peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-07-15 15:21:23 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: peter:v0.25
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01
..
compare: peter:v0.29
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01

14 Commits
v0.25 ... v0.29

Author SHA1 Message Date
Stéphane Lesimple
b47d505689 AMD now vuln to variant2 (as per their stmt) 2018-01-13 13:35:31 +01:00
Corey Hickey
4a2d051285 minor is_cpu_vulnerable() changes (#71) 
* correct is_cpu_vulnerable() comment

As far as I can tell, the function and usage are correct for the comment
to be inverted.

Add a clarifying note as to why the value choice makes sense.

* exit on invalid varient

If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.

* no need to set vulnerable CPUs

According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
 2018-01-13 13:16:37 +01:00
Sylvestre Ledru
f3551b9734 Only show the name of the script, not the full path (#72) 2018-01-13 13:14:19 +01:00
Sylvestre Ledru
45b98e125f fix some typos (#73) 2018-01-13 13:13:40 +01:00
Stéphane Lesimple
dce917bfbb add --version, bump to v0.28 2018-01-12 19:10:44 +01:00
Stéphane Lesimple
8f18f53aba add cpu model in output 2018-01-12 19:08:12 +01:00
M. Willis Monroe
d3f102b3b3 Typofix in readme (#61) 2018-01-12 13:58:04 +01:00
M. Willis Monroe
8bd093173d Fixed a few spelling errors (#60) 2018-01-12 11:46:36 +01:00
Stéphane Lesimple
bfe5a3b840 add some debug 2018-01-12 10:53:19 +01:00
Stéphane Lesimple
6a0242eea3 bump to v0.27 2018-01-11 15:36:41 +01:00
Stéphane Lesimple
bc4e39038a fix(opcodes): fix regression introduced in previous commit 
We were saying unknown instead of vulnerable when the count of lfence opcodes was low
This was not impacting batch mode or the final decision, just the human-readable output of the script.
 2018-01-11 15:35:57 +01:00
Stéphane Lesimple
62f8ed6f61 adding support for new /sys interface (#55) 
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
 2018-01-11 12:23:16 +01:00
Gianluca Varisco
56b67f8082 Typo in README (#54) 2018-01-11 12:01:31 +01:00
Tobias Rüetschi
52a8f78885 send warning to stderr. (#53) 
With --batch json there must not be any other output on stdout, so redirect warnings to stderr will show the warning on the console and only the json output is on stdout.
 2018-01-11 09:55:43 +01:00
2 changed files with 359 additions and 258 deletions
Expand all files Collapse all files

4
README.md
View File

@ -3,7 +3,7 @@ Spectre & Meltdown Checker
A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018. A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Without options, it'll inspect you currently running kernel. Without options, it'll inspect your currently running kernel.
You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running. You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running.
The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number. The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.
@ -40,6 +40,6 @@ However, some mitigations could also exist in your kernel that this script doesn
Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs. Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitely stated otherwise in a verifiable public announcement. The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.
This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security. This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.

209
spectre-meltdown-checker.sh
View File

@ -8,21 +8,21 @@
# #
# Stephane Lesimple # Stephane Lesimple
# #
VERSION=0.25 VERSION=0.29
# Script configuration # Script configuration
show_usage() show_usage()
{ {
cat <<EOF cat <<EOF
Usage: Usage:
Live mode: $0 [options] [--live] Live mode: `basename $0` [options] [--live]
Offline mode: $0 [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>] Offline mode: `basename $0` [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>]
Modes: Modes:
Two modes are available. Two modes are available.
First mode is the "live" mode (default), it does its best to find information about the currently running kernel. First mode is the "live" mode (default), it does its best to find information about the currently running kernel.
To run under this mode, just start the script without any option (you can also use --live explicitely) To run under this mode, just start the script without any option (you can also use --live explicitly)
Second mode is the "offline" mode, where you can inspect a non-running kernel. Second mode is the "offline" mode, where you can inspect a non-running kernel.
You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files: You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files:
@ -33,13 +33,15 @@ show_usage()
Options: Options:
--no-color Don't use color codes --no-color Don't use color codes
-v, --verbose Increase verbosity level --verbose, -v Increase verbosity level
--no-sysfs Don't use the /sys interface even if present
--batch text Produce machine readable output, this is the default if --batch is specified alone --batch text Produce machine readable output, this is the default if --batch is specified alone
--batch json Produce JSON output formatted for Puppet, Ansible, Chef... --batch json Produce JSON output formatted for Puppet, Ansible, Chef...
--batch nrpe Produce machine readable output formatted for NRPE --batch nrpe Produce machine readable output formatted for NRPE
--variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked --variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked
Can be specified multiple times (e.g. --variant 2 --variant 3) Can be specified multiple times (e.g. --variant 2 --variant 3)
IMPORTANT: IMPORTANT:
A false sense of security is worse than no security at all. A false sense of security is worse than no security at all.
Please use the --disclaimer option to understand exactly what this script does. Please use the --disclaimer option to understand exactly what this script does.
@ -65,7 +67,7 @@ in which it runs.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected
to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer
explicitely stated otherwise in a verifiable public announcement. explicitly stated otherwise in a verifiable public announcement.
This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security. This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
@ -86,6 +88,7 @@ opt_variant1=0
opt_variant2=0 opt_variant2=0
opt_variant3=0 opt_variant3=0
opt_allvariants=1 opt_allvariants=1
opt_no_sysfs=0
nrpe_critical=0 nrpe_critical=0
nrpe_unknown=0 nrpe_unknown=0
@ -95,13 +98,13 @@ __echo()
{ {
opt="$1" opt="$1"
shift shift
msg="$@" _msg="$@"
if [ "$opt_no_color" = 1 ] ; then if [ "$opt_no_color" = 1 ] ; then
# strip ANSI color codes # strip ANSI color codes
msg=$(/bin/echo -e "$msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g") _msg=$(/bin/echo -e "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
fi fi
# explicitely call /bin/echo to avoid shell builtins that might not take options # explicitly call /bin/echo to avoid shell builtins that might not take options
/bin/echo $opt -e "$msg" /bin/echo $opt -e "$_msg"
} }
_echo() _echo()
@ -122,7 +125,7 @@ _echo_nol()
_warn() _warn()
{ {
_echo 0 "\033[31m${@}\033[0m" _echo 0 "\033[31m${@}\033[0m" >&2
} }
_info() _info()
@ -142,21 +145,23 @@ _verbose()
_debug() _debug()
{ {
_echo 3 "(debug) $@" _echo 3 "\033[34m(debug) $@\033[0m"
} }
is_cpu_vulnerable() is_cpu_vulnerable()
{ {
# param: 1, 2 or 3 (variant) # param: 1, 2 or 3 (variant)
# returns 1 if vulnerable, 0 if not vulnerable, 255 on error # returns 0 if vulnerable, 1 if not vulnerable
# (note that in shell, a return of 0 is success)
# by default, everything is vulnerable, we work in a "whitelist" logic here. # by default, everything is vulnerable, we work in a "whitelist" logic here.
# usage: is_cpu_vulnerable 2 && do something if vulnerable # usage: is_cpu_vulnerable 2 && do something if vulnerable
variant1=0 variant1=0
variant2=0 variant2=0
variant3=0 variant3=0
if grep -q AMD /proc/cpuinfo; then if grep -q AMD /proc/cpuinfo; then
variant1=0 # AMD revised their statement about variant2 => vulnerable
variant2=1 # https://www.amd.com/en/corporate/speculative-execution
variant3=1 variant3=1
elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then
# ARM # ARM
@ -171,28 +176,26 @@ is_cpu_vulnerable()
# arch 7? 7? 7 7 7 8 8 8 8 # arch 7? 7? 7 7 7 8 8 8 8
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
# armv7 vulnerable chips # armv7 vulnerable chips
variant1=0 :
variant2=0
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
# armv8 vulnerable chips # armv8 vulnerable chips
variant1=0 :
variant2=0
else else
variant1=1 variant1=1
variant2=1 variant2=1
fi fi
# for variant3, only A75 is vulnerable # for variant3, only A75 is vulnerable
if [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then if ! [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
variant3=0
else
variant3=1 variant3=1
fi fi
fi fi
fi fi
[ "$1" = 1 ] && return $variant1 [ "$1" = 1 ] && return $variant1
[ "$1" = 2 ] && return $variant2 [ "$1" = 2 ] && return $variant2
[ "$1" = 3 ] && return $variant3 [ "$1" = 3 ] && return $variant3
return 255 echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2
exit 1
} }
show_header() show_header()
@ -250,6 +253,9 @@ while [ -n "$1" ]; do
elif [ "$1" = "--no-color" ]; then elif [ "$1" = "--no-color" ]; then
opt_no_color=1 opt_no_color=1
shift shift
elif [ "$1" = "--no-sysfs" ]; then
opt_no_sysfs=1
shift
elif [ "$1" = "--batch" ]; then elif [ "$1" = "--batch" ]; then
opt_batch=1 opt_batch=1
opt_verbose=0 opt_verbose=0
@ -285,6 +291,10 @@ while [ -n "$1" ]; do
show_header show_header
show_usage show_usage
exit 0 exit 0
elif [ "$1" = "--version" ]; then
opt_no_color=1
show_header
exit 1
elif [ "$1" = "--disclaimer" ]; then elif [ "$1" = "--disclaimer" ]; then
show_header show_header
show_disclaimer show_disclaimer
@ -452,7 +462,8 @@ if [ "$opt_live" = 1 ]; then
_warn "To run it as root, you can try the following command: sudo $0" _warn "To run it as root, you can try the following command: sudo $0"
_warn _warn
fi fi
_info "Checking for vulnerabilities against live running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m" _info "Checking for vulnerabilities against running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
_info "CPU is\033[35m"$(grep '^model name' /proc/cpuinfo | cut -d: -f2 | head -1)"\033[0m"
# try to find the image of the current running kernel # try to find the image of the current running kernel
# first, look for the BOOT_IMAGE hint in the kernel cmdline # first, look for the BOOT_IMAGE hint in the kernel cmdline
@ -548,46 +559,84 @@ umount_debugfs()
fi fi
} }
sys_interface_check()
{
[ "$opt_live" = 1 -a "$opt_no_sysfs" = 0 -a -r "$1" ] || return 1
_info_nol "* Checking whether we're safe according to the /sys interface: "
if grep -qi '^not affected' "$1"; then
# Not affected
status=OK
pstatus green YES "kernel confirms that your CPU is unaffected"
elif grep -qi '^mitigation' "$1"; then
# Mitigation: PTI
status=OK
pstatus green YES "kernel confirms that the mitigation is active"
elif grep -qi '^vulnerable' "$1"; then
# Vulnerable
status=VULN
pstatus red NO "kernel confirms your system is vulnerable"
else
status=UNK
pstatus yellow UNKNOWN "unknown value reported by kernel"
fi
msg=$(cat "$1")
_debug "sys_interface_check: $1=$msg"
return 0
}
################### ###################
# SPECTRE VARIANT 1 # SPECTRE VARIANT 1
check_variant1() check_variant1()
{ {
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m" _info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
_info_nol "* Checking count of LFENCE opcodes in kernel: "
status=0 status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v1"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
else
# no /sys interface (or offline mode), fallback to our own ways
_info_nol "* Checking count of LFENCE opcodes in kernel: "
if [ -n "$vmlinux_err" ]; then if [ -n "$vmlinux_err" ]; then
pstatus yellow UNKNOWN "$vmlinux_err" msg="couldn't check ($vmlinux_err)"
status=UNK
pstatus yellow UNKNOWN
else else
if ! which objdump >/dev/null 2>&1; then if ! which objdump >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package" msg="missing 'objdump' tool, please install it, usually it's in the binutils package"
status=UNK
pstatus yellow UNKNOWN
else else
# here we disassemble the kernel and count the number of occurences of the LFENCE opcode # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
# in non-patched kernels, this has been empirically determined as being around 40-50 # in non-patched kernels, this has been empirically determined as being around 40-50
# in patched kernels, this is more around 70-80, sometimes way higher (100+) # in patched kernels, this is more around 70-80, sometimes way higher (100+)
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches, # v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
# so let's push the threshold to 70. # so let's push the threshold to 70.
# TODO LKML patch is starting to dump LFENCE in favor of the PAUSE opcode, we might need to check that (patch not stabilized yet) nb_lfence=$(objdump -d "$vmlinux" | grep -wc lfence)
nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
if [ "$nb_lfence" -lt 70 ]; then if [ "$nb_lfence" -lt 70 ]; then
pstatus red NO "only $nb_lfence opcodes found, should be >= 70" msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
status=1 status=VULN
pstatus red NO
else else
pstatus green YES "$nb_lfence opcodes found, which is >= 70" msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
status=2 status=OK
pstatus green YES
fi
fi fi
fi fi
fi fi
if ! is_cpu_vulnerable 1; then # if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
pvulnstatus CVE-2017-5753 OK "your CPU vendor reported your CPU model as not vulnerable" if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 1; then
else # override status & msg in case CPU is not vulnerable after all
case "$status" in msg="your CPU vendor reported your CPU model as not vulnerable"
0) pvulnstatus CVE-2017-5753 UNK "impossible to check ${vmlinux}";; status=OK
1) pvulnstatus CVE-2017-5753 VULN 'heuristic to be improved when official patches become available';;
2) pvulnstatus CVE-2017-5753 OK 'heuristic to be improved when official patches become available';;
esac
fi fi
# report status
pvulnstatus CVE-2017-5753 "$status" "$msg"
} }
################### ###################
@ -595,11 +644,20 @@ check_variant1()
check_variant2() check_variant2()
{ {
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m" _info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
else
_info "* Mitigation 1" _info "* Mitigation 1"
_info_nol "* Hardware (CPU microcode) support for mitigation: " _info_nol "* Hardware (CPU microcode) support for mitigation: "
if [ ! -e /dev/cpu/0/msr ]; then if [ ! -e /dev/cpu/0/msr ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards) # try to load the module ourselves (and remember it so we can rmmod it afterwards)
modprobe msr 2>/dev/null && insmod_msr=1 modprobe msr 2>/dev/null && insmod_msr=1
_debug "attempted to load module msr, ret=$insmod_msr"
fi fi
if [ ! -e /dev/cpu/0/msr ]; then if [ ! -e /dev/cpu/0/msr ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?" pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
@ -618,6 +676,7 @@ check_variant2()
if [ "$insmod_msr" = 1 ]; then if [ "$insmod_msr" = 1 ]; then
# if we used modprobe ourselves, rmmod the module # if we used modprobe ourselves, rmmod the module
rmmod msr 2>/dev/null rmmod msr 2>/dev/null
_debug "attempted to unload module msr, ret=$?"
fi fi
_info_nol "* Kernel support for IBRS: " _info_nol "* Kernel support for IBRS: "
@ -635,7 +694,10 @@ check_variant2()
pstatus green YES pstatus green YES
ibrs_supported=1 ibrs_supported=1
ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null) ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null)
_debug "ibrs: found $ibrs_file=$ibrs_enabled"
break break
else
_debug "ibrs: file $ibrs_file doesn't exist"
fi fi
done done
fi fi
@ -643,6 +705,7 @@ check_variant2()
if grep -q spec_ctrl "$opt_map"; then if grep -q spec_ctrl "$opt_map"; then
pstatus green YES pstatus green YES
ibrs_supported=1 ibrs_supported=1
_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
fi fi
fi fi
if [ "$ibrs_supported" != 1 ]; then if [ "$ibrs_supported" != 1 ]; then
@ -683,6 +746,7 @@ check_variant2()
if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
pstatus green YES pstatus green YES
retpoline=1 retpoline=1
_debug "retpoline: found "$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
else else
pstatus red NO pstatus red NO
fi fi
@ -725,10 +789,15 @@ check_variant2()
else else
pstatus yellow UNKNOWN "couldn't find your kernel image or System.map" pstatus yellow UNKNOWN "couldn't find your kernel image or System.map"
fi fi
fi
if ! is_cpu_vulnerable 2; then # if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 2; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability" pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability"
elif [ "$opt_live" = 1 ]; then elif [ "$opt_live" = 1 ]; then
if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
@ -743,6 +812,9 @@ check_variant2()
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability" pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi fi
fi fi
else
pvulnstatus CVE-2017-5715 "$status" "$msg"
fi
} }
######################## ########################
@ -750,12 +822,21 @@ check_variant2()
check_variant3() check_variant3()
{ {
_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m" _info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/meltdown"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
else
_info_nol "* Kernel supports Page Table Isolation (PTI): " _info_nol "* Kernel supports Page Table Isolation (PTI): "
kpti_support=0 kpti_support=0
kpti_can_tell=0 kpti_can_tell=0
if [ -n "$opt_config" ]; then if [ -n "$opt_config" ]; then
kpti_can_tell=1 kpti_can_tell=1
if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then
_debug "kpti_support: found option "$(grep -E '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config")" in $opt_config"
kpti_support=1 kpti_support=1
fi fi
fi fi
@ -764,6 +845,7 @@ check_variant3()
# so we try to find an exported symbol that is part of the PTI patch in System.map # so we try to find an exported symbol that is part of the PTI patch in System.map
kpti_can_tell=1 kpti_can_tell=1
if grep -qw kpti_force_enabled "$opt_map"; then if grep -qw kpti_force_enabled "$opt_map"; then
_debug "kpti_support: found kpti_force_enabled in $opt_map"
kpti_support=1 kpti_support=1
fi fi
fi fi
@ -775,6 +857,7 @@ check_variant3()
pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package"
else else
if strings "$vmlinux" | grep -qw nopti; then if strings "$vmlinux" | grep -qw nopti; then
_debug "kpti_support: found nopti string in $vmlinux"
kpti_support=1 kpti_support=1
fi fi
fi fi
@ -791,22 +874,31 @@ check_variant3()
mount_debugfs mount_debugfs
_info_nol "* PTI enabled and active: " _info_nol "* PTI enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
dmesg_grep="Kernel/User page tables isolation: enabled"
dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
if grep ^flags /proc/cpuinfo | grep -qw pti; then if grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo # vanilla PTI patch sets the 'pti' flag in cpuinfo
_debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo"
kpti_enabled=1 kpti_enabled=1
elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
# kernel line 4.9 sets the 'kaiser' flag in cpuinfo # kernel line 4.9 sets the 'kaiser' flag in cpuinfo
_debug "kpti_enabled: found 'kaiser' flag in /proc/cpuinfo"
kpti_enabled=1 kpti_enabled=1
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 # RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
elif dmesg | grep -Eq "$dmesg_grep"; then
# if we can't find the flag, grep dmesg output # if we can't find the flag, grep dmesg output
_debug "kpti_enabled: found hint in dmesg: "$(dmesg | grep -E "$dmesg_grep")
kpti_enabled=1 kpti_enabled=1
elif [ -r /var/log/dmesg ] && grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' /var/log/dmesg; then elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable # if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
_debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg)
kpti_enabled=1 kpti_enabled=1
else else
_debug "kpti_enabled: couldn't find any hint that PTI is enabled"
kpti_enabled=0 kpti_enabled=0
fi fi
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then
@ -817,22 +909,31 @@ check_variant3()
else else
pstatus blue N/A "can't verify if PTI is enabled in offline mode" pstatus blue N/A "can't verify if PTI is enabled in offline mode"
fi fi
fi
if ! is_cpu_vulnerable 3; then # if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
pvulnstatus CVE-2017-5754 OK "your CPU vendor reported your CPU model as not vulnerable" cve='CVE-2017-5754'
elif [ "$opt_live" = 1 ]; then if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 3; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "PTI mitigates the vulnerability" pvulnstatus $cve OK "PTI mitigates the vulnerability"
else else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability" pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
fi fi
else else
if [ "$kpti_support" = 1 ]; then if [ "$kpti_support" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime" pvulnstatus $cve OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
else else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability" pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
fi fi
fi fi
else
pvulnstatus $cve "$status" "$msg"
fi
} }
# now run the checks the user asked for # now run the checks the user asked for