3 Commits
v0.25 ... v0.26

Author SHA1 Message Date
62f8ed6f61 adding support for new /sys interface (#55)
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
2018-01-11 12:23:16 +01:00
56b67f8082 Typo in README (#54) 2018-01-11 12:01:31 +01:00
52a8f78885 send warning to stderr. (#53)
With --batch json there must not be any other output on stdout, so redirect warnings to stderr will show the warning on the console and only the json output is on stdout.
2018-01-11 09:55:43 +01:00
2 changed files with 314 additions and 239 deletions

View File

@ -3,7 +3,7 @@ Spectre & Meltdown Checker
A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018. A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Without options, it'll inspect you currently running kernel. Without options, it'll inspect your currently running kernel.
You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running. You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running.
The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number. The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.

View File

@ -8,7 +8,7 @@
# #
# Stephane Lesimple # Stephane Lesimple
# #
VERSION=0.25 VERSION=0.26
# Script configuration # Script configuration
show_usage() show_usage()
@ -33,7 +33,8 @@ show_usage()
Options: Options:
--no-color Don't use color codes --no-color Don't use color codes
-v, --verbose Increase verbosity level --verbose, -v Increase verbosity level
--no-sysfs Don't use the /sys interface even if present
--batch text Produce machine readable output, this is the default if --batch is specified alone --batch text Produce machine readable output, this is the default if --batch is specified alone
--batch json Produce JSON output formatted for Puppet, Ansible, Chef... --batch json Produce JSON output formatted for Puppet, Ansible, Chef...
--batch nrpe Produce machine readable output formatted for NRPE --batch nrpe Produce machine readable output formatted for NRPE
@ -86,6 +87,7 @@ opt_variant1=0
opt_variant2=0 opt_variant2=0
opt_variant3=0 opt_variant3=0
opt_allvariants=1 opt_allvariants=1
opt_no_sysfs=0
nrpe_critical=0 nrpe_critical=0
nrpe_unknown=0 nrpe_unknown=0
@ -95,13 +97,13 @@ __echo()
{ {
opt="$1" opt="$1"
shift shift
msg="$@" _msg="$@"
if [ "$opt_no_color" = 1 ] ; then if [ "$opt_no_color" = 1 ] ; then
# strip ANSI color codes # strip ANSI color codes
msg=$(/bin/echo -e "$msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g") _msg=$(/bin/echo -e "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
fi fi
# explicitely call /bin/echo to avoid shell builtins that might not take options # explicitely call /bin/echo to avoid shell builtins that might not take options
/bin/echo $opt -e "$msg" /bin/echo $opt -e "$_msg"
} }
_echo() _echo()
@ -122,7 +124,7 @@ _echo_nol()
_warn() _warn()
{ {
_echo 0 "\033[31m${@}\033[0m" _echo 0 "\033[31m${@}\033[0m" >&2
} }
_info() _info()
@ -250,6 +252,9 @@ while [ -n "$1" ]; do
elif [ "$1" = "--no-color" ]; then elif [ "$1" = "--no-color" ]; then
opt_no_color=1 opt_no_color=1
shift shift
elif [ "$1" = "--no-sysfs" ]; then
opt_no_sysfs=1
shift
elif [ "$1" = "--batch" ]; then elif [ "$1" = "--batch" ]; then
opt_batch=1 opt_batch=1
opt_verbose=0 opt_verbose=0
@ -548,46 +553,83 @@ umount_debugfs()
fi fi
} }
sys_interface_check()
{
[ "$opt_live" = 1 -a "$opt_no_sysfs" = 0 -a -r "$1" ] || return 1
_info_nol "* Checking wheter we're safe according to the /sys interface: "
if grep -qi '^not affected' "$1"; then
# Not affected
status=OK
pstatus green YES "kernel confirms that your CPU is unaffected"
elif grep -qi '^mitigation' "$1"; then
# Mitigation: PTI
status=OK
pstatus green YES "kernel confirms that the mitigation is active"
elif grep -qi '^vulnerable' "$1"; then
# Vulnerable
status=VULN
pstatus red NO "kernel confirms your system is vulnerable"
else
status=UNK
pstatus yellow UNKNOWN "unknown value reported by kernel"
fi
msg=$(cat "$1")
return 0
}
################### ###################
# SPECTRE VARIANT 1 # SPECTRE VARIANT 1
check_variant1() check_variant1()
{ {
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m" _info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
_info_nol "* Checking count of LFENCE opcodes in kernel: "
status=0 status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v1"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
else
# no /sys interface (or offline mode), fallback to our own ways
_info_nol "* Checking count of LFENCE opcodes in kernel: "
if [ -n "$vmlinux_err" ]; then if [ -n "$vmlinux_err" ]; then
pstatus yellow UNKNOWN "$vmlinux_err" msg="couldn't check ($vmlinux_err)"
status=UNK
pstatus yellow UNKNOWN
else else
if ! which objdump >/dev/null 2>&1; then if ! which objdump >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package" msg="missing 'objdump' tool, please install it, usually it's in the binutils package"
status=UNK
pstatus yellow UNKNOWN
else else
# here we disassemble the kernel and count the number of occurences of the LFENCE opcode # here we disassemble the kernel and count the number of occurences of the LFENCE opcode
# in non-patched kernels, this has been empirically determined as being around 40-50 # in non-patched kernels, this has been empirically determined as being around 40-50
# in patched kernels, this is more around 70-80, sometimes way higher (100+) # in patched kernels, this is more around 70-80, sometimes way higher (100+)
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches, # v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
# so let's push the threshold to 70. # so let's push the threshold to 70.
# TODO LKML patch is starting to dump LFENCE in favor of the PAUSE opcode, we might need to check that (patch not stabilized yet) nb_lfence=$(objdump -d "$vmlinux" | grep -wc lfence)
nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
if [ "$nb_lfence" -lt 70 ]; then if [ "$nb_lfence" -lt 70 ]; then
pstatus red NO "only $nb_lfence opcodes found, should be >= 70" msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
status=1 status=VULN
pstatus yellow UNKNOWN
else else
pstatus green YES "$nb_lfence opcodes found, which is >= 70" msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
status=2 status=OK
pstatus green YES
fi
fi fi
fi fi
fi fi
if ! is_cpu_vulnerable 1; then # if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
pvulnstatus CVE-2017-5753 OK "your CPU vendor reported your CPU model as not vulnerable" if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 1; then
else # override status & msg in case CPU is not vulnerable after all
case "$status" in msg="your CPU vendor reported your CPU model as not vulnerable"
0) pvulnstatus CVE-2017-5753 UNK "impossible to check ${vmlinux}";; status=OK
1) pvulnstatus CVE-2017-5753 VULN 'heuristic to be improved when official patches become available';;
2) pvulnstatus CVE-2017-5753 OK 'heuristic to be improved when official patches become available';;
esac
fi fi
# report status
pvulnstatus CVE-2017-5753 "$status" "$msg"
} }
################### ###################
@ -595,6 +637,14 @@ check_variant1()
check_variant2() check_variant2()
{ {
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m" _info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
else
_info "* Mitigation 1" _info "* Mitigation 1"
_info_nol "* Hardware (CPU microcode) support for mitigation: " _info_nol "* Hardware (CPU microcode) support for mitigation: "
if [ ! -e /dev/cpu/0/msr ]; then if [ ! -e /dev/cpu/0/msr ]; then
@ -725,10 +775,15 @@ check_variant2()
else else
pstatus yellow UNKNOWN "couldn't find your kernel image or System.map" pstatus yellow UNKNOWN "couldn't find your kernel image or System.map"
fi fi
fi
if ! is_cpu_vulnerable 2; then # if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 2; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability" pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability"
elif [ "$opt_live" = 1 ]; then elif [ "$opt_live" = 1 ]; then
if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
@ -743,6 +798,9 @@ check_variant2()
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability" pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi fi
fi fi
else
pvulnstatus CVE-2017-5715 "$status" "$msg"
fi
} }
######################## ########################
@ -750,6 +808,14 @@ check_variant2()
check_variant3() check_variant3()
{ {
_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m" _info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/meltdown"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
else
_info_nol "* Kernel supports Page Table Isolation (PTI): " _info_nol "* Kernel supports Page Table Isolation (PTI): "
kpti_support=0 kpti_support=0
kpti_can_tell=0 kpti_can_tell=0
@ -817,22 +883,31 @@ check_variant3()
else else
pstatus blue N/A "can't verify if PTI is enabled in offline mode" pstatus blue N/A "can't verify if PTI is enabled in offline mode"
fi fi
fi
if ! is_cpu_vulnerable 3; then # if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
pvulnstatus CVE-2017-5754 OK "your CPU vendor reported your CPU model as not vulnerable" cve='CVE-2017-5754'
elif [ "$opt_live" = 1 ]; then if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 3; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "PTI mitigates the vulnerability" pvulnstatus $cve OK "PTI mitigates the vulnerability"
else else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability" pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
fi fi
else else
if [ "$kpti_support" = 1 ]; then if [ "$kpti_support" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime" pvulnstatus $cve OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
else else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability" pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
fi fi
fi fi
else
pvulnstatus $cve "$status" "$msg"
fi
} }
# now run the checks the user asked for # now run the checks the user asked for