update MCEdb from v110 to v111, bump to v0.42

enh: -v -v now implies --dump-mock-data
feat(mds): implement FreeBSD mitigation detection
2025-07-15 07:11:22 +02:00 · 2019-05-24 22:49:45 +02:00 · 2019-05-24 11:36:39 +02:00 · 2019-05-24 11:17:04 +02:00 · 2019-05-24 10:49:40 +02:00 · 2019-05-24 10:20:48 +02:00
3 changed files with 2193 additions and 307 deletions
--- a/README.md
+++ b/README.md
@ -1,12 +1,19 @@
 Spectre & Meltdown Checker
 ==========================

-A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public in 2018.
- CVE-2017-5753 aka Spectre Variant 1
- CVE-2017-5715 aka Spectre Variant 2
- CVE-2017-5754 aka Meltdown or Variant 3
- CVE-2018-3640 aka Variant 3a
- CVE-2018-3639 aka Variant 4
+A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public since 2018.
+- CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
+- CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
+- CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
+- CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
+- CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
+- CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)'
+- CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)'
+- CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)'
+- CVE-2018-12126 [microarchitectural store buffer data sampling (MSBDS)] aka 'Fallout'
+- CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)] aka 'ZombieLoad'
+- CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)] aka 'RIDL'
+- CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL'

 Supported operating systems:
 - Linux (all versions, flavors and distros)
@ -46,9 +53,18 @@ sudo ./spectre-meltdown-checker.sh

 ### Run the script in a docker container

+#### With docker-compose
+
+```shell
+docker-compose build
+docker-compose run --rm spectre-meltdown-checker
+```
+
+#### Without docker-compose
+
 ```shell
 docker build -t spectre-meltdown-checker .
-docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -v /dev/cpu:/dev/cpu:ro spectre-meltdown-checker
+docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker
 ```

 ## Example of script output
@ -98,6 +114,37 @@ docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -
   - Mitigation: microcode update + kernel update making possible for affected software to protect itself
   - Performance impact of the mitigation: low to medium

+**CVE-2018-3615** l1 terminal fault (Foreshadow-NG SGX)
+
+   - Impact: Kernel & all software (any physical memory address in the system)
+   - Mitigation: microcode update
+   - Performance impact of the mitigation: negligible
+
+**CVE-2018-3620** l1 terminal fault (Foreshadow-NG SMM)
+
+   - Impact: Kernel & System management mode
+   - Mitigation: updated kernel (with PTE inversion)
+   - Performance impact of the mitigation: negligible
+
+**CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM)
+
+   - Impact: Virtualization software and Virtual Machine Monitors
+   - Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or updated kernel (with L1d flush)
+   - Performance impact of the mitigation: low to significant
+
+**CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling (Fallout)
+
+**CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling (ZombieLoad)
+
+**CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling (RIDL)
+
+**CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory (RIDL)
+
+   - Note: These 4 CVEs are similar and collectively named "MDS" vulnerabilities, the mitigation is identical for all
+   - Impact: Kernel
+   - Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivileged speculative access to data
+   - Performance impact of the mitigation: low to significant
+
 ## Understanding what this script does and doesn't

 This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,15 @@
+version: '2'
+
+services:
+  spectre-meltdown-checker:
+    build:
+      context: ./
+      dockerfile: ./Dockerfile
+    image: spectre-meltdown-checker:latest
+    container_name: spectre-meltdown-checker
+    privileged: true
+    network_mode: none
+    volumes:
+      - /boot:/boot:ro
+      - /dev/cpu:/dev/cpu:ro
+      - /lib/modules:/lib/modules:ro
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
Author	SHA1	Message	Date
Stéphane Lesimple	fcc4ff4de2	update MCEdb from v110 to v111, bump to v0.42	2019-05-24 22:49:45 +02:00
Stéphane Lesimple	0bd38ddda0	enh: -v -v now implies --dump-mock-data	2019-05-24 11:36:39 +02:00
Stéphane Lesimple	e83dc818cd	feat(mds): implement FreeBSD mitigation detection	2019-05-24 11:17:04 +02:00
Stéphane Lesimple	d69ea67101	feat(mock): add --dump-mock-data	2019-05-24 10:49:40 +02:00
Stéphane Lesimple	dfe0d10f2a	fix(mds): remove useless display of MD_CLEAR info in non-hw section	2019-05-24 10:20:48 +02:00
Stéphane Lesimple	58a5acfdbb	fix(bsd): read_msr returned data in an incorrect format	2019-05-24 09:33:56 +02:00
Stéphane Lesimple	ccb4dbef7c	enh(mock): avoid reading the sysfs interface outside sys_interface_check() for higher mocking coverage	2019-05-24 09:28:18 +02:00
Stéphane Lesimple	afbb26277f	feat(mock): add mocking functionality to help reproducing issues under specific CPUs	2019-05-24 09:28:18 +02:00
Stéphane Lesimple	77b34d48c6	fix(mds): check MDS_NO bit in is_cpu_mds_free()	2019-05-24 09:28:18 +02:00
Stéphane Lesimple	497efe6a82	fix(l1tf): RDCL_NO bit didn't take precedence for vulnerability check on some Intel CPUs	2019-05-24 09:28:18 +02:00
Stéphane Lesimple	62b46df4e7	fix(l1tf): remove libvirtd from hypervisor detection (#278 )	2019-05-18 14:22:42 +02:00
Stéphane Lesimple	7d1f269bed	fix(mds): AMD confirms they're not vulnerable	2019-05-16 11:31:28 +02:00
Erich Ritz	4f9ca803c8	Fix help text (#285 ) * fix --help message Commit `7b72c20f89` added help text for the --cve switch, and the "can be specified multiple times" note got associated with the --cve switch instead of staying with the --variant switch. Restore the line to belong to the --variant switch help message. * Add new variants to error message Commit `8e870db4f5` added new variants but did not add them to the error message that listed the allowable variants. Add them now.	2019-05-15 19:34:51 +02:00
Stéphane Lesimple	5788cec18b	fix(mds): ARM and CAVIUM are not thought to be vulnerable	2019-05-15 10:56:49 +02:00
Stéphane Lesimple	ae56ec0bc5	bump to v0.41	2019-05-15 09:57:28 +02:00
Stéphane Lesimple	871443c9db	fix typos in README	2019-05-15 00:28:55 +02:00
Stéphane Lesimple	8fd4e3ab01	fix(xen): remove xenbus and xenwatch as they also exist in domU	2019-05-15 00:23:05 +02:00
Stéphane Lesimple	de793a7204	feat(mds): more verbose info about kernel support and microcode support for mitigation	2019-05-15 00:21:08 +02:00
Stéphane Lesimple	11790027d3	feat(mds): add alias ZombieLoad for CVE-2018-12130	2019-05-14 21:42:36 +02:00
Stéphane Lesimple	5939c38c5c	update mcedb from v109 to v110 to better detect MDS microcodes	2019-05-14 20:31:27 +02:00
Stéphane Lesimple	db7d3206fd	feat(mds): add detection of availability of MD_CLEAR instruction	2019-05-14 20:30:47 +02:00
Stéphane Lesimple	1d13a423b8	adjust README	2019-05-14 20:16:01 +02:00
Agata Gruza	8e870db4f5	Added support for MDS related vulnerabilities (#282 )	2019-05-14 19:21:20 +02:00
Stéphane Lesimple	d547ce4ab4	fix(ssb): fix error when no process uses prctl to set ssb mitigation fixes #281	2019-05-13 15:35:58 +02:00
Stéphane Lesimple	d187827841	enh(vmm): add Xen daemons detection	2019-05-08 20:44:54 +02:00
Hans-Joachim Kliemeck	2e304ec617	enh(xen): improvements for xen systems (#270 ) * add mitigation detection for l1tf for xen based systems * add information for hardware mitigation * add xen support for meltdown	2019-05-07 20:35:52 +02:00
Stéphane Lesimple	fcc04437e8	update builtin MCEdb from v96 to v109	2019-05-07 20:29:59 +02:00
Stéphane Lesimple	d31a9810e6	enhance previous commit logic	2019-05-05 20:09:53 +02:00
Stéphane Lesimple	4edb867def	fix(vmm): revert to checking the running processes to detect a hypervisor More information available on #278	2019-05-05 20:04:25 +02:00
Stéphane Lesimple	1264b1c7a3	chore: more shellcheck 0.6 fixes	2019-05-05 18:34:09 +02:00
Stéphane Lesimple	7beca1ac50	fix: invalid names in json batch mode (fixes #279 )	2019-05-05 18:15:41 +02:00
David	8ad10e15d3	chore: Comply with Shellcheck SC2209 (#280 )	2019-05-05 17:31:18 +02:00
Stéphane Lesimple	bfa4de96e6	enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise This change ensures we check for SMT and advise the user to disable it for maximum security. Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261)	2019-04-21 14:05:43 +02:00
Stéphane Lesimple	b022b27a51	feat(ssbd): in live mode, report whether the mitigation is active (fix #210 )	2019-04-20 20:27:45 +02:00
Dario Faggioli	c4bae6ee6a	IBRS kernel reported active even if sysfs has "IBRS_FW" only (#275 ) (#276 ) On a (pre-SkyLake) system, where /sys/.../vulnerabilities/spectre_v2 is "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling" the tool, incorrectly, reports, a couple of lines above: * IBRS enabled and active: YES (for kernel and firmware code) Use '\<IBRS\>', as suggested by @jirislaby, in upstream issue #275 (https://github.com/speed47/spectre-meltdown-checker/issues/275) when checking whether IBRS is enabled/active for the kernel. With that, the output becomes: * IBRS enabled and active: YES (for firmware code only) which is actually the case. I double checked that, if the same kernel is used on a post-SkyLake hardware, which on openSUSE uses IBRS as, even with this change, the tool (this time correctly) reports: * IBRS enabled and active: YES (for kernel and firmware code)	2019-04-20 14:04:29 +02:00
Stéphane Lesimple	23e7db044e	fix(bsd): load vmm if not already loaded, fixes #274 As we read sysctl values under the vmm hierarchy, the modules needs to be loaded, so if not already done, we load it before testing for CVE-2018-3620 and CVE-2018-3646	2019-04-19 19:47:04 +02:00
Stéphane Lesimple	fc4981bb94	update MCEDB from v84 to v96	2019-01-20 19:52:46 +01:00
Dajiang Zhong	419508758e	add spectre and meltdown mitigation technologies checking for Hygon CPU (#271 ) * add spectre and meltdown mitigation technologies checking for Hygon CPU * update microarhitecture name for Hygon CPU family 24 with moksha	2019-01-20 19:32:36 +01:00
Stéphane Lesimple	d7d2e6934b	fix: typo in bare metal detection (fixes #269 )	2018-12-12 00:24:17 +01:00
Jan	b0083d918e	Remove unneeded volumes in Dockerfile (#266 )	2018-12-10 19:42:13 +01:00
Lily Wilson	904a83c675	Fix Arch kernel image detection (#268 ) currently, the script tries to use the wrong kernel image on Arch if an alternative kernel (hardened, zen, or lts) is in use. Fortunately, all the Arch kernel packages place a symlink to the kernel image as /usr/lib/modules/$(uname -r)/vmlinuz, so simply removing the guess for Arch fixes the issue.	2018-12-10 19:36:58 +01:00
Rob Gill	906f54cf9d	Improved hypervisor detection (#259 ) * Code consistency ``` opt_batch_format="text" ``` replaced by ``` opt_batch_format='text' ``` ```nrpe_vuln='"" ``` replaced by ``` nrpe_vuln='' ``` , as used by other parse options Redundant ``` ! -z ``` replaced by ``` -n ```, as used elsewhere Signed-off-by: Rob Gill <rrobgill@protonmail.com> * Improved hypervisor detection Tests for presence of hypervisor flag in /proc/cpuino Tests for evidence of hypervisor in dmesg Signed-off-by: Rob Gill <rrobgill@protonmail.com> * formatting fix Signed-off-by: Rob Gill <rrobgill@protonmail.com> * Set $l1d_mode to -1 in cases where cpu/vulnerabilities/l1tf is not available (prevents invalid number error when evaluating [ "$l1d_mode" -ge 1 ]) Signed-off-by: Rob Gill <rrobgill@protonmail.com> * Update Intel Atom 6 cpu names to align with kernel Update processor names of atom 6 family processors to align with those from kernel as of October 2018. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/include/asm/intel-family.h?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e Update list of known immune processors from https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/arch/x86/kernel/cpu/common.c?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e * Fix unset $l1d_mode Another instance of unset l1d_mode causing error "./spectre-meltdown-checker.sh: 3867: [: Illegal number:" * chore: update readme with brief summary of L1tfs L1tf mitigation and impact details from https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html and https://blogs.oracle.com/oraclesecurity/intel-l1tf * typo	2018-12-10 19:33:07 +01:00
Brett T. Warden	c45a06f414	Warn on missing kernel info (#265 ) Missing kernel information can cause all sorts of false positives or negatives. This is worth at least a warning, and repeating immediately following the status.	2018-11-25 18:37:03 +01:00
Brett T. Warden	4a6fa070a4	Fix misdetection of files under Clear Linux (#264 )	2018-11-25 18:14:04 +01:00
Stéphane Lesimple	c705afe764	bump to v0.40	2018-10-03 20:56:46 +02:00
Stanislav Kholmanskikh	401ccd4b14	Correct aarch64 KPTI dmesg message As it's seen in unmap_kernel_at_el0 (both the function definition and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c the kernel reports this string: CPU features: detected: Kernel page table isolation (KPTI) or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature" in reports")): CPU features: detected feature: Kernel page table isolation (KPTI) if KPTI is enabled on the system. So on let's adjust check_variant3_linux() to make it grep these strings if executed on an aarch64 platform. Tested on a Cavium ThunderX2 machine. Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>	2018-10-03 20:49:55 +02:00
Stanislav Kholmanskikh	55120839dd	Fix a typo in check_variant3_linux() Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>	2018-10-03 20:49:55 +02:00
Stéphane Lesimple	f5106b3c02	update MCEDB from v83 to v84 (no actual change)	2018-09-30 16:57:35 +02:00
Stéphane Lesimple	68289dae1e	feat: add --update-builtin-mcedb to update the DB inside the script	2018-09-30 16:56:58 +02:00
Stéphane Lesimple	3b2d529654	feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH)	2018-09-29 13:16:07 +02:00
Stéphane Lesimple	cbb18cb6b6	fix(l1tf): properly detect status under Red Hat/CentOS kernels	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	299103a3ae	some fixes when script is not started as root	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	dc5402b349	chore: speed optimization of hw check and indentation fixes	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	90c2ae5de2	feat: use the MCExtractor DB as the reference for the microcode versions Use platomav's MCExtractor DB as the reference to decide whether our CPU microcode is the latest or not. We have a builtin version of the DB in the script, but an updated version can be fetched and stored locally with --update-mcedb	2018-09-29 13:01:13 +02:00
Michael Lass	53d6a44754	Fix detection of CVE-2018-3615 (L1TF_SGX) (#253 ) * Add another location of Arch Linux ARM kernel * Fix detection of CVE-2018-3615 We change the value of variantl1tf in the line directly before so its value will never be "immune". Instead we can directly use the value of variantl1tf to initialize variantl1tf_sgx.	2018-09-29 11:35:10 +02:00
Stéphane Lesimple	297d890ce9	fix ucode version check regression introduced by `fbbb19f` under BSD	2018-09-23 15:00:39 +02:00
Stéphane Lesimple	0252e74f94	feat(bsd): implement CVE-2018-3620 and CVE-2018-3646 mitigation detection	2018-09-22 12:26:56 +02:00
Nicolas Sauzede	fbbb19f244	Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. (#246 ) * Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. When running whithin a virtual machine, it seems like $procfs/cpuinfo doesn't contain a 'microcode' line, which triggers a script runtime error. Fall back to '0x0' in this case, as other part of the script seems to already this as a default value anyway. * Double quote to prevent globbing and word splitting.	2018-09-19 22:00:59 +02:00
Stéphane Lesimple	1571a56ce2	feat: add L1D flush cpuid feature bit detection	2018-09-19 09:05:23 +02:00
Stéphane Lesimple	3cf9141601	fix: don't display summary if no CVE was tested (e.g. --hw-only)	2018-09-19 09:04:52 +02:00
Stéphane Lesimple	bff38f1b26	BSD: add not-implemented-yet notice for Foreshadow-NG	2018-09-18 22:06:01 +02:00
Stéphane Lesimple	b419fe7c63	feat(variant4): properly detect SSBD under BSD	2018-09-18 22:00:32 +02:00
alexvong1995	f193484a4a	chore: fix deprecated SPDX license identifier (#249 ) (#251 ) The SPDX license identifier 'GPL-3.0' has been deprecated according to <https://spdx.org/licenses/GPL-3.0.html>.	2018-09-18 20:00:53 +02:00
Laszlo Toth	349d77b3b6	Fix kernel detection when /lib/kernel exists on a distro (#252 ) Commit `b48b2177b7` ("feat: Add Clear Linux Distro (#244)") broke kernel detection for distros using that directory for other purposes than storing the kernel image. Example: # pacman -Qo /lib/kernel /usr/lib/kernel/ is owned by mkinitcpio 24-2 /usr/lib/kernel/ is owned by systemd 239.2-1 Signed-off-by: Laszlo Toth <laszlth@gmail.com>	2018-09-18 20:00:20 +02:00
Stéphane Lesimple	e589ed7f02	fix: don't test SGX again in check_CVE_2018_3615, already done by is_cpu_vulnerable	2018-09-17 22:28:04 +02:00
Stéphane Lesimple	ae1206288f	fix: remove some harcoded /proc paths, use $procfs instead	2018-09-17 22:26:20 +02:00
Stéphane Lesimple	b44d2b5470	chore: remove 'experimental' notice of Foreshadow from README	2018-09-17 21:48:20 +02:00
Stéphane Lesimple	7b72c20f89	feat(l1tf): explode L1TF in its 3 distinct CVEs	2018-09-17 21:44:48 +02:00
Luis Ponce	b48b2177b7	feat: Add Clear Linux Distro (#244 ) Add path of Clear Linux kernel binary and kernel config file.	2018-09-15 15:51:49 +02:00
Pierre Gaxatte	8f31634df6	feat(batch): Add a batch short option for one line result (#243 ) When using this script on a large amount a machine (via clustershell or instance) it can be easier to have a very short result on one line showing only the vulnerabilities	2018-09-15 15:45:10 +02:00
Luis Ponce	96798b1932	chore: add SPDX GPL-3.0 license identifier (#245 ) The spectre-meltdown-checker.sh file is missing licensing information. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text.	2018-09-15 15:33:41 +02:00
Stéphane Lesimple	687ce1a7fa	fix: load cpuid module if absent even when /dev/cpu/0/cpuid is there	2018-09-08 23:15:50 +02:00
Stéphane Lesimple	80e0db7cc4	fix: don't show erroneous ucode version when latest version is unknown (fixes #238 )	2018-08-28 20:51:46 +02:00
David Guglielmi	e8890ffac6	feat(config): support for genkernel kernel config file (#239 ) Add support for distributions using genkernel.	2018-08-28 20:24:37 +02:00
Stéphane Lesimple	b2f64e1132	fix README after merge	2018-08-18 12:09:34 +02:00
unrealization	42a3a61f1d	Slightly improved Docker configuration (#230 ) * Listed the required volumes in the Dockerfile. * Added docker-compose.yml for convenience as users won't need to manually specify volumes and stuff when running through docker-compose. Adjusted README.md to reflect this change.	2018-08-18 12:06:16 +02:00
Karsten Weiss	afb36c519d	Fix typo: 'RBS filling' => 'RSB filling' (#237 )	2018-08-18 12:05:17 +02:00
Stéphane Lesimple	0009c0d473	fix: --batch now implies --no-color to avoid colored warnings	2018-08-18 12:04:18 +02:00
Stéphane Lesimple	dd67fd94d7	feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation)	2018-08-16 19:05:09 +02:00
Stéphane Lesimple	339ad31757	fix: add missing l1tf CPU vulnerability display in hw section	2018-08-16 15:19:29 +02:00
Stéphane Lesimple	794c5be1d2	feat: add optional git describe support to display inter-release version numbers	2018-08-16 15:18:47 +02:00
Stéphane Lesimple	a7afc585a9	fix several incorrect ucode version numbers	2018-08-16 10:51:55 +02:00
Stéphane Lesimple	fc1dffd09a	feat: implement detection of latest known versions of intel microcodes	2018-08-15 12:53:49 +02:00
Stéphane Lesimple	e942616189	feat: initial support for L1TF	2018-08-15 12:05:08 +02:00