34 Commits
v0.24 ... v0.31

Author SHA1 Message Date
bd18323d79 bump to v0.31 to reflect changes 2018-01-14 22:34:09 +01:00
b89d67dd15 meltdown: detecting Xen PV, reporting as not vulnerable 2018-01-14 22:31:21 +01:00
704e54019a is_cpu_vulnerable: add check for old Atoms 2018-01-14 21:32:56 +01:00
d96093171a verbose: add PCID check for performance impact of PTI 2018-01-14 17:18:34 +01:00
dcc4488340 Merge pull request #80 from speed47/cpuid_spec_ctrl
v0.30, cpuid spec ctrl and other enhancements
2018-01-14 16:48:02 +01:00
32e3fe6c07 bump to v0.30 to reflect changes 2018-01-14 16:45:59 +01:00
f488947d43 Merge pull request #79 from andir/add-nixos
add support for NixOS kernel
2018-01-14 16:40:10 +01:00
71213c11b3 ibrs: check for spec_ctrl_ibrs in cpuinfo 2018-01-14 16:36:51 +01:00
2964c4ab44 add support for NixOS kernel
this removes the need to specify the kernel version manually on NixOS
2018-01-14 16:18:29 +01:00
749f432d32 also check for spec_ctrl flag in cpuinfo 2018-01-14 15:47:51 +01:00
a422b53d7c also check for cpuinfo flag 2018-01-14 15:47:51 +01:00
c483a2cf60 check spec_ctrl support using cpuid 2018-01-14 15:47:51 +01:00
dead0054a4 fix: proper detail msg in vuln status 2018-01-14 15:47:22 +01:00
8ed7d465aa Merge pull request #77 from speed47/exitcode
proper return codes regardless of the batch mode
2018-01-14 14:25:12 +01:00
e5e4851d72 proper return codes regardless of the batch mode 2018-01-14 14:24:31 +01:00
7f92717a2c add info about accuracy when missing kernel files 2018-01-13 13:59:17 +01:00
b47d505689 AMD now vuln to variant2 (as per their stmt) 2018-01-13 13:35:31 +01:00
4a2d051285 minor is_cpu_vulnerable() changes (#71)
* correct is_cpu_vulnerable() comment

As far as I can tell, the function and usage are correct for the comment
to be inverted.

Add a clarifying note as to why the value choice makes sense.

* exit on invalid variant

If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.

* no need to set vulnerable CPUs

According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
2018-01-13 13:16:37 +01:00
f3551b9734 Only show the name of the script, not the full path (#72) 2018-01-13 13:14:19 +01:00
45b98e125f fix some typos (#73) 2018-01-13 13:13:40 +01:00
dce917bfbb add --version, bump to v0.28 2018-01-12 19:10:44 +01:00
8f18f53aba add cpu model in output 2018-01-12 19:08:12 +01:00
d3f102b3b3 Typofix in readme (#61) 2018-01-12 13:58:04 +01:00
8bd093173d Fixed a few spelling errors (#60) 2018-01-12 11:46:36 +01:00
bfe5a3b840 add some debug 2018-01-12 10:53:19 +01:00
6a0242eea3 bump to v0.27 2018-01-11 15:36:41 +01:00
bc4e39038a fix(opcodes): fix regression introduced in previous commit
We were saying unknown instead of vulnerable when the count of lfence opcodes was low
This was not impacting batch mode or the final decision, just the human-readable output of the script.
2018-01-11 15:35:57 +01:00
62f8ed6f61 adding support for new /sys interface (#55)
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
2018-01-11 12:23:16 +01:00
56b67f8082 Typo in README (#54) 2018-01-11 12:01:31 +01:00
52a8f78885 send warning to stderr. (#53)
With --batch json there must not be any other output on stdout, so redirecting warnings to stderr will show the warning on the console, and only the JSON output is on stdout.
2018-01-11 09:55:43 +01:00
a09a5ba38f bump to v0.25 to reflect changes 2018-01-11 09:08:29 +01:00
5a7d8d7edf Produce JSON output formatted for Puppet, Ansible, Chef... (#50)
Produce JSON output formatted for Puppet, Ansible, Chef...
2018-01-11 09:04:13 +01:00
49fdc6c449 Merge pull request #51 from cowanml/file_read_check_fixup
fixed file read test
2018-01-10 21:39:09 +01:00
af3de2a862 fixed file read test 2018-01-10 15:17:14 -05:00
2 changed files with 532 additions and 286 deletions


@ -3,7 +3,7 @@ Spectre & Meltdown Checker
A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Without options, it'll inspect you currently running kernel.
Without options, it'll inspect your currently running kernel.
You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running.
The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.
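Review bot: the first context line of this hunk still reads "vulnerable against the 3 "speculative execution" CVEs that were made public early 2018", and this change is already a wording fix in the same paragraph. Consider "vulnerable to" and "in early 2018" there as well, and name the three CVEs at that point if the README does not list them elsewhere, so readers can map the script's output to them.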
@ -40,6 +40,6 @@ However, some mitigations could also exist in your kernel that this script doesn
Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitely stated otherwise in a verifiable public announcement.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.
This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
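Review bot: the unchanged paragraph just above the corrected line ("As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities", "All Intel processors manufactured since circa 1995 are thought to be vulnerable") looks out of step with commits in this same range: b47d505689 marks AMD as vulnerable to variant 2, and 704e54019a adds a check for old Atoms in is_cpu_vulnerable. Since the README is being touched anyway, update that paragraph to say which variants each vendor is currently treated as affected by, or point readers to the script's per-CPU output as the authoritative answer, so the documentation does not understate exposure.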

File diff suppressed because it is too large