44 Commits
v0.40 ... v0.42

Author SHA1 Message Date
fcc4ff4de2 update MCEdb from v110 to v111, bump to v0.42 2019-05-24 22:49:45 +02:00
0bd38ddda0 enh: -v -v now implies --dump-mock-data 2019-05-24 11:36:39 +02:00
e83dc818cd feat(mds): implement FreeBSD mitigation detection 2019-05-24 11:17:04 +02:00
d69ea67101 feat(mock): add --dump-mock-data 2019-05-24 10:49:40 +02:00
dfe0d10f2a fix(mds): remove useless display of MD_CLEAR info in non-hw section 2019-05-24 10:20:48 +02:00
58a5acfdbb fix(bsd): read_msr returned data in an incorrect format 2019-05-24 09:33:56 +02:00
ccb4dbef7c enh(mock): avoid reading the sysfs interface outside sys_interface_check() for higher mocking coverage 2019-05-24 09:28:18 +02:00
afbb26277f feat(mock): add mocking functionality to help reproducing issues under specific CPUs 2019-05-24 09:28:18 +02:00
77b34d48c6 fix(mds): check MDS_NO bit in is_cpu_mds_free() 2019-05-24 09:28:18 +02:00
497efe6a82 fix(l1tf): RDCL_NO bit didn't take precedence for vulnerability check on some Intel CPUs 2019-05-24 09:28:18 +02:00
62b46df4e7 fix(l1tf): remove libvirtd from hypervisor detection (#278) 2019-05-18 14:22:42 +02:00
7d1f269bed fix(mds): AMD confirms they're not vulnerable 2019-05-16 11:31:28 +02:00
4f9ca803c8 Fix help text (#285)
* fix --help message

Commit 7b72c20f89 added help text for the
--cve switch, and the "can be specified multiple times" note got
associated with the --cve switch instead of staying with the --variant
switch.  Restore the line to belong to the --variant switch help
message.

* Add new variants to error message

Commit 8e870db4f5 added new variants but
did not add them to the error message that listed the allowable
variants.  Add them now.
2019-05-15 19:34:51 +02:00
5788cec18b fix(mds): ARM and CAVIUM are not thought to be vulnerable 2019-05-15 10:56:49 +02:00
ae56ec0bc5 bump to v0.41 2019-05-15 09:57:28 +02:00
871443c9db fix typos in README 2019-05-15 00:28:55 +02:00
8fd4e3ab01 fix(xen): remove xenbus and xenwatch as they also exist in domU 2019-05-15 00:23:05 +02:00
de793a7204 feat(mds): more verbose info about kernel support and microcode support for mitigation 2019-05-15 00:21:08 +02:00
11790027d3 feat(mds): add alias ZombieLoad for CVE-2018-12130 2019-05-14 21:42:36 +02:00
5939c38c5c update mcedb from v109 to v110 to better detect MDS microcodes 2019-05-14 20:31:27 +02:00
db7d3206fd feat(mds): add detection of availability of MD_CLEAR instruction 2019-05-14 20:30:47 +02:00
1d13a423b8 adjust README 2019-05-14 20:16:01 +02:00
8e870db4f5 Added support for MDS related vulnerabilities (#282) 2019-05-14 19:21:20 +02:00
d547ce4ab4 fix(ssb): fix error when no process uses prctl to set ssb mitigation
fixes #281
2019-05-13 15:35:58 +02:00
d187827841 enh(vmm): add Xen daemons detection 2019-05-08 20:44:54 +02:00
2e304ec617 enh(xen): improvements for xen systems (#270)
* add mitigation detection for l1tf for xen based systems
* add information for hardware mitigation
* add xen support for meltdown
2019-05-07 20:35:52 +02:00
fcc04437e8 update builtin MCEdb from v96 to v109 2019-05-07 20:29:59 +02:00
d31a9810e6 enhance previous commit logic 2019-05-05 20:09:53 +02:00
4edb867def fix(vmm): revert to checking the running processes to detect a hypervisor
More information available on #278
2019-05-05 20:04:25 +02:00
1264b1c7a3 chore: more shellcheck 0.6 fixes 2019-05-05 18:34:09 +02:00
7beca1ac50 fix: invalid names in json batch mode (fixes #279) 2019-05-05 18:15:41 +02:00
8ad10e15d3 chore: Comply with Shellcheck SC2209 (#280) 2019-05-05 17:31:18 +02:00
bfa4de96e6 enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise
This change ensures we check for SMT and advise the user to disable it for maximum security.
Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261)
2019-04-21 14:05:43 +02:00
b022b27a51 feat(ssbd): in live mode, report whether the mitigation is active (fix #210) 2019-04-20 20:27:45 +02:00
c4bae6ee6a IBRS kernel reported active even if sysfs has "IBRS_FW" only (#275) (#276)
On a (pre-SkyLake) system, where /sys/.../vulnerabilities/spectre_v2 is
"Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling"

the tool, incorrectly, reports, a couple of lines above:
* IBRS enabled and active:  YES  (for kernel and firmware code)

Use '\<IBRS\>', as suggested by @jirislaby, in upstream issue #275
(https://github.com/speed47/spectre-meltdown-checker/issues/275) when
checking whether IBRS is enabled/active for the kernel.

With that, the output becomes:
* IBRS enabled and active:  YES  (for firmware code only)

which is actually the case.

I double checked that, if the same kernel is used on a post-SkyLake
hardware, which on openSUSE uses IBRS as, even with this change, the
tool (this time correctly) reports:
* IBRS enabled and active:  YES  (for kernel and firmware code)
2019-04-20 14:04:29 +02:00
23e7db044e fix(bsd): load vmm if not already loaded, fixes #274
As we read sysctl values under the vmm hierarchy, the module needs to be loaded,
so if not already done, we load it before testing for CVE-2018-3620 and CVE-2018-3646
2019-04-19 19:47:04 +02:00
fc4981bb94 update MCEDB from v84 to v96 2019-01-20 19:52:46 +01:00
419508758e add spectre and meltdown mitigation technologies checking for Hygon CPU (#271)
* add spectre and meltdown mitigation technologies checking for Hygon CPU

* update microarchitecture name for Hygon CPU family 24 with moksha
2019-01-20 19:32:36 +01:00
d7d2e6934b fix: typo in bare metal detection (fixes #269) 2018-12-12 00:24:17 +01:00
Jan
b0083d918e Remove unneeded volumes in Dockerfile (#266) 2018-12-10 19:42:13 +01:00
904a83c675 Fix Arch kernel image detection (#268)
Currently, the script tries to use the wrong kernel image on Arch if an
alternative kernel (hardened, zen, or lts) is in use. Fortunately, all
the Arch kernel packages place a symlink to the kernel image as /usr/lib/modules/$(uname -r)/vmlinuz, so simply removing the guess for Arch fixes the issue.
2018-12-10 19:36:58 +01:00
906f54cf9d Improved hypervisor detection (#259)
* Code consistency

`opt_batch_format="text"` replaced by `opt_batch_format='text'`
`nrpe_vuln='""` replaced by `nrpe_vuln=''`, as used by other parse options

Redundant `! -z` replaced by `-n`, as used elsewhere

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* Improved hypervisor detection

Tests for presence of hypervisor flag in /proc/cpuinfo
Tests for evidence of hypervisor in dmesg

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* formatting fix

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* Set $l1d_mode to -1 in cases where cpu/vulnerabilities/l1tf is not available

(prevents invalid number error when evaluating [ "$l1d_mode" -ge 1 ])

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* Update Intel Atom 6 cpu names to align with kernel

Update processor names of atom 6 family processors to align with those from kernel as of October 2018.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/include/asm/intel-family.h?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e
Update list of known immune processors from
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/arch/x86/kernel/cpu/common.c?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e

* Fix unset $l1d_mode

Another instance of unset l1d_mode causing error "./spectre-meltdown-checker.sh: 3867: [: Illegal number:"

* chore: update readme with brief summary of L1tfs

L1tf mitigation and impact details from

https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html and https://blogs.oracle.com/oraclesecurity/intel-l1tf

* typo
2018-12-10 19:33:07 +01:00
c45a06f414 Warn on missing kernel info (#265)
Missing kernel information can cause all sorts of false positives or
negatives. This is worth at least a warning, and repeating immediately
following the status.
2018-11-25 18:37:03 +01:00
4a6fa070a4 Fix misdetection of files under Clear Linux (#264) 2018-11-25 18:14:04 +01:00
3 changed files with 1016 additions and 256 deletions

View File

@ -5,7 +5,3 @@ RUN apk --update --no-cache add kmod binutils grep perl
COPY . /check
ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]
VOLUME /boot
VOLUME /dev/cpu
VOLUME /lib/modules
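Review bot: dropping the VOLUME declarations changes the behaviour of a run that omits the bind mounts: previously Docker created empty anonymous volumes at /boot, /dev/cpu and /lib/modules, now the container just sees the image's own empty directories. In either case the script has no access to the host kernel image or MSR devices, so the `-v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro ...` invocation in the README is the only way to get correct results; since missing kernel information is exactly what commit c45a06f414 warns yields false positives and negatives, consider stating in the README that those mounts are required rather than optional.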

View File

@ -1,7 +1,7 @@
Spectre & Meltdown Checker
==========================
A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public in 2018.
A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public since 2018.
- CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
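Review bot: the rewritten sentence still says "vulnerable against", which is not idiomatic; since the line is being touched anyway, suggest "vulnerable to the several "speculative execution" CVEs that have been made public since 2018" (present perfect, as the set is still growing, which is the reason for the change).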
@ -10,6 +10,10 @@ A shell script to tell if your system is vulnerable against the several "specula
- CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)'
- CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)'
- CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)'
- CVE-2018-12126 [microarchitectural store buffer data sampling (MSBDS)] aka 'Fallout'
- CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)] aka 'ZombieLoad'
- CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)] aka 'RIDL'
- CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL'
Supported operating systems:
- Linux (all versions, flavors and distros)
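Review bot: the four new MDS entries appear as 12126, 12130, 12127, 11091 rather than in CVE order, and two of them carry the same alias 'RIDL', which reads like a duplicate until the reader reaches the "collectively named MDS" note further down the README. Suggest either sorting by CVE number in both places or adding a short "collectively known as MDS" line after these four entries, mirroring the Note in the detail section.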
@ -110,17 +114,36 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
- Mitigation: microcode update + kernel update making possible for affected software to protect itself
- Performance impact of the mitigation: low to medium
**CVE-2018-3615** l1 terminal fault (Foreshadow)
**CVE-2018-3615** l1 terminal fault (Foreshadow-NG SGX)
- TBC
- Impact: Kernel & all software (any physical memory address in the system)
- Mitigation: microcode update
- Performance impact of the mitigation: negligible
**CVE-2018-3620** l1 terminal fault (Foreshadow-NG)
**CVE-2018-3620** l1 terminal fault (Foreshadow-NG SMM)
- TBC
- Impact: Kernel & System management mode
- Mitigation: updated kernel (with PTE inversion)
- Performance impact of the mitigation: negligible
**CVE-2018-3646** l1 terminal fault (Foreshadow-NG)
**CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM)
- TBC
- Impact: Virtualization software and Virtual Machine Monitors
- Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or updated kernel (with L1d flush)
- Performance impact of the mitigation: low to significant
**CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling (Fallout)
**CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling (ZombieLoad)
**CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling (RIDL)
**CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory (RIDL)
- Note: These 4 CVEs are similar and collectively named "MDS" vulnerabilities, the mitigation is identical for all
- Impact: Kernel
- Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivileged speculative access to data
- Performance impact of the mitigation: low to significant
## Understanding what this script does and doesn't
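Review bot: the new headings disagree with the CVE list at the top of the README: CVE-2018-3615 is 'Foreshadow (SGX)' in the list but 'Foreshadow-NG SGX' here, and CVE-2018-3620 is 'Foreshadow-NG (OS)' in the list but 'Foreshadow-NG SMM' here, while its Impact line says "Kernel & System management mode". Pick one label per CVE and use it in both places. The MDS Note line is also a comma splice; suggest "These 4 CVEs are similar and are collectively named "MDS" vulnerabilities; the mitigation is identical for all."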

File diff suppressed because it is too large