variant2=vuln
affected_variant3=vuln
[ -z "$affected_variant3a" ] && affected_variant3a=immune
affected_variant4=vuln
pr_debug "checking cpu$i: armv8 A75 non affected to variant 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
_set_vuln variant1
_infer_immune variant2
_infer_immune variant3
_infer_immune variant3a
_set_vuln variant4
affected_variant1=vuln
[ -z "$affected_variant2" ] && affected_variant2=immune
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
affected_variant4=vuln
pr_debug "checking cpu$i: armv8 A76/A77/NeoverseN1 non affected to variant 2, 3 & 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd40 -e 0xd49 -e 0xd4f; then
_set_vuln variant1
_infer_immune variant2
_infer_immune variant3
_infer_immune variant3a
_infer_immune variant4
affected_variant1=vuln
[ -z "$affected_variant2" ] && affected_variant2=immune
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
[ -z "$affected_variant4" ] && affected_variant4=immune
pr_debug "checking cpu$i: armv8 NeoverseN2/V1/V2 non affected to variant 2, 3, 3a & 4"
elif [ "$cpuarch" -le 7 ] || { [ "$cpuarch" = 8 ] && [ $((cpupart)) -lt $((0xd07)) ]; }; then
_infer_immune variant1
_infer_immune variant2
_infer_immune variant3
_infer_immune variant3a
_infer_immune variant4
[ -z "$affected_variant1" ] && affected_variant1=immune
[ -z "$affected_variant2" ] && affected_variant2=immune
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
[ -z "$affected_variant4" ] && affected_variant4=immune
pr_debug "checking cpu$i: arm arch$cpuarch, all immune (v7 or v8 and model < 0xd07)"
else
_set_vuln variant1
_set_vuln variant2
_set_vuln variant3
_set_vuln variant3a
_set_vuln variant4
affected_variant1=vuln
affected_variant2=vuln
affected_variant3=vuln
affected_variant3a=vuln
affected_variant4=vuln
pr_debug "checking cpu$i: arm unknown arch$cpuarch part$cpupart, considering vuln"
fi
fi
pr_debug "is_cpu_affected: for cpu$i and so far, we have <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4>"
done
_set_immune variantl1tf
affected_variantl1tf=immune
fi
# we handle iTLB Multihit here (not linked to is_specex_free)
@@ -465,31 +435,43 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
pr_debug "is_cpu_affected: intel family 6 but model known to be immune to itlbmh"
_infer_immune itlbmh
[ -z "$affected_itlbmh" ] && affected_itlbmh=immune
else
pr_debug "is_cpu_affected: intel family 6 is vuln to itlbmh"
_infer_vuln itlbmh
affected_itlbmh=vuln
fi
elif [ "$cpu_family" -lt 6 ]; then
pr_debug "is_cpu_affected: intel family < 6 is immune to itlbmh"
_infer_immune itlbmh
[ -z "$affected_itlbmh" ] && affected_itlbmh=immune
fi
else
pr_debug "is_cpu_affected: non-intel not affected to itlbmh"
_infer_immune itlbmh
[ -z "$affected_itlbmh" ] && affected_itlbmh=immune
fi
# shellcheck disable=SC2154 # affected_zenbleed/inception/tsa/downfall/reptar set via eval (_set_immune)
{
pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a"
pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds"
pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds"
pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar"
}
pr_debug "is_cpu_affected: temp results are <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4> <$affected_variantl1tf>"
[ "$affected_variant1" = "immune" ] && affected_variant1=1 || affected_variant1=0
[ "$affected_variant2" = "immune" ] && affected_variant2=1 || affected_variant2=0
[ "$affected_variant3" = "immune" ] && affected_variant3=1 || affected_variant3=0
[ "$affected_variant3a" = "immune" ] && affected_variant3a=1 || affected_variant3a=0
[ "$affected_variant4" = "immune" ] && affected_variant4=1 || affected_variant4=0
[ "$affected_variantl1tf" = "immune" ] && affected_variantl1tf=1 || affected_variantl1tf=0
[ "$affected_msbds" = "immune" ] && affected_msbds=1 || affected_msbds=0
[ "$affected_mfbds" = "immune" ] && affected_mfbds=1 || affected_mfbds=0
[ "$affected_mlpds" = "immune" ] && affected_mlpds=1 || affected_mlpds=0
[ "$affected_mdsum" = "immune" ] && affected_mdsum=1 || affected_mdsum=0
[ "$affected_taa" = "immune" ] && affected_taa=1 || affected_taa=0
[ "$affected_itlbmh" = "immune" ] && affected_itlbmh=1 || affected_itlbmh=0
[ "$affected_srbds" = "immune" ] && affected_srbds=1 || affected_srbds=0
[ "$affected_zenbleed" = "immune" ] && affected_zenbleed=1 || affected_zenbleed=0
[ "$affected_downfall" = "immune" ] && affected_downfall=1 || affected_downfall=0
[ "$affected_inception" = "immune" ] && affected_inception=1 || affected_inception=0
[ "$affected_reptar" = "immune" ] && affected_reptar=1 || affected_reptar=0
[ "$affected_tsa" = "immune" ] && affected_tsa=1 || affected_tsa=0
affected_variantl1tf_sgx="$affected_variantl1tf"
# even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
[ "$cap_sgx" = 0 ] && _set_immune variantl1tf_sgx
pr_debug "is_cpu_affected: variantl1tf_sgx=<$affected_variantl1tf_sgx>"
[ "$cap_sgx" = 0 ] && affected_variantl1tf_sgx=1
pr_debug "is_cpu_affected: final results are <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4> <$affected_variantl1tf> <$affected_variantl1tf_sgx>"
g_is_cpu_affected_cached=1
_is_cpu_affected_cached "$1"
return $?
src/libs/400_hw_check.sh
+52 -98
View File
@@ -481,27 +481,26 @@ check_cpu() {
pr_info_nol " * CPU indicates STIBP capability: "
# intel: A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
# amd: 8000_0008 EBX[15]=1
cap_stibp=''
if is_intel; then
read_cpuid 0x7 0x0 $EDX 27 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES "Intel STIBP feature bit"
cap_stibp='Intel STIBP'
#cpuid_stibp='Intel STIBP'
fi
elif is_amd; then
read_cpuid 0x80000008 0x0 $EBX 15 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES "AMD STIBP feature bit"
cap_stibp='AMD STIBP'
#cpuid_stibp='AMD STIBP'
fi
elif is_hygon; then
read_cpuid 0x80000008 0x0 $EBX 15 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES "HYGON STIBP feature bit"
cap_stibp='HYGON STIBP'
#cpuid_stibp='HYGON STIBP'
fi
else
ret=invalid
@@ -663,8 +662,6 @@ check_cpu() {
pr_info_nol " * Indirect Predictor Disable feature is available: "
read_cpuid 0x7 0x2 $EDX 1 1 1
ret=$?
# cap_ipred is not yet used in verdict logic (no kernel sysfs/config to cross-reference)
# shellcheck disable=SC2034
if [ $ret = $READ_CPUID_RET_OK ]; then
cap_ipred=1
pstatus green YES "IPRED_CTRL feature bit"
@@ -703,6 +700,9 @@ check_cpu() {
cap_bhi=-1
pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
fi
# make shellcheck happy while we're not yet using these new cpuid values in our checks
export cap_ipred cap_rrsba cap_bhi
fi
if is_intel; then
@@ -1006,20 +1006,6 @@ check_cpu() {
else
pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
fi
pr_info_nol " * CPU indicates AutoIBRS capability: "
cap_autoibrs=''
read_cpuid 0x80000021 0x0 $EAX 8 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES
cap_autoibrs=1
elif [ $ret = $READ_CPUID_RET_KO ]; then
pstatus yellow NO
cap_autoibrs=0
else
pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
fi
fi
pr_info_nol " * CPU supports Transactional Synchronization Extensions (TSX): "
@@ -1173,92 +1159,60 @@ check_redhat_canonical_spectre() {
fi
}
# Detect whether this system is hosting virtual machines (hypervisor check).
# Detection runs only on the first call; subsequent calls reuse the cached
# result. The status line is always printed so each CVE section shows the
# hypervisor context to the user.
# Sets: g_has_vmm, g_has_vmm_reason
# Detect whether this system is hosting virtual machines (hypervisor check)
# Sets: g_has_vmm
check_has_vmm() {
local binary pid
pr_info_nol "* This system is a host running a hypervisor: "
if [ "$g_has_vmm_cached" != 1 ]; then
g_has_vmm=$opt_vmm
if [ "$g_has_vmm" != -1 ]; then
# --vmm was explicitly set on the command line
g_has_vmm_reason="forced from command line"
elif [ "$opt_paranoid" = 1 ]; then
# In paranoid mode, if --vmm was not specified on the command-line,
# we want to be secure before everything else, so assume we're running
# a hypervisor, as this requires more mitigations
g_has_vmm=1
g_has_vmm_reason="paranoid mode"
else
# Here, we want to know if we are hosting a hypervisor, and running some VMs on it.
# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
# this can always be overridden with --vmm in any case.
g_has_vmm=0
if command -v pgrep >/dev/null 2>&1; then
# Exclude xenbus/xenwatch (present inside domU guests) and
# libvirtd (also manages containers, not just VMs).
# Use pgrep -x (exact match) for most binaries. QEMU is
# special: the binary is almost never just "qemu" — it is
# "qemu-system-x86_64", "qemu-system-aarch64", etc. We
# keep "qemu" for the rare wrapper/symlink case and add
# "qemu-system-" as a substring match via a separate pgrep
# call (without -x) to catch all qemu-system-* variants.
# Kernel threads (e.g. [kvm-irqfd-clean]) are filtered out
# below via the /proc/$pid/exe symlink check.
# Note: the kernel truncates process names to 15 chars
# (TASK_COMM_LEN), so pgrep -x can't match longer names.
# "cloud-hypervisor" (16 chars) is handled in the substring
# block below alongside qemu-system-*.
for binary in qemu kvm xenstored xenconsoled \
VBoxHeadless VBoxSVC vmware-vmx firecracker bhyve; do
for pid in $(pgrep -x "$binary"); do
# resolve the exe symlink, if it doesn't resolve with -m,
# which doesn't even need the dest to exist, it means the symlink
# is null, which is the case for kernel threads: ignore those to
# avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7)
if ! [ "$(readlink -m "/proc/$pid/exe")" = "/proc/$pid/exe" ]; then
pr_debug "g_has_vmm: found PID $pid ($binary)"
g_has_vmm=1
g_has_vmm_reason="$binary process found (PID $pid)"
fi
done
g_has_vmm=$opt_vmm
if [ "$g_has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then
# In paranoid mode, if --vmm was not specified on the command-line,
# we want to be secure before everything else, so assume we're running
# a hypervisor, as this requires more mitigations
g_has_vmm=2
elif [ "$g_has_vmm" = -1 ]; then
# Here, we want to know if we are hosting a hypervisor, and running some VMs on it.
# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
# this can always be overridden with --vmm in any case.
g_has_vmm=0
if command -v pgrep >/dev/null 2>&1; then
# remove xenbus and xenwatch, also present inside domU
# remove libvirtd as it can also be used to manage containers and not VMs
# for each binary we want to grep, get the pids
for binary in qemu kvm xenstored xenconsoled; do
for pid in $(pgrep -x "$binary"); do
# resolve the exe symlink, if it doesn't resolve with -m,
# which doesn't even need the dest to exist, it means the symlink
# is null, which is the case for kernel threads: ignore those to
# avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7)
if ! [ "$(readlink -m "/proc/$pid/exe")" = "/proc/$pid/exe" ]; then
pr_debug "g_has_vmm: found PID $pid"
g_has_vmm=1
fi
done
# substring matches for names that pgrep -x can't handle:
# - qemu-system-*: variable suffix (x86_64, aarch64, ...)
# - cloud-hypervisor: 16 chars, exceeds TASK_COMM_LEN (15)
if [ "$g_has_vmm" = 0 ]; then
for binary in "qemu-system-" "cloud-hyperviso"; do
for pid in $(pgrep "$binary"); do
if ! [ "$(readlink -m "/proc/$pid/exe")" = "/proc/$pid/exe" ]; then
pr_debug "g_has_vmm: found PID $pid ($binary*)"
g_has_vmm=1
g_has_vmm_reason="$binary* process found (PID $pid)"
fi
done
done
fi
unset binary pid
else
# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
# shellcheck disable=SC2009
if command -v ps >/dev/null && ps ax | grep -vw grep | grep -q \
-e '\<qemu' -e '/qemu' -e '\<kvm' -e '/kvm' \
-e '/xenstored' -e '/xenconsoled' \
-e '\<VBoxHeadless' -e '\<VBoxSVC' -e '\<vmware-vmx' \
-e '\<firecracker' -e '\<cloud-hypervisor' -e '\<bhyve'; then
g_has_vmm=1
g_has_vmm_reason="hypervisor process found"
fi
done
unset binary pid
else
# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
# shellcheck disable=SC2009
if command -v ps >/dev/null && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
g_has_vmm=1
fi
fi
g_has_vmm_cached=1
fi
if [ "$g_has_vmm" = 0 ]; then
pstatus green NO "$g_has_vmm_reason"
if [ "$opt_vmm" != -1 ]; then
pstatus green NO "forced from command line"
else
pstatus green NO
fi
else
pstatus blue YES "$g_has_vmm_reason"
if [ "$opt_vmm" != -1 ]; then
pstatus blue YES "forced from command line"
elif [ "$g_has_vmm" = 2 ]; then
pstatus blue YES "paranoid mode"
else
pstatus blue YES
fi
fi
}
src/vulns/CVE-2017-5715.sh
+136 -730
View File
@@ -3,224 +3,22 @@
# SPECTRE 2 SECTION
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - entry point
# Sets: vulnstatus
check_CVE_2017_5715() {
check_cve 'CVE-2017-5715'
}
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - Linux mitigation check
# Sets: g_ibrs_can_tell, g_ibrs_supported, g_ibrs_enabled, g_ibrs_fw_enabled,
# g_ibpb_can_tell, g_ibpb_supported, g_ibpb_enabled, g_specex_knob_dir
check_CVE_2017_5715_linux() {
local status sys_interface_available msg dir bp_harden_can_tell bp_harden retpoline retpoline_compiler retpoline_compiler_reason retp_enabled rsb_filling
local v2_base_mode v2_stibp_status v2_pbrsb_status v2_bhi_status v2_ibpb_mode v2_vuln_module v2_is_autoibrs smt_enabled
local status sys_interface_available msg dir bp_harden_can_tell bp_harden retpoline retpoline_compiler retpoline_compiler_reason retp_enabled rsb_filling explain_hypervisor
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "$VULN_SYSFS_BASE/spectre_v2"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
#
# Complete sysfs message inventory for spectre_v2, traced via git blame
# on mainline (~/linux) and stable (~/linux-stable):
#
# all versions:
# "Not affected" (cpu_show_common, 61dc0f555b5c)
# "Vulnerable" (cpu_show_common fallthrough / spectre_v2_strings[NONE], 61dc0f555b5c)
#
# The output is a composite string: <base>[<ibpb>][<ibrs_fw>][<stibp>][<rsb>][<pbrsb>][<bhi>][<module>]
# where <base> comes from spectre_v2_strings[] (or an early-return override),
# and the remaining fields are appended by helper functions.
# Before v6.9-rc4 (0cd01ac5dcb1), fields were separated by ", ".
# From v6.9-rc4 onward, fields are separated by "; ".
#
# --- base string (spectre_v2_strings[]) ---
#
# da285121560e (v4.15, initial spectre_v2 sysfs):
# "Vulnerable"
# "Mitigation: None" (documented in spectre.rst 5ad3eb113245,
# not found in code but listed as a possible value; treat as vulnerable / sysfs override)
# "Vulnerable: Minimal generic ASM retpoline"
# "Vulnerable: Minimal AMD ASM retpoline"
# "Mitigation: Full generic retpoline"
# "Mitigation: Full AMD retpoline"
# 706d51681d63 (v4.19, added Enhanced IBRS):
# + "Mitigation: Enhanced IBRS"
# ef014aae8f1c (v4.20-rc5, removed minimal retpoline):
# - "Vulnerable: Minimal generic ASM retpoline"
# - "Vulnerable: Minimal AMD ASM retpoline"
# d45476d98324 (v5.17-rc8, renamed retpoline variants):
# "Mitigation: Full generic retpoline" -> "Mitigation: Retpolines"
# "Mitigation: Full AMD retpoline" -> "Mitigation: LFENCE" (in array)
# NOTE: "Mitigation: LFENCE" was the actual sysfs output for a brief window
# (between d45476d98324 and eafd987d4a82, both in v5.17-rc8) before the
# show_state override reclassified it as "Vulnerable: LFENCE". LFENCE alone
# is now considered an insufficient mitigation for Spectre v2. Any kernel
# reporting "Mitigation: LFENCE" is from this narrow window and should be
# treated as vulnerable.
# 1e19da8522c8 (v5.17-rc8, split Enhanced IBRS into 3 modes):
# "Mitigation: Enhanced IBRS" -> "Mitigation: Enhanced IBRS" (EIBRS alone)
# + "Mitigation: Enhanced IBRS + LFENCE"
# + "Mitigation: Enhanced IBRS + Retpolines"
# 7c693f54c873 (v5.19-rc7, added kernel IBRS):
# + "Mitigation: IBRS"
# e7862eda309e (v6.3-rc1, AMD Automatic IBRS):
# "Mitigation: Enhanced IBRS" -> "Mitigation: Enhanced / Automatic IBRS"
# "Mitigation: Enhanced IBRS + LFENCE" -> "Mitigation: Enhanced / Automatic IBRS + LFENCE"
# "Mitigation: Enhanced IBRS + Retpolines" -> "Mitigation: Enhanced / Automatic IBRS + Retpolines"
# d1cc1baef67a (v6.18-rc1, fixed LFENCE in array):
# "Mitigation: LFENCE" -> "Vulnerable: LFENCE" (in array, matching the
# show_state override that had been correcting the sysfs output since v5.17)
#
# --- early-return overrides in spectre_v2_show_state() ---
#
# These bypass the base string + suffix format entirely.
#
# eafd987d4a82 (v5.17-rc8, LFENCE override):
# "Vulnerable: LFENCE"
# (overrode the array's "Mitigation: LFENCE"; removed in v6.18-rc1 when the array
# was fixed to say "Vulnerable: LFENCE" directly)
# 44a3918c8245 (v5.17-rc8, created spectre_v2_show_state, eIBRS+eBPF):
# "Vulnerable: Unprivileged eBPF enabled"
# (immediately renamed below)
# 0de05d056afd (v5.17-rc8, renamed + added eIBRS+LFENCE case):
# "Vulnerable: Unprivileged eBPF enabled" -> "Vulnerable: eIBRS with unprivileged eBPF"
# + "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT"
#
# --- <ibpb> suffix (ibpb_state()) ---
#
# 20ffa1caecca (v4.16-rc1, initial IBPB):
# ", IBPB" (present/absent)
# a8f76ae41cd6 (v4.20-rc5, extracted ibpb_state()):
# ", IBPB: disabled" | ", IBPB: always-on"
# 7cc765a67d8e (v4.20-rc5, conditional IBPB):
# + ", IBPB: conditional"
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", IBPB: ..." -> "; IBPB: ..."
#
# --- <ibrs_fw> suffix ---
#
# dd84441a7971 (v4.16-rc4):
# ", IBRS_FW" (present/absent)
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", IBRS_FW" -> "; IBRS_FW"
#
# --- <stibp> suffix (stibp_state()) ---
#
# 53c613fe6349 (v4.20-rc1, initial STIBP):
# ", STIBP" (present/absent)
# a8f76ae41cd6 (v4.20-rc5, extracted stibp_state()):
# ", STIBP: disabled" | ", STIBP: forced"
# 9137bb27e60e (v4.20-rc5, added prctl):
# + ", STIBP: conditional" (when prctl/seccomp + switch_to_cond_stibp)
# 20c3a2c33e9f (v5.0-rc1, added always-on preferred):
# + ", STIBP: always-on"
# 34bce7c9690b (v4.20-rc5, eIBRS suppresses STIBP):
# returns "" when eIBRS is in use
# fd470a8beed8 (v6.5-rc4, AutoIBRS exception):
# returns "" only when eIBRS AND not AutoIBRS (AutoIBRS shows STIBP)
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", STIBP: ..." -> "; STIBP: ..."
#
# --- <rsb> suffix ---
#
# bb4b3b776273 (v4.20-rc1):
# ", RSB filling" (present/absent)
# 53c613fe6349 (v4.20-rc1, temporarily removed, re-added in a8f76ae41cd6)
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", RSB filling" -> "; RSB filling"
#
# --- <pbrsb> suffix (pbrsb_eibrs_state()) ---
#
# 2b1299322016 (v6.0-rc1):
# ", PBRSB-eIBRS: Not affected" | ", PBRSB-eIBRS: SW sequence" | ", PBRSB-eIBRS: Vulnerable"
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", PBRSB-eIBRS: ..." -> "; PBRSB-eIBRS: ..."
#
# --- <bhi> suffix (spectre_bhi_state()) ---
#
# ec9404e40e8f (v6.9-rc4):
# "; BHI: Not affected" | "; BHI: BHI_DIS_S" | "; BHI: SW loop, KVM: SW loop"
# | "; BHI: Retpoline" | "; BHI: Vulnerable"
# 95a6ccbdc719 (v6.9-rc4, KVM default):
# + "; BHI: Vulnerable, KVM: SW loop"
# 5f882f3b0a8b (v6.9-rc4, clarified syscall hardening):
# removed "; BHI: Vulnerable (Syscall hardening enabled)"
# removed "; BHI: Syscall hardening, KVM: SW loop"
# (both replaced by "; BHI: Vulnerable" / "; BHI: Vulnerable, KVM: SW loop")
#
# --- <module> suffix (spectre_v2_module_string()) ---
#
# caf7501a1b4e (v4.16-rc1):
# " - vulnerable module loaded" (present/absent)
#
# --- stable backports ---
#
# 3.2.y: old-style base strings ("Full generic/AMD retpoline", "Minimal generic/AMD
# ASM retpoline"). Suffixes: ", IBPB" only (no STIBP/IBRS_FW/RSB). Format: %s%s\n.
# Has "Mitigation: Enhanced IBRS" (no "/ Automatic") in later releases.
# 3.16.y, 4.4.y: old-style base strings. ibpb_state()/stibp_state()/IBRS_FW/RSB filling.
# 3.16.y lacks STIBP "always-on". Comma separators.
# Both have "Mitigation: Enhanced IBRS" (no "/ Automatic"). No LFENCE/EIBRS modes.
# 4.9.y: has spectre_v2_show_state() with LFENCE override ("Vulnerable: LFENCE"),
# eIBRS+eBPF overrides. "Mitigation: Enhanced IBRS" (no "/ Automatic").
# No SPECTRE_V2_IBRS. No pbrsb or BHI. Comma separators.
# 4.14.y: like 4.9.y but also has SPECTRE_V2_IBRS and pbrsb_eibrs_state().
# "Mitigation: Enhanced IBRS" (no "/ Automatic"). No BHI. Comma separators.
# 4.19.y: like 4.14.y but has "Enhanced / Automatic IBRS". No BHI. Comma separators.
# 5.4.y, 5.10.y: like 4.19.y. No BHI. Comma separators.
# 5.15.y, 6.1.y, 6.6.y, 6.12.y: match mainline (semicolons, BHI, all fields).
#
# --- Red Hat / CentOS / Rocky kernels ---
#
# Red Hat kernels carry their own spectre_v2 mitigation implementation that differs
# significantly from mainline. The following strings are unique to Red Hat kernels:
#
# centos6 (RHEL 6, kernel 2.6.32): base strings are a superset of mainline v4.15:
# "Vulnerable: Minimal ASM retpoline" (no "generic" qualifier)
# "Vulnerable: Minimal AMD ASM retpoline"
# "Vulnerable: Retpoline without IBPB"
# "Vulnerable: Retpoline on Skylake+" (removed in later centos6 releases)
# "Vulnerable: Retpoline with unsafe module(s)"
# "Mitigation: Full AMD retpoline"
# "Mitigation: Full retpoline" (no "generic" qualifier)
# "Mitigation: Full retpoline and IBRS (user space)"
# "Mitigation: IBRS (kernel)"
# "Mitigation: IBRS (kernel and user space)"
# "Mitigation: IBP disabled"
# Suffixes: ", IBPB" only. Format: %s%s\n.
#
# centos7 (RHEL 7, kernel 3.10): early releases have all centos6 strings plus
# "Vulnerable: Retpoline on Skylake+". Later releases removed Skylake+ and
# Minimal AMD, and changed AMD retpoline to:
# "Vulnerable: AMD retpoline (LFENCE/JMP)"
# Added "Mitigation: Enhanced IBRS". Suffixes: ibpb_state() + stibp_state()
# with simple ", IBPB" / ", STIBP" strings. No IBRS_FW/RSB/pbrsb/BHI.
#
# centos8 (RHEL 8, kernel 4.18): uses mainline v5.17+ style enum names
# (RETPOLINE/LFENCE/EIBRS) but retains RHEL-specific entries:
# "Mitigation: IBRS (kernel)" (SPECTRE_V2_IBRS)
# "Mitigation: Full retpoline and IBRS (user space)" (SPECTRE_V2_RETPOLINE_IBRS_USER)
# "Mitigation: IBRS (kernel and user space)" (SPECTRE_V2_IBRS_ALWAYS)
# "Mitigation: Enhanced IBRS" (no "/ Automatic"). spectre_v2_show_state() with
# LFENCE/eIBRS+eBPF overrides. Comma separators. No pbrsb/BHI.
#
# rocky9 (RHEL 9, kernel 5.14): matches mainline. Semicolons, BHI, all fields.
# rocky10 (RHEL 10, kernel 6.12): matches mainline.
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
fi
if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm
v2_base_mode=''
v2_stibp_status=''
v2_pbrsb_status=''
v2_bhi_status=''
v2_ibpb_mode=''
v2_vuln_module=''
v2_is_autoibrs=0
pr_info "* Mitigation 1"
g_ibrs_can_tell=0
@@ -599,233 +397,6 @@ check_CVE_2017_5715_linux() {
fi
fi
# Mitigation 3: derive structured mitigation variables for the verdict.
# These are set from sysfs fields (when available) with hardware fallbacks.
pr_info "* Mitigation 3 (sub-mitigations)"
# --- v2_base_mode: which base Spectre v2 mitigation is active ---
pr_info_nol " * Base Spectre v2 mitigation mode: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
# Parse from sysfs (handle all mainline, stable, and RHEL variants)
case "$ret_sys_interface_check_fullmsg" in
*"Enhanced / Automatic IBRS + LFENCE"* | *"Enhanced IBRS + LFENCE"*) v2_base_mode=eibrs_lfence ;;
*"Enhanced / Automatic IBRS + Retpolines"* | *"Enhanced IBRS + Retpolines"*) v2_base_mode=eibrs_retpoline ;;
*"Enhanced / Automatic IBRS"* | *"Enhanced IBRS"*) v2_base_mode=eibrs ;;
*"Mitigation: IBRS (kernel and user space)"*) v2_base_mode=ibrs ;;
*"Mitigation: IBRS (kernel)"*) v2_base_mode=ibrs ;;
*"Mitigation: IBRS"*) v2_base_mode=ibrs ;;
*"Mitigation: Retpolines"* | *"Full generic retpoline"* | *"Full retpoline"* | *"Full AMD retpoline"*) v2_base_mode=retpoline ;;
*"Vulnerable: LFENCE"* | *"Mitigation: LFENCE"*) v2_base_mode=lfence ;;
*"Vulnerable"*) v2_base_mode=none ;;
*) v2_base_mode=unknown ;;
esac
fi
# Fallback to existing variables if sysfs didn't provide a base mode
if [ -z "$v2_base_mode" ] || [ "$v2_base_mode" = "unknown" ]; then
if [ "$g_ibrs_enabled" = 4 ]; then
v2_base_mode=eibrs
elif [ -n "$g_ibrs_enabled" ] && [ "$g_ibrs_enabled" -ge 1 ] 2>/dev/null; then
v2_base_mode=ibrs
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ]; then
v2_base_mode=retpoline
elif [ "$retpoline" = 1 ]; then
v2_base_mode=retpoline
fi
fi
case "$v2_base_mode" in
eibrs) pstatus green "Enhanced / Automatic IBRS" ;;
eibrs_lfence) pstatus green "Enhanced / Automatic IBRS + LFENCE" ;;
eibrs_retpoline) pstatus green "Enhanced / Automatic IBRS + Retpolines" ;;
ibrs) pstatus green "IBRS" ;;
retpoline) pstatus green "Retpolines" ;;
lfence) pstatus red "LFENCE (insufficient)" ;;
none) pstatus yellow "None" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_is_autoibrs: AMD AutoIBRS vs Intel eIBRS ---
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
if [ "$cap_autoibrs" = 1 ] || { (is_amd || is_hygon) && [ "$cap_ibrs_all" != 1 ]; }; then
v2_is_autoibrs=1
fi
;;
esac
# --- v2_ibpb_mode ---
pr_info_nol " * IBPB mode: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"IBPB: always-on"*) v2_ibpb_mode=always-on ;;
*"IBPB: conditional"*) v2_ibpb_mode=conditional ;;
*"IBPB: disabled"*) v2_ibpb_mode=disabled ;;
*", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;;
*) v2_ibpb_mode=disabled ;;
esac
elif [ "$opt_live" = 1 ]; then
case "$g_ibpb_enabled" in
2) v2_ibpb_mode=always-on ;;
1) v2_ibpb_mode=conditional ;;
0) v2_ibpb_mode=disabled ;;
*) v2_ibpb_mode=unknown ;;
esac
else
v2_ibpb_mode=unknown
fi
case "$v2_ibpb_mode" in
always-on) pstatus green YES "always-on" ;;
conditional) pstatus green YES "conditional" ;;
disabled) pstatus yellow NO "disabled" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_stibp_status ---
pr_info_nol " * STIBP status: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"STIBP: always-on"*) v2_stibp_status=always-on ;;
*"STIBP: forced"*) v2_stibp_status=forced ;;
*"STIBP: conditional"*) v2_stibp_status=conditional ;;
*"STIBP: disabled"*) v2_stibp_status=disabled ;;
*", STIBP"* | *"; STIBP"*) v2_stibp_status=forced ;;
*)
# No STIBP field: Intel eIBRS suppresses it (implicit cross-thread protection)
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
if [ "$v2_is_autoibrs" != 1 ]; then
v2_stibp_status=eibrs-implicit
else
v2_stibp_status=unknown
fi
;;
*) v2_stibp_status=unknown ;;
esac
;;
esac
else
# No sysfs: use hardware capability + context to infer STIBP status
if [ "$smt_enabled" != 0 ]; then
# SMT disabled or unknown: STIBP is not needed
v2_stibp_status=not-needed
else
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
if [ "$v2_is_autoibrs" != 1 ]; then
# Intel eIBRS provides implicit cross-thread protection
v2_stibp_status=eibrs-implicit
elif [ -n "$cap_stibp" ]; then
# AMD AutoIBRS: CPU supports STIBP but can't confirm runtime state
v2_stibp_status=unknown
else
# No STIBP support on this CPU
v2_stibp_status=unavailable
fi
;;
*)
if [ -n "$cap_stibp" ]; then
# CPU supports STIBP but can't confirm runtime state without sysfs
v2_stibp_status=unknown
else
# CPU does not support STIBP at all
v2_stibp_status=unavailable
fi
;;
esac
fi
fi
case "$v2_stibp_status" in
always-on) pstatus green YES "always-on" ;;
forced) pstatus green YES "forced" ;;
conditional) pstatus green YES "conditional" ;;
eibrs-implicit) pstatus green YES "implicit via eIBRS" ;;
not-needed) pstatus green YES "not needed (SMT disabled)" ;;
unavailable) pstatus red NO "CPU does not support STIBP" ;;
disabled) pstatus yellow NO "disabled" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_pbrsb_status (only relevant for eIBRS) ---
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
pr_info_nol " * PBRSB-eIBRS mitigation: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"PBRSB-eIBRS: Not affected"*) v2_pbrsb_status=not-affected ;;
*"PBRSB-eIBRS: SW sequence"*) v2_pbrsb_status=sw-sequence ;;
*"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;;
*) v2_pbrsb_status=unknown ;;
esac
elif [ "$opt_live" != 1 ] && [ -n "$g_kernel" ]; then
if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then
v2_pbrsb_status=sw-sequence
else
v2_pbrsb_status=unknown
fi
else
v2_pbrsb_status=unknown
fi
case "$v2_pbrsb_status" in
not-affected) pstatus green "Not affected" ;;
sw-sequence) pstatus green "SW sequence" ;;
vulnerable) pstatus red "Vulnerable" ;;
*) pstatus yellow UNKNOWN ;;
esac
;;
*) v2_pbrsb_status=n/a ;;
esac
# --- v2_bhi_status ---
pr_info_nol " * BHI mitigation: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"BHI: Not affected"*) v2_bhi_status=not-affected ;;
*"BHI: BHI_DIS_S"*) v2_bhi_status=bhi_dis_s ;;
*"BHI: SW loop"*) v2_bhi_status=sw-loop ;;
*"BHI: Retpoline"*) v2_bhi_status=retpoline ;;
*"BHI: Vulnerable, KVM: SW loop"*) v2_bhi_status=vuln-kvm-loop ;;
*"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;;
*) v2_bhi_status=unknown ;;
esac
elif [ "$opt_live" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then
if [ "$cap_bhi" = 1 ]; then
v2_bhi_status=bhi_dis_s
else
v2_bhi_status=sw-loop
fi
else
v2_bhi_status=unknown
fi
else
v2_bhi_status=unknown
fi
case "$v2_bhi_status" in
not-affected) pstatus green "Not affected" ;;
bhi_dis_s) pstatus green "BHI_DIS_S (hardware)" ;;
sw-loop) pstatus green "SW loop" ;;
retpoline) pstatus green "Retpoline" ;;
vuln-kvm-loop) pstatus yellow "Vulnerable (KVM: SW loop)" ;;
vulnerable) pstatus red "Vulnerable" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_vuln_module ---
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
pr_info_nol " * Non-retpoline module loaded: "
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then
v2_vuln_module=1
pstatus red YES
else
v2_vuln_module=0
pstatus green NO
fi
fi
# --- SMT state (used in verdict) ---
is_cpu_smt_enabled
smt_enabled=$?
# smt_enabled: 0=enabled, 1=disabled, 2=unknown
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
@@ -835,310 +406,145 @@ check_CVE_2017_5715_linux() {
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
if [ "$opt_sysfs_only" != 1 ]; then
# --- own logic using Phase 2 variables ---
# Helper: collect caveats for the verdict message
_v2_caveats=''
_v2_add_caveat() { _v2_caveats="${_v2_caveats:+$_v2_caveats; }$1"; }
# ARM branch predictor hardening (unchanged)
if [ -n "$bp_harden" ]; then
pvulnstatus "$cve" OK "Branch predictor hardening mitigates the vulnerability"
elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then
pvulnstatus "$cve" VULN "Branch predictor hardening is needed to mitigate the vulnerability"
explain "Your kernel has not been compiled with the CONFIG_UNMAP_KERNEL_AT_EL0 option, recompile it with this option enabled."
# LFENCE-only is always VULN (reclassified in v5.17)
elif [ "$v2_base_mode" = "lfence" ]; then
pvulnstatus "$cve" VULN "LFENCE alone is not a sufficient Spectre v2 mitigation"
explain "LFENCE-based indirect branch mitigation was reclassified as vulnerable starting with Linux v5.17. Use retpoline (spectre_v2=retpoline) or IBRS-based mitigations (spectre_v2=eibrs or spectre_v2=ibrs) instead. If your CPU supports Enhanced IBRS, that is the preferred option."
# eIBRS paths (eibrs / eibrs_lfence / eibrs_retpoline)
elif [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ] || [ "$v2_base_mode" = "eibrs_retpoline" ]; then
_v2_caveats=''
_v2_ok=1
# BHI check: eIBRS alone doesn't protect against BHI
if [ "$v2_bhi_status" = "vulnerable" ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable"
elif [ "$v2_bhi_status" = "unknown" ] && is_intel; then
if [ "$cap_bhi" = 0 ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, no kernel mitigation detected)"
elif [ "$cap_rrsba" != 0 ]; then
_v2_add_caveat "BHI status unknown (kernel may lack BHI mitigation)"
fi
fi
# PBRSB check (only matters for VMM hosts)
if [ "$v2_pbrsb_status" = "vulnerable" ]; then
if [ "$g_has_vmm" != 0 ] || [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "PBRSB-eIBRS vulnerable"
fi
fi
# AutoIBRS: needs explicit STIBP (does NOT provide implicit cross-thread protection)
if [ "$v2_is_autoibrs" = 1 ] && [ "$smt_enabled" = 0 ]; then
if [ "$v2_stibp_status" = "disabled" ] || [ "$v2_stibp_status" = "unavailable" ]; then
_v2_ok=0
_v2_add_caveat "STIBP not active with SMT on AMD AutoIBRS"
fi
fi
# Vulnerable module check
if [ "$v2_vuln_module" = 1 ]; then
_v2_add_caveat "non-retpoline module loaded"
fi
# Paranoid mode
if [ "$opt_paranoid" = 1 ]; then
if [ "$v2_ibpb_mode" != "always-on" ]; then
_v2_ok=0
_v2_add_caveat "IBPB not always-on"
fi
if [ "$smt_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "SMT enabled"
fi
fi
# eBPF caveat: eIBRS without retpoline is insufficient when unprivileged eBPF is enabled
_ebpf_disabled=''
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
# shellcheck disable=SC2154
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
g_mocked=1
elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
fi
# In paranoid mode, enabled unprivileged eBPF makes eIBRS insufficient
if [ "$_v2_ok" = 1 ] && [ "$_ebpf_disabled" = 0 ] && [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "unprivileged eBPF enabled (eIBRS insufficient)"
fi
fi
# Build the base description
case "$v2_base_mode" in
eibrs) _v2_desc="Enhanced / Automatic IBRS" ;;
eibrs_lfence) _v2_desc="Enhanced / Automatic IBRS + LFENCE" ;;
eibrs_retpoline) _v2_desc="Enhanced / Automatic IBRS + Retpolines" ;;
esac
if [ "$_v2_ok" = 1 ]; then
if [ -n "$_v2_caveats" ]; then
pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability ($_v2_caveats)"
else
pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability"
fi
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
pr_info " NOTE: eIBRS is considered vulnerable by the kernel when unprivileged eBPF is enabled."
if [ "$_ebpf_disabled" = 0 ]; then
pr_info " Unprivileged eBPF is currently ENABLED (kernel.unprivileged_bpf_disabled=0): this system may be vulnerable!"
elif [ "$_ebpf_disabled" = 1 ] || [ "$_ebpf_disabled" = 2 ]; then
pr_info " Unprivileged eBPF is currently disabled (kernel.unprivileged_bpf_disabled=$_ebpf_disabled): eIBRS is sufficient."
else
pr_info " Could not read kernel.unprivileged_bpf_disabled, check it manually with \`sysctl kernel.unprivileged_bpf_disabled\`."
fi
fi
else
pvulnstatus "$cve" VULN "$_v2_desc active but insufficient: $_v2_caveats"
explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. If unprivileged eBPF is enabled, disable it with \`sysctl -w kernel.unprivileged_bpf_disabled=1\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on."
fi
# Kernel IBRS path
elif [ "$v2_base_mode" = "ibrs" ]; then
_v2_caveats=''
_v2_ok=1
# IBRS needs IBPB for cross-process protection
if [ "$v2_ibpb_mode" = "disabled" ]; then
_v2_ok=0
_v2_add_caveat "IBPB disabled"
fi
# IBRS needs STIBP or SMT-off for cross-thread protection
if [ "$smt_enabled" = 0 ] && { [ "$v2_stibp_status" = "disabled" ] || [ "$v2_stibp_status" = "unavailable" ]; }; then
_v2_ok=0
_v2_add_caveat "STIBP not active with SMT enabled"
fi
# RSB filling on Skylake+
if is_vulnerable_to_empty_rsb && [ "$rsb_filling" != 1 ]; then
_v2_ok=0
_v2_add_caveat "RSB filling missing on Skylake+"
fi
# BHI check
if [ "$v2_bhi_status" = "vulnerable" ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable"
elif [ "$v2_bhi_status" = "unknown" ] && is_intel && [ "$cap_bhi" = 0 ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, no kernel mitigation detected)"
fi
# Vulnerable module check
if [ "$v2_vuln_module" = 1 ]; then
_v2_add_caveat "non-retpoline module loaded"
fi
# Paranoid mode
if [ "$opt_paranoid" = 1 ]; then
if [ "$v2_ibpb_mode" != "always-on" ]; then
_v2_ok=0
_v2_add_caveat "IBPB not always-on"
fi
if [ "$smt_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "SMT enabled"
fi
fi
if [ "$_v2_ok" = 1 ]; then
pvulnstatus "$cve" OK "IBRS mitigates the vulnerability"
else
pvulnstatus "$cve" VULN "IBRS active but insufficient: $_v2_caveats"
explain "Your system uses kernel IBRS but has gaps: $_v2_caveats. Ensure IBPB is enabled (spectre_v2_user=on or spectre_v2_user=prctl,ibpb). If STIBP is disabled with SMT, add spectre_v2_user=on or disable SMT with \`nosmt\`. If RSB filling is missing, update the kernel. If BHI is vulnerable, update kernel/microcode for BHI mitigation."
fi
# Retpoline path
elif [ "$v2_base_mode" = "retpoline" ]; then
_v2_caveats=''
_v2_ok=1
# Retpoline compiler check
if [ "$retpoline_compiler" = 0 ]; then
_v2_ok=0
_v2_add_caveat "not compiled with retpoline-aware compiler"
fi
# Red Hat runtime disable check
if [ "$retp_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "retpoline disabled at runtime"
fi
# RSB filling on Skylake+ (empty RSB falls back to BTB)
if is_vulnerable_to_empty_rsb && [ "$rsb_filling" != 1 ]; then
_v2_ok=0
_v2_add_caveat "RSB filling missing on Skylake+"
fi
# BHI: retpoline only mitigates BHI if RRSBA is disabled
if [ "$v2_bhi_status" = "vulnerable" ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable"
elif [ "$v2_bhi_status" = "unknown" ] && is_intel; then
if [ "$cap_bhi" = 0 ] && [ "$cap_rrsba" = 1 ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, RRSBA bypasses retpoline)"
elif [ "$cap_rrsba" = 1 ]; then
_v2_add_caveat "BHI status unknown with RRSBA"
fi
fi
# Vulnerable module
if [ "$v2_vuln_module" = 1 ]; then
_v2_ok=0
_v2_add_caveat "non-retpoline module loaded"
fi
# IBPB check: retpoline without IBPB is weaker
if [ "$v2_ibpb_mode" = "disabled" ] || { [ -z "$g_ibpb_enabled" ] || [ "$g_ibpb_enabled" = 0 ]; }; then
if [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "IBPB disabled"
else
_v2_add_caveat "IBPB disabled (recommended)"
fi
fi
# Paranoid mode: require SMT off, IBPB always-on
if [ "$opt_paranoid" = 1 ]; then
if [ "$v2_ibpb_mode" != "always-on" ] && [ "$v2_ibpb_mode" != "disabled" ]; then
_v2_ok=0
_v2_add_caveat "IBPB not always-on"
fi
if [ "$smt_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "SMT enabled"
fi
fi
if [ "$_v2_ok" = 1 ]; then
if [ -n "$_v2_caveats" ]; then
pvulnstatus "$cve" OK "Retpolines mitigate the vulnerability ($_v2_caveats)"
if echo "$_v2_caveats" | grep -q 'IBPB'; then
if [ -n "$cap_ibpb" ]; then
pr_warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation"
else
pr_warn "IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it"
fi
fi
else
pvulnstatus "$cve" OK "Retpolines + IBPB mitigate the vulnerability"
fi
else
pvulnstatus "$cve" VULN "Retpoline active but insufficient: $_v2_caveats"
explain "Your system uses retpoline but has gaps: $_v2_caveats. Ensure the kernel was compiled with a retpoline-aware compiler. Enable IBPB (spectre_v2_user=on). If RSB filling is missing on Skylake+, update the kernel. If BHI is vulnerable, update kernel/microcode. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\`."
fi
# Legacy fallback: IBRS+IBPB from debugfs on old systems without sysfs
elif [ -n "$g_ibrs_enabled" ] && [ "$g_ibrs_enabled" -ge 1 ] 2>/dev/null && [ -n "$g_ibpb_enabled" ] && [ "$g_ibpb_enabled" -ge 1 ] 2>/dev/null; then
if [ "$g_ibrs_enabled" = 4 ]; then
pvulnstatus "$cve" OK "Enhanced IBRS + IBPB are mitigating the vulnerability"
else
pvulnstatus "$cve" OK "IBRS + IBPB are mitigating the vulnerability"
fi
elif [ "$g_ibpb_enabled" = 2 ] && [ "$smt_enabled" != 0 ]; then
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
# Offline mode fallback
elif [ "$opt_live" != 1 ]; then
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then
pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS"
elif [ "$g_ibrs_can_tell" != 1 ]; then
pvulnstatus "$cve" UNK "offline mode: not enough information"
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
fi
fi
# Catch-all: if no verdict was reached above, it's VULN
if [ "$g_pvulnstatus_last_cve" != "$cve" ]; then
if is_intel || is_amd || is_hygon; then
pvulnstatus "$cve" VULN "Your CPU is affected and no sufficient mitigation was detected"
explain "To mitigate this vulnerability, you need one of: (1) Enhanced IBRS / Automatic IBRS (eIBRS) -- requires CPU microcode support; preferred for modern CPUs. (2) Kernel IBRS (spectre_v2=ibrs) + IBPB -- requires IBRS-capable microcode. (3) Retpoline (spectre_v2=retpoline) + IBPB -- requires a retpoline-aware compiler and IBPB-capable microcode. For Skylake+ CPUs, options 1 or 2 are preferred as retpoline needs RSB filling. Update your kernel and CPU microcode to the latest versions."
else
if [ "$sys_interface_available" = 1 ]; then
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
else
pvulnstatus "$cve" VULN "no known mitigation exists for your CPU vendor ($cpu_vendor)"
fi
fi
fi
else
# --sysfs-only: Phase 2 variables are unset, fall back to the
# raw sysfs result (status + fullmsg were set in Phase 1).
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
# msg was explicitly set by the "sysfs not available" elif above.
pvulnstatus "$cve" "$status" "$msg"
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$g_ibpb_enabled" ] && [ "$g_ibpb_enabled" -ge 1 ] && (! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ]); then
pvulnstatus "$cve" OK "Full retpoline + IBPB are mitigating the vulnerability"
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && (! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ]); then
pvulnstatus "$cve" OK "Full retpoline is mitigating the vulnerability"
if [ -n "$cap_ibpb" ]; then
pr_warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation"
else
pr_warn "IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it"
fi
elif [ -n "$g_ibrs_enabled" ] && [ -n "$g_ibpb_enabled" ] && [ "$g_ibrs_enabled" -ge 1 ] && [ "$g_ibpb_enabled" -ge 1 ]; then
if [ "$g_ibrs_enabled" = 4 ]; then
pvulnstatus "$cve" OK "Enhanced IBRS + IBPB are mitigating the vulnerability"
else
pvulnstatus "$cve" OK "IBRS + IBPB are mitigating the vulnerability"
fi
elif [ "$g_ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
elif [ -n "$bp_harden" ]; then
pvulnstatus "$cve" OK "Branch predictor hardening mitigates the vulnerability"
elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then
pvulnstatus "$cve" VULN "Branch predictor hardening is needed to mitigate the vulnerability"
explain "Your kernel has not been compiled with the CONFIG_UNMAP_KERNEL_AT_EL0 option, recompile it with this option enabled."
elif [ "$opt_live" != 1 ]; then
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
elif [ "$g_ibrs_can_tell" != 1 ]; then
pvulnstatus "$cve" UNK "offline mode: not enough information"
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
fi
fi
# if we arrive here and didn't already call pvulnstatus, then it's VULN, let's explain why
if [ "$g_pvulnstatus_last_cve" != "$cve" ]; then
# explain what's needed for this CPU
if is_vulnerable_to_empty_rsb; then
pvulnstatus "$cve" VULN "IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability"
explain "To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. You also need a recent-enough kernel that supports RSB filling if you plan to use retpoline. For Skylake+ CPUs, the IBRS + IBPB approach is generally preferred as it guarantees complete protection, and the performance impact is not as high as with older CPUs in comparison with retpoline. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches."
elif is_zen_cpu || is_moksha_cpu; then
pvulnstatus "$cve" VULN "retpoline+IBPB is needed to mitigate the vulnerability"
explain "To mitigate this vulnerability, You need a kernel compiled with retpoline + IBPB support, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode."
elif is_intel || is_amd || is_hygon; then
pvulnstatus "$cve" VULN "IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability"
explain "To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches."
else
# in that case, we might want to trust sysfs if it's there
if [ -n "$msg" ]; then
[ "$msg" = Vulnerable ] && msg="no known mitigation exists for your CPU vendor ($cpu_vendor)"
pvulnstatus "$cve" "$status" "$msg"
else
pvulnstatus "$cve" VULN "no known mitigation exists for your CPU vendor ($cpu_vendor)"
fi
fi
fi
# if we are in live mode, we can check for a lot more stuff and explain further
if [ "$opt_live" = 1 ] && [ "$vulnstatus" != "OK" ]; then
explain_hypervisor="An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under a hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix."
# IBPB (amd & intel)
if { [ -z "$g_ibpb_enabled" ] || [ "$g_ibpb_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
if [ -z "$cap_ibpb" ]; then
explain "The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $explain_hypervisor"
fi
if [ -z "$g_ibpb_supported" ]; then
explain "Your kernel doesn't have IBPB support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel."
fi
if [ -n "$cap_ibpb" ] && [ -n "$g_ibpb_supported" ]; then
if [ -e "$g_specex_knob_dir/g_ibpb_enabled" ]; then
# newer (April 2018) Red Hat kernels have g_ibpb_enabled as ro, and automatically enables it with retpoline
if [ ! -w "$g_specex_knob_dir/g_ibpb_enabled" ] && [ -e "$g_specex_knob_dir/retp_enabled" ]; then
explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You kernel should enable IBPB automatically if you enable retpoline. You may enable it with \`echo 1 > $g_specex_knob_dir/retp_enabled\`."
else
explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it with \`echo 1 > $g_specex_knob_dir/g_ibpb_enabled\`."
fi
else
explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this."
fi
fi
elif [ "$g_ibpb_enabled" = 2 ] && is_cpu_smt_enabled; then
explain "You have g_ibpb_enabled set to 2, but it only offers sufficient protection when simultaneous multi-threading (aka SMT or HyperThreading) is disabled. You should reboot your system with the kernel parameter \`nosmt\`."
fi
# /IBPB
# IBRS (amd & intel)
if { [ -z "$g_ibrs_enabled" ] || [ "$g_ibrs_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
if [ -z "$cap_ibrs" ]; then
explain "The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $explain_hypervisor"
fi
if [ -z "$g_ibrs_supported" ]; then
explain "Your kernel doesn't have IBRS support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel."
fi
if [ -n "$cap_ibrs" ] && [ -n "$g_ibrs_supported" ]; then
if [ -e "$g_specex_knob_dir/g_ibrs_enabled" ]; then
explain "Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it with \`echo 1 > $g_specex_knob_dir/g_ibrs_enabled\`."
else
explain "Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this."
fi
fi
fi
# /IBRS
unset explain_hypervisor
# RETPOLINE (amd & intel &hygon )
if is_amd || is_intel || is_hygon; then
if [ "$retpoline" = 0 ]; then
explain "Your kernel is not compiled with retpoline support, so you need to either upgrade your kernel (if you're using a distro) or recompile your kernel with the CONFIG_MITIGATION_RETPOLINE option enabled (was named CONFIG_RETPOLINE before kernel 6.9-rc1). You also need to compile your kernel with a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware)."
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 0 ]; then
explain "Your kernel is compiled with retpoline, but without a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware)."
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" = 0 ]; then
explain "Your kernel has retpoline support and has been compiled with a retpoline-aware compiler, but retpoline is disabled. You should enable it with \`echo 1 > $g_specex_knob_dir/retp_enabled\`."
fi
fi
# /RETPOLINE
fi
fi
# sysfs msgs:
#1 "Vulnerable"
#2 "Vulnerable: Minimal generic ASM retpoline"
#2 "Vulnerable: Minimal AMD ASM retpoline"
# "Mitigation: Full generic retpoline"
# "Mitigation: Full AMD retpoline"
# $MITIGATION + ", IBPB"
# $MITIGATION + ", IBRS_FW"
#5 $MITIGATION + " - vulnerable module loaded"
# Red Hat only:
#2 "Vulnerable: Minimal ASM retpoline",
#3 "Vulnerable: Retpoline without IBPB",
#4 "Vulnerable: Retpoline on Skylake+",
#5 "Vulnerable: Retpoline with unsafe module(s)",
# "Mitigation: Full retpoline",
# "Mitigation: Full retpoline and IBRS (user space)",
# "Mitigation: IBRS (kernel)",
# "Mitigation: IBRS (kernel and user space)",
# "Mitigation: IBP disabled",
}
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - BSD mitigation check
# Sets: vulnstatus
check_CVE_2017_5715_bsd() {
local ibrs_disabled ibrs_active retpoline nb_thunks
pr_info "* Mitigation 1"
src/vulns/CVE-2017-5753.sh
+97 -151
View File
@@ -3,15 +3,13 @@
# SPECTRE 1 SECTION
# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - entry point
# Sets: (none directly, delegates to check_cve)
check_CVE_2017_5753() {
check_cve 'CVE-2017-5753'
}
# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - Linux mitigation check
# Sets: g_redhat_canonical_spectre (via check_redhat_canonical_spectre)
check_CVE_2017_5753_linux() {
local status sys_interface_available msg v1_kernel_mitigated v1_kernel_mitigated_err v1_mask_nospec ret explain_text
local status sys_interface_available msg v1_mask_nospec nb_lfence v1_lfence ret explain_text
status=UNK
sys_interface_available=0
msg=''
@@ -21,140 +19,62 @@ check_CVE_2017_5753_linux() {
# modifying the vulnerabilities/spectre_v1 file. that's bad. we can't trust it when it says Vulnerable :(
# see "silent backport" detection at the bottom of this func
sys_interface_available=1
#
# Complete sysfs message inventory for spectre_v1, traced via git blame:
#
# all versions:
# "Not affected" (cpu_show_common, pre-existing)
#
# --- x86 mainline ---
# 61dc0f555b5c (v4.15, initial spectre_v1 sysfs):
# "Vulnerable"
# edfbae53dab8 (v4.16, report get_user mitigation):
# "Mitigation: __user pointer sanitization"
# a2059825986a (v5.3, swapgs awareness via spectre_v1_strings[]):
# "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers"
# "Mitigation: usercopy/swapgs barriers and __user pointer sanitization"
# ca01c0d8d030 (v6.12, CONFIG_MITIGATION_SPECTRE_V1 controls default):
# same strings as v5.3+
# All stable branches (4.4.y through 6.12.y) have v5.3+ strings backported.
#
# --- x86 RHEL (centos6, centos7 branches) ---
# "Vulnerable: Load fences, __user pointer sanitization and usercopy barriers only; no swapgs barriers"
# "Mitigation: Load fences, usercopy/swapgs barriers and __user pointer sanitization"
#
# --- ARM64 ---
# 3891ebccace1 (v5.2, first arm64 spectre_v1 sysfs, backported to 4.14.y+):
# "Mitigation: __user pointer sanitization" (hardcoded)
# 455697adefdb (v5.10, moved to proton-pack.c):
# same string
# Before v5.2: no sysfs override (generic "Not affected" fallback).
# Actual mitigation (array_index_mask_nospec with CSDB) landed in v4.16.
#
# --- ARM32 ---
# 9dd78194a372 (v5.17+):
# "Mitigation: __user pointer sanitization" (hardcoded)
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
# no /sys interface (or offline mode), fallback to our own ways
# Primary detection: grep for sysfs mitigation strings in the kernel binary.
# The string "__user pointer sanitization" is present in all kernel versions
# that have spectre_v1 sysfs support (x86 v4.16+, ARM64 v5.2+, ARM32 v5.17+),
# including RHEL "Load fences" variants. This is cheap and works offline.
pr_info_nol "* Kernel has spectre_v1 mitigation (kernel image): "
v1_kernel_mitigated=''
v1_kernel_mitigated_err=''
pr_info_nol "* Kernel has array_index_mask_nospec: "
# vanilla: look for the Linus' mask aka array_index_mask_nospec()
# that is inlined at least in raw_copy_from_user (__get_user_X symbols)
#mov PER_CPU_VAR(current_task), %_ASM_DX
#cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
#jae bad_get_user
# /* array_index_mask_nospec() are the 2 opcodes that follow */
#+sbb %_ASM_DX, %_ASM_DX
#+and %_ASM_DX, %_ASM_AX
#ASM_STAC
# x86 64bits: jae(0x0f 0x83 0x?? 0x?? 0x?? 0x??) sbb(0x48 0x19 0xd2) and(0x48 0x21 0xd0)
# x86 32bits: cmp(0x3b 0x82 0x?? 0x?? 0x00 0x00) jae(0x73 0x??) sbb(0x19 0xd2) and(0x21 0xd0)
#
# arm32
##ifdef CONFIG_THUMB2_KERNEL
##define CSDB ".inst.w 0xf3af8014"
##else
##define CSDB ".inst 0xe320f014" e320f014
##endif
#asm volatile(
# "cmp %1, %2\n" e1500003
#" sbc %0, %1, %1\n" e0c03000
#CSDB
#: "=r" (mask)
#: "r" (idx), "Ir" (sz)
#: "cc");
#
# http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?h=spectre&id=a78d156587931a2c3b354534aa772febf6c9e855
v1_mask_nospec=''
if [ -n "$g_kernel_err" ]; then
v1_kernel_mitigated_err="$g_kernel_err"
elif grep -q '__user pointer sanitization' "$g_kernel"; then
if grep -q 'usercopy/swapgs barriers' "$g_kernel"; then
v1_kernel_mitigated="usercopy/swapgs barriers and target sanitization"
elif grep -q 'Load fences' "$g_kernel"; then
v1_kernel_mitigated="RHEL Load fences mitigation"
else
v1_kernel_mitigated="__user pointer sanitization"
fi
fi
if [ -z "$v1_kernel_mitigated" ] && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_SPECTRE_V1=y' "$opt_config"; then
v1_kernel_mitigated="CONFIG_MITIGATION_SPECTRE_V1 found in kernel config"
fi
fi
if [ -z "$v1_kernel_mitigated" ] && [ -n "$opt_map" ]; then
if grep -q 'spectre_v1_select_mitigation' "$opt_map"; then
v1_kernel_mitigated="found spectre_v1_select_mitigation in System.map"
fi
fi
if [ -n "$v1_kernel_mitigated" ]; then
pstatus green YES "$v1_kernel_mitigated"
elif [ -n "$v1_kernel_mitigated_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($v1_kernel_mitigated_err)"
pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
elif ! command -v perl >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
else
pstatus yellow NO
fi
# Fallback for v4.15-era kernels: binary pattern matching for array_index_mask_nospec().
# The sysfs mitigation strings were not present in the kernel image until v4.16 (x86)
# and v5.2 (ARM64), but the actual mitigation code landed in v4.15 (x86) and v4.16 (ARM64).
# For offline analysis of these old kernels, match the specific instruction patterns.
if [ -z "$v1_kernel_mitigated" ]; then
pr_info_nol "* Kernel has array_index_mask_nospec (v4.15 binary pattern): "
# vanilla: look for the Linus' mask aka array_index_mask_nospec()
# that is inlined at least in raw_copy_from_user (__get_user_X symbols)
#mov PER_CPU_VAR(current_task), %_ASM_DX
#cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
#jae bad_get_user
# /* array_index_mask_nospec() are the 2 opcodes that follow */
#+sbb %_ASM_DX, %_ASM_DX
#+and %_ASM_DX, %_ASM_AX
#ASM_STAC
# x86 64bits: jae(0x0f 0x83 0x?? 0x?? 0x?? 0x??) sbb(0x48 0x19 0xd2) and(0x48 0x21 0xd0)
# x86 32bits: cmp(0x3b 0x82 0x?? 0x?? 0x00 0x00) jae(0x73 0x??) sbb(0x19 0xd2) and(0x21 0xd0)
#
# arm32
##ifdef CONFIG_THUMB2_KERNEL
##define CSDB ".inst.w 0xf3af8014"
##else
##define CSDB ".inst 0xe320f014" e320f014
##endif
#asm volatile(
# "cmp %1, %2\n" e1500003
#" sbc %0, %1, %1\n" e0c03000
#CSDB
#: "=r" (mask)
#: "r" (idx), "Ir" (sz)
#: "cc");
#
# http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?h=spectre&id=a78d156587931a2c3b354534aa772febf6c9e855
v1_mask_nospec=''
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
elif ! command -v perl >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$g_kernel"
ret=$?
if [ "$ret" -gt 0 ]; then
pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
v1_mask_nospec="x86 64 bits array_index_mask_nospec"
else
perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found ? 0 : 1) }' "$g_kernel"
perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$g_kernel"
ret=$?
if [ "$ret" -eq 0 ]; then
pstatus green YES "x86 64 bits array_index_mask_nospec()"
v1_mask_nospec="x86 64 bits array_index_mask_nospec"
if [ "$ret" -gt 0 ]; then
pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
v1_mask_nospec="x86 32 bits array_index_mask_nospec"
else
perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found ? 0 : 1) }' "$g_kernel"
ret=$?
if [ "$ret" -eq 0 ]; then
pstatus green YES "x86 32 bits array_index_mask_nospec()"
v1_mask_nospec="x86 32 bits array_index_mask_nospec"
ret=$("${opt_arch_prefix}objdump" "$g_objdump_options" "$g_kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
if [ "$ret" -gt 0 ]; then
pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
v1_mask_nospec="arm 32 bits array_index_mask_nospec"
else
ret=$("${opt_arch_prefix}objdump" "$g_objdump_options" "$g_kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
if [ "$ret" -gt 0 ]; then
pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
v1_mask_nospec="arm 32 bits array_index_mask_nospec"
else
pstatus yellow NO
fi
pstatus yellow NO
fi
fi
fi
@@ -188,8 +108,8 @@ check_CVE_2017_5753_linux() {
#ffffff8008082e50: d503229f hint #0x14
# /!\ can also just be "csdb" instead of "hint #0x14" for native objdump
#
# if we already have a detection, don't bother disassembling the kernel, the answer is no.
if [ -n "$v1_kernel_mitigated" ] || [ -n "$v1_mask_nospec" ] || [ "$g_redhat_canonical_spectre" -gt 0 ]; then
# if we have v1_mask_nospec or g_redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no.
if [ -n "$v1_mask_nospec" ] || [ "$g_redhat_canonical_spectre" -gt 0 ]; then
pstatus yellow NO
elif [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
@@ -216,8 +136,8 @@ check_CVE_2017_5753_linux() {
# ffffff8008090a58: d503229f hint #0x14
# /!\ can also just be "csdb" instead of "hint #0x14" for native objdump
#
# if we already have a detection, don't bother disassembling the kernel, the answer is no.
if [ -n "$v1_kernel_mitigated" ] || [ -n "$v1_mask_nospec" ] || [ "$g_redhat_canonical_spectre" -gt 0 ]; then
# if we have v1_mask_nospec or g_redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no.
if [ -n "$v1_mask_nospec" ] || [ "$g_redhat_canonical_spectre" -gt 0 ]; then
pstatus yellow NO
elif [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
@@ -226,7 +146,7 @@ check_CVE_2017_5753_linux() {
elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
else
"${opt_arch_prefix}objdump" "$g_objdump_options" "$g_kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'
"${opt_arch_prefix}objdump" -d "$g_kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'
ret=$?
if [ "$ret" -eq 9 ]; then
pstatus green YES "array_index_nospec macro is present and used"
@@ -236,7 +156,36 @@ check_CVE_2017_5753_linux() {
fi
fi
elif [ "$sys_interface_available" = 0 ]; then
if [ "$opt_verbose" -ge 2 ] || { [ -z "$v1_mask_nospec" ] && [ "$g_redhat_canonical_spectre" != 1 ] && [ "$g_redhat_canonical_spectre" != 2 ]; }; then
# this is a slow heuristic and we don't need it if we already know the kernel is patched
# but still show it in verbose mode
pr_info_nol "* Checking count of LFENCE instructions following a jump in kernel... "
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
else
if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
else
# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
# in non-patched kernels, this has been empirically determined as being around 40-50
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
# so let's push the threshold to 70.
# v0.33+: now only count lfence opcodes after a jump, way less error-prone
# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
nb_lfence=$("${opt_arch_prefix}objdump" "$g_objdump_options" "$g_kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
if [ "$nb_lfence" -lt 30 ]; then
pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
else
v1_lfence=1
pstatus green YES "$nb_lfence jump-then-lfence instructions found, which is >= 30 (heuristic)"
fi
fi
fi
fi
else
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
@@ -247,26 +196,22 @@ check_CVE_2017_5753_linux() {
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
if [ -n "$v1_kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability ($v1_kernel_mitigated)"
elif [ -n "$v1_mask_nospec" ]; then
pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability ($v1_mask_nospec)"
elif [ "$g_redhat_canonical_spectre" = 1 ] || [ "$g_redhat_canonical_spectre" = 2 ]; then
pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability (Red Hat/Ubuntu patch)"
elif [ -n "$g_kernel_err" ]; then
pvulnstatus "$cve" UNK "Couldn't find kernel image or tools missing to execute the checks"
explain "Re-run this script with root privileges, after installing the missing tools indicated above"
else
pvulnstatus "$cve" VULN "Kernel source needs to be patched to mitigate the vulnerability"
explain "Your kernel is too old to have the mitigation for Variant 1, you should upgrade to a newer kernel. If you're using a Linux distro and didn't compile the kernel yourself, you should upgrade your distro to get a newer kernel."
fi
if [ -n "$v1_mask_nospec" ]; then
pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability ($v1_mask_nospec)"
elif [ "$g_redhat_canonical_spectre" = 1 ] || [ "$g_redhat_canonical_spectre" = 2 ]; then
pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability (Red Hat/Ubuntu patch)"
elif [ "$v1_lfence" = 1 ]; then
pvulnstatus "$cve" OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic)"
elif [ -n "$g_kernel_err" ]; then
pvulnstatus "$cve" UNK "Couldn't find kernel image or tools missing to execute the checks"
explain "Re-run this script with root privileges, after installing the missing tools indicated above"
else
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
pvulnstatus "$cve" VULN "Kernel source needs to be patched to mitigate the vulnerability"
explain "Your kernel is too old to have the mitigation for Variant 1, you should upgrade to a newer kernel. If you're using a Linux distro and didn't compile the kernel yourself, you should upgrade your distro to get a newer kernel."
fi
else
if [ "$msg" = "Vulnerable" ] && { [ -n "$v1_kernel_mitigated" ] || [ -n "$v1_mask_nospec" ]; }; then
pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability (silent backport of spectre_v1 mitigation)"
if [ "$msg" = "Vulnerable" ] && [ -n "$v1_mask_nospec" ]; then
pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability (silent backport of array_index_mask_nospec)"
else
if [ "$msg" = "Vulnerable" ]; then
msg="Kernel source needs to be patched to mitigate the vulnerability"
@@ -282,8 +227,9 @@ check_CVE_2017_5753_linux() {
# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - BSD mitigation check
check_CVE_2017_5753_bsd() {
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
pvulnstatus "$cve" VULN "no mitigation for BSD yet"
fi
}
src/vulns/CVE-2018-12207.sh
+8 -14
View File
@@ -64,23 +64,17 @@ check_CVE_2018_12207_linux() {
pvulnstatus "$cve" OK "this system is not running a hypervisor"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
else
if [ -n "$kernel_itlbmh" ]; then
pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
else
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
fi
fi
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
else
# --sysfs-only: sysfs was available (otherwise msg would be set), use its result
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
if [ -n "$kernel_itlbmh" ]; then
pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
else
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
fi
fi
else
# msg was set explicitly: either sysfs-not-available error, or a sysfs override
pvulnstatus "$cve" "$status" "$msg"
fi
}
src/vulns/CVE-2018-3620.sh
+5 -12
View File
@@ -14,7 +14,6 @@ check_CVE_2018_3620_linux() {
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
msg=$ret_sys_interface_check_fullmsg
fi
if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports PTE inversion: "
@@ -63,22 +62,16 @@ check_CVE_2018_3620_linux() {
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$pteinv_supported" = 1 ]; then
if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
else
pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
fi
if [ "$pteinv_supported" = 1 ]; then
if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
else
pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
fi
else
# --sysfs-only: sysfs was available (otherwise msg would be set), use its result
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
fi
else
# msg was set explicitly: either sysfs-not-available error, or a sysfs override
pvulnstatus "$cve" "$status" "$msg"
fi
}
src/vulns/CVE-2018-3646.sh
+30 -85
View File
@@ -13,53 +13,6 @@ check_CVE_2018_3646_linux() {
if sys_interface_check "$VULN_SYSFS_BASE/l1tf" '.*' quiet; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
# quiet mode doesn't set ret_sys_interface_check_status, derive it ourselves.
#
# Complete sysfs message inventory for l1tf, traced via git blame
# on mainline (~/linux) and stable (~/linux-stable):
#
# all versions:
# "Not affected" (cpu_show_common, d1059518b4789)
# "Vulnerable" (cpu_show_common fallthrough, d1059518b4789)
#
# --- mainline ---
# 17dbca119312 (v4.18-rc1, initial l1tf sysfs):
# "Mitigation: Page Table Inversion"
# 72c6d2db64fa (v4.18-rc1, renamed + added VMX reporting):
# "Mitigation: PTE Inversion" (no KVM_INTEL, or VMX=AUTO)
# "Mitigation: PTE Inversion; VMX: SMT <smt>, L1D <flush>" (KVM_INTEL enabled)
# <flush>: auto | vulnerable | conditional cache flushes | cache flushes
# a7b9020b06ec (v4.18-rc1, added EPT disabled state):
# <flush>: + EPT disabled
# ea156d192f52 (v4.18-rc7, reordered VMX/SMT fields):
# "Mitigation: PTE Inversion; VMX: EPT disabled" (no SMT part)
# "Mitigation: PTE Inversion; VMX: vulnerable" (NEVER + SMT active, no SMT part)
# "Mitigation: PTE Inversion; VMX: <flush>, SMT <smt>" (all other cases)
# 8e0b2b916662 (v4.18, added flush not necessary):
# <flush>: + flush not necessary
# 130d6f946f6f (v4.20-rc4, no string change):
# SMT detection changed from cpu_smt_control to sched_smt_active()
#
# --- stable backports ---
# 4.4.y: no VMX reporting (only "PTE Inversion" / "Vulnerable" / "Not affected").
# initially backported as "Page Table Inversion" (bf0cca01b873),
# renamed to "PTE Inversion" in stable-only commit 6db8c0882912 (May 2019).
# 4.9.y, 4.14.y: full VMX reporting, post-reorder format.
# the pre-reorder format ("SMT <smt>, L1D <flush>") and the post-reorder
# format ("VMX: <flush>, SMT <smt>") landed in the same stable release
# (4.9.120, 4.14.63), so no stable release ever shipped the pre-reorder format.
# sched_smt_active() backported (same strings, different runtime behavior).
# 4.17.y, 4.18.y: full VMX reporting, post-reorder format.
# still uses cpu_smt_control (sched_smt_active() not backported to these EOL branches).
#
# <smt> is one of: vulnerable | disabled
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
if echo "$ret_sys_interface_check_fullmsg" | grep -qEi '^(Not affected|Mitigation)'; then
status=OK
elif echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Vulnerable'; then
status=VULN
fi
fi
l1d_mode=-1
if [ "$opt_sysfs_only" != 1 ]; then
@@ -189,48 +142,40 @@ check_CVE_2018_3646_linux() {
elif [ "$ret_sys_interface_check_fullmsg" = "Not affected" ]; then
# just in case a very recent kernel knows better than we do
pvulnstatus "$cve" OK "your kernel reported your CPU model as not affected"
elif [ -z "$msg" ]; then
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$g_has_vmm" = 0 ]; then
pvulnstatus "$cve" OK "this system is not running a hypervisor"
elif [ "$ept_disabled" = 1 ]; then
pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
elif [ "$opt_paranoid" = 0 ]; then
if [ "$l1d_mode" -ge 1 ]; then
pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
else
pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
fi
elif [ "$g_has_vmm" = 0 ]; then
pvulnstatus "$cve" OK "this system is not running a hypervisor"
else
if [ "$ept_disabled" = 1 ]; then
pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
elif [ "$opt_paranoid" = 0 ]; then
if [ "$l1d_mode" -ge 1 ]; then
pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
else
if [ "$l1d_mode" -ge 2 ]; then
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
else
pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
fi
else
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
else
pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
fi
fi
fi
if [ "$l1d_mode" -gt 3 ]; then
pr_warn
pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
pr_warn
pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
fi
else
# --sysfs-only: sysfs was available (otherwise msg would be set), use its result
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
if [ "$l1d_mode" -ge 2 ]; then
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
else
pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
fi
else
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
else
pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
fi
fi
fi
if [ "$l1d_mode" -gt 3 ]; then
pr_warn
pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
pr_warn
pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
fi
else
# msg was set explicitly: either sysfs-not-available error, or a sysfs override
pvulnstatus "$cve" "$status" "$msg"
fi
}
src/vulns/CVE-2019-11135.sh
+2 -49
View File
@@ -87,57 +87,10 @@ check_CVE_2019_11135_linux() {
# CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check
check_CVE_2019_11135_bsd() {
local taa_enable taa_state mds_disable kernel_taa kernel_mds
pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): "
taa_enable=$(sysctl -n machdep.mitigations.taa.enable 2>/dev/null)
if [ -n "$taa_enable" ]; then
kernel_taa=1
case "$taa_enable" in
0) pstatus yellow YES "disabled" ;;
1) pstatus green YES "TSX disabled via MSR" ;;
2) pstatus green YES "VERW mitigation" ;;
3) pstatus green YES "auto" ;;
*) pstatus yellow YES "unknown value: $taa_enable" ;;
esac
else
kernel_taa=0
pstatus yellow NO
fi
pr_info_nol "* TAA mitigation state: "
taa_state=$(sysctl -n machdep.mitigations.taa.state 2>/dev/null)
if [ -n "$taa_state" ]; then
if echo "$taa_state" | grep -qi 'not.affected\|mitigation'; then
pstatus green YES "$taa_state"
else
pstatus yellow NO "$taa_state"
fi
else
# fallback: TAA is also mitigated by MDS VERW if enabled
mds_disable=$(sysctl -n hw.mds_disable 2>/dev/null)
if [ -z "$mds_disable" ]; then
mds_disable=$(sysctl -n machdep.mitigations.mds.disable 2>/dev/null)
fi
if [ -n "$mds_disable" ] && [ "$mds_disable" != 0 ]; then
kernel_mds=1
pstatus green YES "MDS VERW mitigation active (also covers TAA)"
else
kernel_mds=0
pstatus yellow NO "no TAA or MDS sysctl found"
fi
fi
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ "$kernel_taa" = 1 ] && [ "$taa_enable" != 0 ]; then
pvulnstatus "$cve" OK "TAA mitigation is enabled"
elif [ "$kernel_mds" = 1 ]; then
pvulnstatus "$cve" OK "MDS VERW mitigation is active and also covers TAA"
elif [ "$kernel_taa" = 1 ] && [ "$taa_enable" = 0 ]; then
pvulnstatus "$cve" VULN "TAA mitigation is supported but disabled"
explain "To enable TAA mitigation, run \`sysctl machdep.mitigations.taa.enable=3' for auto mode.\n " \
"To make this persistent, add 'machdep.mitigations.taa.enable=3' to /etc/sysctl.conf."
else
pvulnstatus "$cve" VULN "your kernel doesn't support TAA mitigation, update it"
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
src/vulns/CVE-2020-0543.sh
+2 -35
View File
@@ -105,44 +105,11 @@ check_CVE_2020_0543_linux() {
}
# CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
# FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS
check_CVE_2020_0543_bsd() {
local rngds_enable rngds_state kernel_rngds
pr_info_nol "* Kernel supports SRBDS mitigation (machdep.mitigations.rngds.enable): "
rngds_enable=$(sysctl -n machdep.mitigations.rngds.enable 2>/dev/null)
if [ -n "$rngds_enable" ]; then
kernel_rngds=1
case "$rngds_enable" in
0) pstatus yellow YES "optimized (RDRAND/RDSEED not locked, faster but vulnerable)" ;;
1) pstatus green YES "mitigated" ;;
*) pstatus yellow YES "unknown value: $rngds_enable" ;;
esac
else
kernel_rngds=0
pstatus yellow NO
fi
pr_info_nol "* SRBDS mitigation state: "
rngds_state=$(sysctl -n machdep.mitigations.rngds.state 2>/dev/null)
if [ -n "$rngds_state" ]; then
if echo "$rngds_state" | grep -qi 'not.affected\|mitigat'; then
pstatus green YES "$rngds_state"
else
pstatus yellow NO "$rngds_state"
fi
else
pstatus yellow NO "sysctl not available"
fi
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 1 ]; then
pvulnstatus "$cve" OK "SRBDS mitigation is enabled"
elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 0 ]; then
pvulnstatus "$cve" VULN "SRBDS mitigation is supported but set to optimized mode (disabled for RDRAND/RDSEED)"
explain "To enable full SRBDS mitigation, run \`sysctl machdep.mitigations.rngds.enable=1'.\n " \
"To make this persistent, add 'machdep.mitigations.rngds.enable=1' to /etc/sysctl.conf."
else
pvulnstatus "$cve" VULN "your kernel doesn't support SRBDS mitigation, update it"
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
src/vulns/CVE-2022-40982.sh
-9
View File
@@ -97,12 +97,3 @@ check_CVE_2022_40982_linux() {
pvulnstatus "$cve" "$status" "$msg"
fi
}
# CVE-2022-40982 Downfall (gather data sampling) - BSD mitigation check
check_CVE_2022_40982_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
src/vulns/CVE-2023-20569.sh
+30 -76
View File
@@ -18,15 +18,6 @@ check_CVE_2023_20569_linux() {
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
# kernels before the fix from dc6306ad5b0d (v6.6-rc6, backported to v6.5.6)
# incorrectly reported "Mitigation: safe RET, no microcode" as mitigated,
# when in fact userspace is still vulnerable because IBPB doesn't flush
# branch type predictions without the extending microcode.
# override the sysfs status in that case.
if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Mitigation:.*safe RET.*no microcode'; then
status=VULN
msg="Vulnerable: Safe RET, no microcode (your kernel incorrectly reports this as mitigated, it was fixed in more recent kernels)"
fi
fi
if [ "$opt_sysfs_only" != 1 ]; then
@@ -63,9 +54,9 @@ check_CVE_2023_20569_linux() {
# if it's present, then SRSO is NOT compiled in
pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_SRSO"
else
# if it's not present, then SRSO is compiled in IF kernel_sro is set, otherwise we're just
# if it's not present, then SRSO is compiled in IF kernel_sro==1, otherwise we're just
# in front of an old kernel that doesn't have the mitigation logic at all
if [ -n "$kernel_sro" ]; then
if [ "$kernel_sro" = 1 ]; then
kernel_srso="SRSO mitigation logic is compiled in the kernel"
pstatus green OK "$kernel_srso"
else
@@ -74,21 +65,6 @@ check_CVE_2023_20569_linux() {
fi
fi
# check whether the running kernel has the corrected SRSO reporting
# (dc6306ad5b0d, v6.6-rc6, backported to v6.5.6): kernels with the fix
# contain the string "Vulnerable: Safe RET, no microcode" in their image,
# while older kernels only have "safe RET" (and append ", no microcode" dynamically).
pr_info_nol "* Kernel has accurate SRSO reporting: "
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif grep -q 'Vulnerable: Safe RET, no microcode' "$g_kernel"; then
pstatus green YES
elif [ -n "$kernel_sro" ]; then
pstatus yellow NO "your kernel reports partial SRSO mitigations as fully mitigated, upgrade recommended"
else
pstatus yellow NO "your kernel is too old and doesn't have the SRSO mitigation logic"
fi
pr_info_nol "* Kernel compiled with IBPB_ENTRY support: "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_IBPB_ENTRY: Linux < 6.9
@@ -108,9 +84,9 @@ check_CVE_2023_20569_linux() {
# if it's present, then IBPB_ENTRY is NOT compiled in
pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_IBPB_ENTRY"
else
# if it's not present, then IBPB_ENTRY is compiled in IF kernel_sro is set, otherwise we're just
# if it's not present, then IBPB_ENTRY is compiled in IF kernel_sro==1, otherwise we're just
# in front of an old kernel that doesn't have the mitigation logic at all
if [ -n "$kernel_sro" ]; then
if [ "$kernel_sro" = 1 ]; then
kernel_ibpb_entry="IBPB_ENTRY mitigation logic is compiled in the kernel"
pstatus green OK "$kernel_ibpb_entry"
else
@@ -158,59 +134,37 @@ check_CVE_2023_20569_linux() {
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
# Zen/Zen2
if [ "$cpu_family" = $((0x17)) ]; then
if [ "$smt_enabled" = 0 ]; then
pvulnstatus "$cve" VULN "SMT is enabled on your Zen/Zen2 CPU, which makes mitigation ineffective"
explain "For Zen/Zen2 CPUs, proper mitigation needs an up to date microcode, and SMT needs to be disabled (this can be done by adding \`nosmt\` to your kernel command line)"
elif [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -n "$cap_ibpb" ]; then
pvulnstatus "$cve" OK "SMT is disabled and both your kernel and microcode support mitigation"
else
pvulnstatus "$cve" VULN "Your microcode is too old"
fi
# Zen3/Zen4
elif [ "$cpu_family" = $((0x19)) ]; then
if [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -z "$kernel_srso" ] && [ -z "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" VULN "Your kernel doesn't have either SRSO or IBPB_ENTRY compiled-in"
elif [ "$cap_sbpb" = 3 ]; then
pvulnstatus "$cve" UNK "Couldn't verify if your microcode supports IBPB (rerun with --allow-msr-write)"
elif [ "$cap_sbpb" = 2 ]; then
pvulnstatus "$cve" VULN "Your microcode doesn't support SBPB"
else
pvulnstatus "$cve" OK "Your kernel and microcode both support mitigation"
fi
# if msg is empty, sysfs check didn't fill it, so we rely on our own logic
# Zen/Zen2
if [ "$cpu_family" = $((0x17)) ]; then
if [ "$smt_enabled" = 0 ]; then
pvulnstatus "$cve" VULN "SMT is enabled on your Zen/Zen2 CPU, which makes mitigation ineffective"
explain "For Zen/Zen2 CPUs, proper mitigation needs an up to date microcode, and SMT needs to be disabled (this can be done by adding \`nosmt\` to your kernel command line)"
elif [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -n "$cap_ibpb" ]; then
pvulnstatus "$cve" OK "SMT is disabled and both your kernel and microcode support mitigation"
else
# not supposed to happen, as normally this CPU should not be affected and not run this code
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
pvulnstatus "$cve" VULN "Your microcode is too old"
fi
# Zen3/Zen4
elif [ "$cpu_family" = $((0x19)) ]; then
if [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -z "$kernel_srso" ] && [ -z "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" VULN "Your kernel doesn't have either SRSO or IBPB_ENTRY compiled-in"
elif [ "$cap_sbpb" = 3 ]; then
pvulnstatus "$cve" UNK "Couldn't verify if your microcode supports IBPB (rerun with --allow-msr-write)"
elif [ "$cap_sbpb" = 2 ]; then
pvulnstatus "$cve" VULN "Your microcode doesn't support SBPB"
else
pvulnstatus "$cve" OK "Your kernel and microcode both support mitigation"
fi
else
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
# not supposed to happen, as normally this CPU should not be affected and not run this code
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
fi
else
pvulnstatus "$cve" "$status" "$msg"
if echo "$msg" | grep -qi 'your kernel incorrectly reports this as mitigated'; then
explain "Your kernel's /sys interface reports 'Mitigation: safe RET, no microcode' for the SRSO vulnerability.\n" \
"This was a bug in the kernel's reporting (fixed in v6.5.6/v6.6-rc6, commit dc6306ad5b0d):\n" \
"the Safe RET mitigation alone only protects the kernel from userspace attacks, but without\n" \
"the IBPB-extending microcode, userspace itself remains vulnerable because IBPB doesn't flush\n" \
"branch type predictions. Newer kernels correctly report this as 'Vulnerable: Safe RET, no microcode'.\n" \
"To fully mitigate, you need both the Safe RET kernel support AND an updated CPU microcode.\n" \
"Updating your kernel to v6.5.6+ or v6.6+ will also give you accurate vulnerability reporting."
fi
fi
}
# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - BSD mitigation check
check_CVE_2023_20569_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
src/vulns/CVE-2023-20593.sh
-54
View File
@@ -118,57 +118,3 @@ check_CVE_2023_20593_linux() {
pvulnstatus "$cve" "$status" "$msg"
fi
}
# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
check_CVE_2023_20593_bsd() {
local zenbleed_enable zenbleed_state kernel_zenbleed
pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "
zenbleed_enable=$(sysctl -n machdep.mitigations.zenbleed.enable 2>/dev/null)
if [ -n "$zenbleed_enable" ]; then
kernel_zenbleed=1
case "$zenbleed_enable" in
0) pstatus yellow YES "force disabled" ;;
1) pstatus green YES "force enabled" ;;
2) pstatus green YES "automatic (default)" ;;
*) pstatus yellow YES "unknown value: $zenbleed_enable" ;;
esac
else
kernel_zenbleed=0
pstatus yellow NO
fi
pr_info_nol "* Zenbleed mitigation state: "
zenbleed_state=$(sysctl -n machdep.mitigations.zenbleed.state 2>/dev/null)
if [ -n "$zenbleed_state" ]; then
if echo "$zenbleed_state" | grep -qi 'not.applicable\|mitigation.enabled'; then
pstatus green YES "$zenbleed_state"
elif echo "$zenbleed_state" | grep -qi 'mitigation.disabled'; then
pstatus yellow NO "$zenbleed_state"
else
pstatus yellow UNKNOWN "$zenbleed_state"
fi
else
pstatus yellow NO "sysctl not available"
fi
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" != 0 ]; then
if [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'mitigation.enabled'; then
pvulnstatus "$cve" OK "Zenbleed mitigation is enabled ($zenbleed_state)"
elif [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'not.applicable'; then
pvulnstatus "$cve" OK "Zenbleed mitigation not applicable to this CPU ($zenbleed_state)"
else
pvulnstatus "$cve" OK "Zenbleed mitigation is enabled"
fi
elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" = 0 ]; then
pvulnstatus "$cve" VULN "Zenbleed mitigation is supported but force disabled"
explain "To re-enable Zenbleed mitigation, run \`sysctl machdep.mitigations.zenbleed.enable=2' for automatic mode.\n " \
"To make this persistent, add 'machdep.mitigations.zenbleed.enable=2' to /etc/sysctl.conf."
else
pvulnstatus "$cve" VULN "your kernel doesn't support Zenbleed mitigation, update it"
explain "Your CPU vendor may also have a new microcode for your CPU model that mitigates this issue.\n " \
"Updating to FreeBSD 14.0 or later will provide kernel-level Zenbleed mitigation via the\n " \
"machdep.mitigations.zenbleed sysctl."
fi
}
src/vulns/CVE-2023-23583.sh
-9
View File
@@ -30,12 +30,3 @@ check_CVE_2023_23583_linux() {
fi
fi
}
# CVE-2023-23583 Reptar (redundant prefix issue) - BSD mitigation check
check_CVE_2023_23583_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
src/vulns/CVE-2024-36350.sh
+3 -64
View File
@@ -9,7 +9,7 @@ check_CVE_2024_36350() {
# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - Linux mitigation check
check_CVE_2024_36350_linux() {
local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled
local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled ret
status=UNK
sys_interface_available=0
msg=''
@@ -17,57 +17,10 @@ check_CVE_2024_36350_linux() {
if sys_interface_check "$VULN_SYSFS_BASE/tsa"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
#
# Complete sysfs message inventory for tsa
#
# all versions:
# "Not affected" (cpu_show_common, pre-existing)
#
# --- mainline ---
# d8010d4ba43e (v6.16-rc6, initial TSA sysfs):
# "Vulnerable" (TSA_MITIGATION_NONE)
# "Vulnerable: No microcode" (TSA_MITIGATION_UCODE_NEEDED)
# "Mitigation: Clear CPU buffers: user/kernel boundary" (TSA_MITIGATION_USER_KERNEL)
# "Mitigation: Clear CPU buffers: VM" (TSA_MITIGATION_VM)
# "Mitigation: Clear CPU buffers" (TSA_MITIGATION_FULL)
# 6b21d2f0dc73 (v6.17-rc1, attack vector controls):
# no string changes; only mitigation selection logic changed
# (AUTO can now resolve to USER_KERNEL or VM based on attack vector config)
#
# --- stable backports ---
# 6.16.y: d8010d4ba43e (same as mainline), same strings.
# 6.17.y: has 6b21d2f0dc73 (attack vector controls), same strings.
# 5.10.y (78192f511f40), 5.15.y (f2b75f1368af), 6.1.y (d12145e8454f),
# 6.6.y (90293047df18), 6.12.y (7a0395f6607a), 6.15.y (ab0f6573b211):
# different UCODE_NEEDED string:
# "Vulnerable: Clear CPU buffers attempted, no microcode" (TSA_MITIGATION_UCODE_NEEDED)
# all other strings identical to mainline.
# default is FULL (no AUTO enum); USER_KERNEL/VM only via cmdline tsa=user/tsa=vm.
# VM-forced mitigation: when UCODE_NEEDED and running in a VM, forces FULL
# (stable-only logic, not in mainline).
#
# --- RHEL/CentOS ---
# rocky9 (5.14-based), rocky10 (6.12-based): same strings as mainline.
# "Vulnerable: No microcode" for UCODE_NEEDED (matches mainline, NOT the stable variant).
# rocky8 (4.18-based), centos7 (3.10-based): no TSA support.
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm
# Override: when running as a hypervisor, "user/kernel boundary" mode
# (tsa=user) leaves the VM exit boundary uncovered — guests can exploit
# TSA to leak host data. The kernel correctly reports its own mode, but
# the script must flag this as insufficient for a VMM host.
if [ "$sys_interface_available" = 1 ] && [ "$g_has_vmm" != 0 ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'user/kernel boundary'; then
status=VULN
msg="Vulnerable: TSA mitigation limited to user/kernel boundary (tsa=user), VM exit boundary is not covered"
fi
fi
pr_info_nol "* Kernel supports TSA mitigation: "
kernel_tsa=''
kernel_tsa_err=''
@@ -82,8 +35,8 @@ check_CVE_2024_36350_linux() {
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi
fi
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then
if [ -z "$kernel_tsa" ] && [ -n "$g_kernel_map" ]; then
if grep -q 'tsa_select_mitigation' "$g_kernel_map"; then
kernel_tsa="found tsa_select_mitigation in System.map"
fi
fi
@@ -159,19 +112,5 @@ check_CVE_2024_36350_linux() {
fi
else
pvulnstatus "$cve" "$status" "$msg"
if echo "$msg" | grep -q 'VM exit boundary'; then
explain "This system runs a hypervisor but TSA mitigation only clears CPU buffers at\n " \
"user/kernel transitions (tsa=user). Guests can exploit TSA to leak host data\n " \
"across VM exit. Use \`tsa=on\` (or remove \`tsa=user\`) to cover both boundaries."
fi
fi
}
# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - BSD mitigation check
check_CVE_2024_36350_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
src/vulns/CVE-2024-36357.sh
+3 -71
View File
@@ -9,7 +9,7 @@ check_CVE_2024_36357() {
# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
check_CVE_2024_36357_linux() {
local status sys_interface_available msg kernel_tsa kernel_tsa_err
local status sys_interface_available msg kernel_tsa kernel_tsa_err ret
status=UNK
sys_interface_available=0
msg=''
@@ -17,57 +17,10 @@ check_CVE_2024_36357_linux() {
if sys_interface_check "$VULN_SYSFS_BASE/tsa"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
#
# Complete sysfs message inventory for tsa
#
# all versions:
# "Not affected" (cpu_show_common, pre-existing)
#
# --- mainline ---
# d8010d4ba43e (v6.16-rc6, initial TSA sysfs):
# "Vulnerable" (TSA_MITIGATION_NONE)
# "Vulnerable: No microcode" (TSA_MITIGATION_UCODE_NEEDED)
# "Mitigation: Clear CPU buffers: user/kernel boundary" (TSA_MITIGATION_USER_KERNEL)
# "Mitigation: Clear CPU buffers: VM" (TSA_MITIGATION_VM)
# "Mitigation: Clear CPU buffers" (TSA_MITIGATION_FULL)
# 6b21d2f0dc73 (v6.17-rc1, attack vector controls):
# no string changes; only mitigation selection logic changed
# (AUTO can now resolve to USER_KERNEL or VM based on attack vector config)
#
# --- stable backports ---
# 6.16.y: d8010d4ba43e (same as mainline), same strings.
# 6.17.y: has 6b21d2f0dc73 (attack vector controls), same strings.
# 5.10.y (78192f511f40), 5.15.y (f2b75f1368af), 6.1.y (d12145e8454f),
# 6.6.y (90293047df18), 6.12.y (7a0395f6607a), 6.15.y (ab0f6573b211):
# different UCODE_NEEDED string:
# "Vulnerable: Clear CPU buffers attempted, no microcode" (TSA_MITIGATION_UCODE_NEEDED)
# all other strings identical to mainline.
# default is FULL (no AUTO enum); USER_KERNEL/VM only via cmdline tsa=user/tsa=vm.
# VM-forced mitigation: when UCODE_NEEDED and running in a VM, forces FULL
# (stable-only logic, not in mainline).
#
# --- RHEL/CentOS ---
# rocky9 (5.14-based), rocky10 (6.12-based): same strings as mainline.
# "Vulnerable: No microcode" for UCODE_NEEDED (matches mainline, NOT the stable variant).
# rocky8 (4.18-based), centos7 (3.10-based): no TSA support.
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm
# Override: when running as a hypervisor, "user/kernel boundary" mode
# (tsa=user) leaves the VM exit boundary uncovered — guests can exploit
# TSA to leak host data. The kernel correctly reports its own mode, but
# the script must flag this as insufficient for a VMM host.
if [ "$sys_interface_available" = 1 ] && [ "$g_has_vmm" != 0 ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'user/kernel boundary'; then
status=VULN
msg="Vulnerable: TSA mitigation limited to user/kernel boundary (tsa=user), VM exit boundary is not covered"
fi
fi
pr_info_nol "* Kernel supports TSA mitigation: "
kernel_tsa=''
kernel_tsa_err=''
@@ -82,8 +35,8 @@ check_CVE_2024_36357_linux() {
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi
fi
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then
if [ -z "$kernel_tsa" ] && [ -n "$g_kernel_map" ]; then
if grep -q 'tsa_select_mitigation' "$g_kernel_map"; then
kernel_tsa="found tsa_select_mitigation in System.map"
fi
fi
@@ -125,13 +78,6 @@ check_CVE_2024_36357_linux() {
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
# No --paranoid SMT check here, unlike TSA-SQ (CVE-2024-36350).
# The kernel's cpu_bugs_smt_update() enables cpu_buf_idle_clear
# (VERW before idle) specifically for TSA-SQ cross-thread leakage,
# with the comment "TSA-SQ can potentially lead to info leakage
# between SMT threads" — TSA-L1 is not mentioned. Until the kernel
# flags TSA-L1 as having cross-thread SMT exposure, we follow its
# assessment and do not require SMT disabled in paranoid mode.
if [ "$cap_verw_clear" = 1 ] && [ -n "$kernel_tsa" ]; then
pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
elif [ "$cap_verw_clear" = 1 ]; then
@@ -152,19 +98,5 @@ check_CVE_2024_36357_linux() {
fi
else
pvulnstatus "$cve" "$status" "$msg"
if echo "$msg" | grep -q 'VM exit boundary'; then
explain "This system runs a hypervisor but TSA mitigation only clears CPU buffers at\n " \
"user/kernel transitions (tsa=user). Guests can exploit TSA to leak host data\n " \
"across VM exit. Use \`tsa=on\` (or remove \`tsa=user\`) to cover both boundaries."
fi
fi
}
# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - BSD mitigation check
check_CVE_2024_36357_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}