peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-07-15 15:21:23 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: peter:v0.43
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01
..
compare: peter:v0.44
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01

24 Commits
v0.43 ... v0.44

Author SHA1 Message Date
Stéphane Lesimple
7fc2ec65b9 bump to v0.44 2020-11-09 18:41:43 +01:00
Stéphane Lesimple
c8cdfd54da chore: fwdb: update to v165.20201021+i20200616 2020-11-08 21:25:18 +01:00
Stéphane Lesimple
f0c33c7a32 fix: fwdb: use the commit date as the intel fwdb version 
fixes #379
 2020-11-08 21:25:18 +01:00
Stéphane Lesimple
9e874397da chore: fwdb: update to v163.20200930+i20200904 2020-10-05 20:06:49 +02:00
Stéphane Lesimple
76cb73f3cb fix: fwdb: update Intel's repository URL 2020-10-05 20:06:49 +02:00
Stéphane Lesimple
90f23d286e chore: update fwdb to v160.20200912+i20200722 2020-09-14 21:45:09 +02:00
Stéphane Lesimple
e41e311a7f feat: add zstd kernel decompression (#370) 2020-09-14 21:42:55 +02:00
Stéphane Lesimple
1f75f01630 fwdb: update MCEdb to v148 & Intel firmwares to 2020-04-27 2020-06-13 18:11:12 +02:00
Stéphane Lesimple
14a53b19da chore: add CVE to the README 2020-06-10 00:07:14 +02:00
Stéphane Lesimple
d8f0ddd7a5 chore: fix indentation 2020-06-10 00:07:14 +02:00
Agata Gruza
62d3448a54 Added support for SRBDS related vulnerabilities 2020-06-10 00:07:14 +02:00
Stéphane Lesimple
cb6d139629 chore: tests: now expect 15 CVEs instead of 14 (fix) 2020-06-09 22:56:25 +02:00
Stéphane Lesimple
7e2db09ed9 chore: tests: now expect 15 CVEs instead of 14 2020-06-09 22:51:50 +02:00
Stéphane Lesimple
33cf1cde79 enh: arm: add experimental support for binary arm images 2020-06-06 17:29:32 +02:00
Stéphane Lesimple
4a3006e196 fix: arm64: cve-2017-5753: kernels 4.19+ use a different nospec macro 2020-06-06 17:29:32 +02:00
Stéphane Lesimple
36f98eff95 fwdb: update MCEdb to v147 & Intel firmwares to 2020-04-27 2020-05-31 13:03:58 +02:00
xaitax
fa7b8f9567 Typo 2020-05-08 16:17:09 +02:00
Stéphane Lesimple
3beefc2587 enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode 2020-03-10 22:29:54 +01:00
Stéphane Lesimple
27c36fdb80 fwdb: update to v135.20200303+i20200205 2020-03-10 22:29:39 +01:00
Matt Christian
3d21dae168 Fixes for FreeBSD to parse CPU info. 2020-02-06 19:56:35 +01:00
Stéphane Lesimple
7d2a510146 chore: update fwdb to v132.20200108+i20191124 2020-02-01 18:58:25 +01:00
Stéphane Lesimple
a1a35c9b35 chore: github: add check run on pull requests 2020-01-10 13:19:36 +01:00
Stéphane Lesimple
eec77e1ab9 fix: fwdb update: remove Intel extract tempdir on exit 2019-12-10 20:21:52 +01:00
Stéphane Lesimple
5633d374de fix: has_vmm: ignore kernel threads when looking for a hypervisor (fixes #278) 2019-12-10 19:10:45 +01:00
3 changed files with 424 additions and 89 deletions
Expand all files Collapse all files

27
.github/workflows/check.yml vendored
View File

@ -1,6 +1,6 @@
name: CI
on: [push]
on: [push, pull_request]
jobs:
build:
@ -10,7 +10,7 @@ jobs:
steps:
- uses: actions/checkout@v1
- name: install prerequisites
run: sudo apt-get install -y shellcheck jq
run: sudo apt-get update && sudo apt-get install -y shellcheck jq sqlite3 iucode-tool
- name: shellcheck
run: shellcheck -s sh spectre-meltdown-checker.sh
- name: check indentation
@ -24,7 +24,7 @@ jobs:
fi
- name: check direct execution
run: |
expected=14
expected=15
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected"
@ -34,7 +34,7 @@ jobs:
fi
- name: check docker-compose run execution
run: |
expected=14
expected=15
docker-compose build
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then
@ -45,7 +45,7 @@ jobs:
fi
- name: check docker run execution
run: |
expected=14
expected=15
docker build -t spectre-meltdown-checker .
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then
@ -54,3 +54,20 @@ jobs:
else
echo "OK $nb CVEs reported"
fi
- name: check fwdb update
run: |
nbtmp1=$(find /tmp 2>/dev/null | wc -l)
./spectre-meltdown-checker.sh --update-fwdb; ret=$?
if [ "$ret" != 0 ]; then
echo "Non-zero return value: $ret"
exit 1
fi
nbtmp2=$(find /tmp 2>/dev/null | wc -l)
if [ "$nbtmp1" != "$nbtmp2" ]; then
echo "Left temporary files!"
exit 1
fi
if ! [ -e ~/.mcedb ]; then
echo "No .mcedb file found after updating fwdb"
exit 1
fi

9
README.md
View File

@ -16,6 +16,7 @@ A shell script to tell if your system is vulnerable against the several "specula
- CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL'
- CVE-2019-11135 [TSX asynchronous abort] aka 'TAA' aka 'ZombieLoad V2'
- CVE-2018-12207 [machine check exception on page size changes (MCEPSC)] aka 'No eXcuses' aka 'iTLB Multihit'
- CVE-2020-0543 [Special Register Buffer Data Sampling (SRBDS)]
Supported operating systems:
- Linux (all versions, flavors and distros)
@ -159,9 +160,15 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
- Mitigation: disable hugepages use in hypervisor, or update hypervisor to benefit from mitigation
- Performance impact of the mitigation: low to significant
**CVE-2020-0543** Special Register Buffer Data Sampling (SRBDS)
- Impact: Kernel
- Mitigation: microcode update + kernel update helping to protect various CPU internal buffers from unprivileged speculative access to data
- Performance impact of the mitigation: low
## Understanding what this script does and doesn't
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
This tool does its best to determine whether your system is affected (or has proper mitigations in place) by the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known mitigations in place.
However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable, except some specific/old models, such as some early Atoms. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.

477
spectre-meltdown-checker.sh
View File

@ -1,5 +1,6 @@
#! /bin/sh
# SPDX-License-Identifier: GPL-3.0-only
# vim: set ts=8 sw=8 sts=4 noet:
#
# Spectre & Meltdown checker
#
@ -11,7 +12,7 @@
#
# Stephane Lesimple
#
VERSION='0.43'
VERSION='0.44'
trap 'exit_cleanup' EXIT
trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
@ -22,7 +23,7 @@ exit_cleanup()
[ -n "$kerneltmp" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
[ -n "$kerneltmp2" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
[ -n "$mcedb_tmp" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
[ -n "$intel_tmp" ] && [ -f "$intel_tmp" ] && rm -rf "$intel_tmp"
[ -n "$intel_tmp" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
[ "$mounted_debugfs" = 1 ] && umount /sys/kernel/debug 2>/dev/null
[ "$mounted_procfs" = 1 ] && umount "$procfs" 2>/dev/null
[ "$insmod_cpuid" = 1 ] && rmmod cpuid 2>/dev/null
@ -84,7 +85,7 @@ show_usage()
--batch prometheus produce output for consumption by prometheus-node-exporter
--variant VARIANT specify which variant you'd like to check, by default all variants are checked
VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc
VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc, srbds
can be specified multiple times (e.g. --variant 2 --variant 3)
--cve [cve1,cve2,...] specify which CVE you'd like to check, by default all supported CVEs are checked
--hw-only only check for CPU information, don't check for any variant
@ -163,7 +164,7 @@ global_critical=0
global_unknown=0
nrpe_vuln=''
supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207'
supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207 CVE-2020-0543'
# find a sane command to print colored messages, we prefer `printf` over `echo`
# because `printf` behavior is more standard across Linux/BSD
@ -287,6 +288,7 @@ cve2name()
CVE-2019-11091) echo "RIDL, microarchitectural data sampling uncacheable memory (MDSUM)";;
CVE-2019-11135) echo "ZombieLoad V2, TSX Asynchronous Abort (TAA)";;
CVE-2018-12207) echo "No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)";;
CVE-2020-0543) echo "Special Register Buffer Data Sampling (SRBDS)";;
*) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;;
esac
}
@ -310,6 +312,7 @@ _is_cpu_vulnerable_cached()
CVE-2019-11091) return $variant_mdsum;;
CVE-2019-11135) return $variant_taa;;
CVE-2018-12207) return $variant_itlbmh;;
CVE-2020-0543) return $variant_srbds;;
*) echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2; exit 255;;
esac
}
@ -338,6 +341,7 @@ is_cpu_vulnerable()
variant_mdsum=''
variant_taa=''
variant_itlbmh=''
variant_srbds=''
if is_cpu_mds_free; then
[ -z "$variant_msbds" ] && variant_msbds=immune
@ -352,6 +356,11 @@ is_cpu_vulnerable()
_debug "is_cpu_vulnerable: cpu not affected by TSX Asynhronous Abort"
fi
if is_cpu_srbds_free; then
[ -z "$variant_srbds" ] && variant_srbds=immune
_debug "is_cpu_vulnerable: cpu not affected by Special Register Buffer Data Sampling"
fi
if is_cpu_specex_free; then
variant1=immune
variant2=immune
@ -364,12 +373,13 @@ is_cpu_vulnerable()
variant_mlpds=immune
variant_mdsum=immune
variant_taa=immune
variant_srbds=immune
elif is_intel; then
# Intel
# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not vulnerable
# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown vulnerable
# model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
if grep -qE '^model name.+ Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K? ' "$procfs/cpuinfo"; then
if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
variant1=vuln
[ -z "$variant2" ] && variant2=immune
variant3=vuln
@ -594,8 +604,9 @@ is_cpu_vulnerable()
[ "$variant_mdsum" = "immune" ] && variant_mdsum=1 || variant_mdsum=0
[ "$variant_taa" = "immune" ] && variant_taa=1 || variant_taa=0
[ "$variant_itlbmh" = "immune" ] && variant_itlbmh=1 || variant_itlbmh=0
[ "$variant_srbds" = "immune" ] && variant_srbds=1 || variant_srbds=0
variantl1tf_sgx="$variantl1tf"
# even if we are vulnerable to L1TF, if there's no SGX, we're safe for the original foreshadow
# even if we are vulnerable to L1TF, if there's no SGX, we're not vulnerable to the original foreshadow
[ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1
_debug "is_cpu_vulnerable: final results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf> <$variantl1tf_sgx>"
is_cpu_vulnerable_cached=1
@ -702,6 +713,64 @@ is_cpu_taa_free()
return 1
}
is_cpu_srbds_free()
{
# return zero (0) if the CPU isn't affected by special register buffer data sampling, one (1) if it is.
# If it's not in the list we know, return one (1).
# source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c
#
# A processor is affected by SRBDS if its Family_Model and stepping is in the
# following list, with the exception of the listed processors
# exporting MDS_NO while Intel TSX is available yet not enabled. The
# latter class of processors are only affected when Intel TSX is enabled
# by software using TSX_CTRL_MSR otherwise they are not affected.
#
# ============= ============ ========
# common name Family_Model Stepping
# ============= ============ ========
# IvyBridge 06_3AH All (INTEL_FAM6_IVYBRIDGE)
#
# Haswell 06_3CH All (INTEL_FAM6_HASWELL)
# Haswell_L 06_45H All (INTEL_FAM6_HASWELL_L)
# Haswell_G 06_46H All (INTEL_FAM6_HASWELL_G)
#
# Broadwell_G 06_47H All (INTEL_FAM6_BROADWELL_G)
# Broadwell 06_3DH All (INTEL_FAM6_BROADWELL)
#
# Skylake_L 06_4EH All (INTEL_FAM6_SKYLAKE_L)
# Skylake 06_5EH All (INTEL_FAM6_SKYLAKE)
#
# Kabylake_L 06_8EH <=0xC (MDS_NO) (INTEL_FAM6_KABYLAKE_L)
#
# Kabylake 06_9EH <=0xD (MDS_NO) (INTEL_FAM6_KABYLAKE)
# ============= ============ ========
parse_cpu_details
if is_intel; then
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] || \
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] || \
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || \
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ]; then
return 1
elif [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] && [ "$cpu_stepping" -le 12 ] || \
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] && [ "$cpu_stepping" -le 13 ]; then
if [ "$capabilities_mds_no" -eq 1 ] && { [ "$cpuid_rtm" -eq 0 ] || [ "$tsx_ctrl_msr_rtm_disable" -eq 1 ] ;} ; then
return 0
else
return 1
fi
fi
fi
fi
return 0
}
is_cpu_ssb_free()
{
# return true (0) if the CPU isn't affected by speculative store bypass, false (1) if it does.
@ -788,7 +857,7 @@ update_fwdb()
# second, get the Intel firmwares from GitHub
intel_tmp="$(mktemp -d /tmp/intelfw-XXXXXX)"
intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/master.zip"
intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
_info_nol "Fetching Intel firmwares... "
## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
if command -v wget >/dev/null 2>&1; then
@ -819,6 +888,8 @@ update_fwdb()
echo ERROR "downloaded file seems invalid"
return 1
fi
sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
echo OK "MCExtractor database revision $mcedb_revision dated $mcedb_date"
@ -829,7 +900,7 @@ update_fwdb()
return 1
fi
( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-master/intel-ucode" ]; then
if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
return 1
fi
@ -846,7 +917,7 @@ update_fwdb()
fi
# 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
# 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-master/intel-ucode" | grep -wF sig | while read -r _line
$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
do
_line=$( echo "$_line" | tr -d ',')
_cpuid=$( echo "$_line" | awk '{print $3}')
@ -856,10 +927,17 @@ update_fwdb()
_version=$(echo "$_line" | awk '{print $8}')
_version=$(( _version ))
_version=$(printf "0x%08X" "$_version")
_sqlstm="$(printf "INSERT INTO Intel (cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\");" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
_sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
sqlite3 "$mcedb_tmp" "$_sqlstm"
done
_intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel ORDER BY yyyymmdd DESC LIMIT 1;")
_intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
if [ -n "$_intel_timestamp" ]; then
# use this date, it matches the last commit date
_intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
else
echo "Falling back to the latest microcode date"
_intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
fi
echo DONE "(version $_intel_latest_date)"
dbdate=$(echo "$mcedb_date" | tr -d '/')
@ -1041,8 +1119,9 @@ while [ -n "$1" ]; do
l1tf) opt_cve_list="$opt_cve_list CVE-2018-3615 CVE-2018-3620 CVE-2018-3646"; opt_cve_all=0;;
taa) opt_cve_list="$opt_cve_list CVE-2019-11135"; opt_cve_all=0;;
mcepsc) opt_cve_list="$opt_cve_list CVE-2018-12207"; opt_cve_all=0;;
srbds) opt_cve_list="$opt_cve_list CVE-2020-0543"; opt_cve_all=0;;
*)
echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa or mcepsc" >&2;
echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc or srbds" >&2;
exit 255
;;
esac
@ -1129,6 +1208,7 @@ pvulnstatus()
CVE-2019-11091) aka="MDSUM";;
CVE-2019-11135) aka="TAA";;
CVE-2018-12207) aka="ITLBMH";;
CVE-2020-0543) aka="SRBDS";;
*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
esac
@ -1199,13 +1279,21 @@ check_kernel()
_mode="$2"
# checking the return code of readelf -h is not enough, we could get
# a damaged ELF file and validate it, check for stderr warnings too
_readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | tr "\n" "/"); ret=$?
# the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
_readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
_readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
_kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
_debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
if [ "$_mode" = desperate ]; then
if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
_debug "check_kernel (desperate): ... matched!"
if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
_debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
objdump_options="-D -b binary -marm"
else
objdump_options="-d"
fi
return 0
else
_debug "check_kernel (desperate): ... invalid"
@ -1214,6 +1302,7 @@ check_kernel()
if [ $ret -eq 0 ] && [ -z "$_readelf_warnings" ] && [ "$_readelf_sections" -gt 0 ]; then
if [ "$_kernel_size" -ge 100000 ]; then
_debug "check_kernel: ... file is valid"
objdump_options="-d"
return 0
else
_debug "check_kernel: ... file seems valid but is too small, ignoring"
@ -1296,6 +1385,7 @@ extract_kernel()
try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0
try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0
done
done
kernel_err="kernel compression format is unknown or image is invalid"
@ -1487,7 +1577,13 @@ parse_cpu_details()
cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
else
cpu_friendly_name=$(sysctl -n hw.model)
cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
cpu_family=$(( cpu_family ))
cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
cpu_model=$(( cpu_model ))
cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
fi
if [ -n "$SMC_MOCK_CPU_FRIENDLY_NAME" ]; then
@ -1562,7 +1658,7 @@ parse_cpu_details()
fi
echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
ucode_found=$(printf "model 0x%x family 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_model" "$cpu_family" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
# also define those that we will need in other funcs
# taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h
@ -2022,6 +2118,8 @@ if [ "$opt_live" = 1 ]; then
if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
opt_kernel="$custom_arch_kernel"
fi
# FreeBSD:
[ -e "/boot/kernel/kernel" ] && opt_kernel="/boot/kernel/kernel"
fi
# system.map
@ -2969,6 +3067,37 @@ check_cpu()
pstatus green NO
fi
_info_nol " * CPU supports Special Register Buffer Data Sampling (SRBDS): "
# A processor supports SRBDS if it enumerates CPUID (EAX=7H,ECX=0):EDX[9] as 1
# That means the mitigation disabling SRBDS exists
ret=1
cpuid_srbds=0
srbds_on=0
if is_intel; then
read_cpuid 0x7 $EDX 9 1 1; ret=$?
fi
if [ $ret -eq 0 ]; then
pstatus blue YES
cpuid_srbds=1
read_msr 0x123 0; ret=$?
if [ $ret -eq 0 ]; then
if [ $read_msr_value -eq 0 ]; then
#SRBDS mitigation control exists and is enabled via microcode
srbds_on=1
else
#SRBDS mitigation control exists but is disabled via microcode
srbds_on=0
fi
else
srbds_on=-1
fi
elif [ $ret -eq 2 ]; then
pstatus yellow UNKNOWN "is cpuid kernel module available?"
cpuid_srbds=0
else
pstatus green NO
fi
_info_nol " * CPU microcode is known to cause stability problems: "
if is_ucode_blacklisted; then
pstatus red YES "$ucode_found"
@ -3051,10 +3180,22 @@ check_has_vmm()
if command -v pgrep >/dev/null 2>&1; then
# remove xenbus and xenwatch, also present inside domU
# remove libvirtd as it can also be used to manage containers and not VMs
if pgrep qemu >/dev/null || pgrep kvm >/dev/null || \
pgrep xenstored >/dev/null || pgrep xenconsoled >/dev/null; then
has_vmm=1
fi
# for each binary we want to grep, get the pids
for _binary in qemu kvm xenstored xenconsoled
do
for _pid in $(pgrep $_binary)
do
# resolve the exe symlink, if it doesn't resolve with -m,
# which doesn't even need the dest to exist, it means the symlink
# is null, which is the case for kernel threads: ignore those to
# avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7)
if ! [ "$(readlink -m "/proc/$_pid/exe")" = "/proc/$_pid/exe" ]; then
_debug "has_vmm: found PID $_pid"
has_vmm=1
fi
done
done
unset _binary _pid
else
# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
# shellcheck disable=SC2009
@ -3154,7 +3295,7 @@ check_CVE_2017_5753_linux()
pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
v1_mask_nospec="x86 32 bits array_index_mask_nospec"
else
ret=$("${opt_arch_prefix}objdump" -d "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
if [ "$ret" -gt 0 ]; then
pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
v1_mask_nospec="arm 32 bits array_index_mask_nospec"
@ -3203,7 +3344,7 @@ check_CVE_2017_5753_linux()
elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
else
"${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
"${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
if [ "$ret" -eq 9 ]; then
pstatus green YES "mask_nospec64 macro is present and used"
v1_mask_nospec="arm64 mask_nospec64"
@ -3212,6 +3353,33 @@ check_CVE_2017_5753_linux()
fi
fi
_info_nol "* Kernel has array_index_nospec (arm64): "
# in 4.19+ kernels, the mask_nospec64 asm64 macro is replaced by array_index_nospec, defined in nospec.h, and used in invoke_syscall()
# ffffff8008090a4c: 2a0203e2 mov w2, w2
# ffffff8008090a50: eb0200bf cmp x5, x2
# ffffff8008090a54: da1f03e2 ngc x2, xzr
# ffffff8008090a58: d503229f hint #0x14
# /!\ can also just be "csdb" instead of "hint #0x14" for native objdump
#
# if we have v1_mask_nospec or redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no.
if [ -n "$v1_mask_nospec" ] || [ "$redhat_canonical_spectre" -gt 0 ]; then
pstatus yellow NO
elif [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
elif ! command -v perl >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
else
"${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
if [ "$ret" -eq 9 ]; then
pstatus green YES "array_index_nospec macro is present and used"
v1_mask_nospec="arm64 array_index_nospec"
else
pstatus yellow NO
fi
fi
if [ "$opt_verbose" -ge 2 ] || { [ -z "$v1_mask_nospec" ] && [ "$redhat_canonical_spectre" != 1 ] && [ "$redhat_canonical_spectre" != 2 ]; }; then
# this is a slow heuristic and we don't need it if we already know the kernel is patched
# but still show it in verbose mode
@ -3229,7 +3397,7 @@ check_CVE_2017_5753_linux()
# so let's push the threshold to 70.
# v0.33+: now only count lfence opcodes after a jump, way less error-prone
# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
nb_lfence=$("${opt_arch_prefix}objdump" -d "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
if [ "$nb_lfence" -lt 30 ]; then
pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
else
@ -3662,16 +3830,25 @@ check_CVE_2017_5715_linux()
if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
_info_nol " * Kernel supports RSB filling: "
if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
elif [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
else
rsb_filling=$("${opt_arch_prefix}strings" "$kernel" | grep -w 'Filling RSB on context switch')
if [ -n "$rsb_filling" ]; then
rsb_filling=0
if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
# if we're live and we aren't denied looking into /sys, let's do it
if echo "$msg" | grep -qw RSB; then
rsb_filling=1
pstatus green YES
fi
fi
if [ "$rsb_filling" = 0 ]; then
if [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
else
pstatus yellow NO
if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
rsb_filling=1
pstatus green YES
else
rsb_filling=0
pstatus yellow NO
fi
fi
fi
fi
@ -3686,9 +3863,9 @@ check_CVE_2017_5715_linux()
# override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
else
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$ibpb_enabled" ] && [ "$ibpb_enabled" -ge 1 ] && ( ! is_vulnerable_to_empty_rsb || [ -n "$rsb_filling" ] ); then
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$ibpb_enabled" ] && [ "$ibpb_enabled" -ge 1 ] && ( ! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ] ); then
pvulnstatus $cve OK "Full retpoline + IBPB are mitigating the vulnerability"
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && ( ! is_vulnerable_to_empty_rsb || [ -n "$rsb_filling" ] ); then
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && ( ! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ] ); then
pvulnstatus $cve OK "Full retpoline is mitigating the vulnerability"
if [ -n "$cpuid_ibpb" ]; then
_warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation"
@ -4800,16 +4977,12 @@ check_mds_bsd()
kernel_md_clear=0
fi
else
if command -v "strings" >/dev/null 2>&1; then
if strings /boot/kernel/kernel | grep -Fq hw.mds_disable; then
pstatus green YES
kernel_md_clear=1
else
kernel_md_clear=0
pstatus yellow NO
fi
if grep -Fq hw.mds_disable $opt_kernel; then
pstatus green YES
kernel_md_clear=1
else
pstatus yellow UNKNOWN
kernel_md_clear=0
pstatus yellow NO
fi
fi
@ -4864,7 +5037,7 @@ check_mds_bsd()
if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but your must disable SMT (Hyper-Threading) for a complete mitigation"
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation"
fi
else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
@ -4962,7 +5135,7 @@ check_mds_linux()
mymsg="Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
else
mystatus=VULN
mymsg="Your microcode and kernel are both up to date for this mitigation, but your must disable SMT (Hyper-Threading) for a complete mitigation"
mymsg="Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation"
fi
else
mystatus=VULN
@ -5187,6 +5360,116 @@ check_CVE_2018_12207_linux()
fi
}
###################
# SRBDS SECTION
# Special Register Buffer Data Sampling (SRBDS)
check_CVE_2020_0543()
{
cve='CVE-2020-0543'
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
if [ "$os" = Linux ]; then
check_CVE_2020_0543_linux
else
_warn "Unsupported OS ($os)"
fi
}
check_CVE_2020_0543_linux()
{
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/srbds"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
fi
if [ "$opt_sysfs_only" != 1 ]; then
_info_nol "* SRBDS mitigation control is supported by the kernel: "
kernel_srbds=''
if [ -n "$kernel_err" ]; then
kernel_srbds_err="$kernel_err"
elif grep -q 'Dependent on hypervisor' "$kernel"; then
kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
fi
if [ -n "$kernel_srbds" ]; then
pstatus green YES "$kernel_srbds"
elif [ -n "$kernel_srbds_err" ]; then
pstatus yellow UNKNOWN "$kernel_srbds_err"
else
pstatus yellow NO
fi
_info_nol "* SRBDS mitigation control is enabled and active: "
if [ "$opt_live" = 1 ]; then
if [ -n "$fullmsg" ]; then
if echo "$fullmsg" | grep -qE '^Mitigation'; then
pstatus green YES "$fullmsg"
else
pstatus yellow NO
fi
else
pstatus yellow NO "SRBDS not found in sysfs hierarchy"
fi
else
pstatus blue N/A "not testable in offline mode"
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_vulnerable "$cve" ; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
else
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$cpuid_srbds" = 1 ]; then
# SRBDS mitigation control exists
if [ "$srbds_on" = 1 ]; then
# SRBDS mitigation control is enabled
if [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
fi
else
if [ -n "$kernel_srbds" ]; then
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"
else
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
fi
fi
elif [ "$srbds_on" = 0 ]; then
# SRBDS mitigation control is disabled
if [ -z "$msg" ]; then
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
fi
else
if [ -n "$kernel_srbds" ]; then
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is disabled"
else
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
fi
fi
else
# rdmsr: CPU 0 cannot read MSR 0x00000123
pvulnstatus "$cve" UNK "Not able to enumerate MSR for SRBDS mitigation control"
fi
else
# [ $cpuid_srbds != 1 ]
pvulnstatus "$cve" VULN "Your CPU microcode may need to be updated to mitigate the vulnerability"
fi
else
# sysfs only: return the status/msg we got
pvulnstatus "$cve" "$status" "$fullmsg"
return
fi
fi
}
#######################
# END OF VULNS SECTIONS
@ -5279,7 +5562,7 @@ exit 0 # ok
# The builtin version follows, but the user can download an up-to-date copy (to be stored in his $HOME) by using --update-fwdb
# To update the builtin version itself (by *modifying* this very file), use --update-builtin-fwdb
# %%% MCEDB v130.20191104+i20191027
# %%% MCEDB v165.20201021+i20200616
# I,0x00000611,0x00000B27,19961218
# I,0x00000612,0x000000C6,19961210
# I,0x00000616,0x000000C6,19961210
@ -5438,8 +5721,8 @@ exit 0 # ok
# I,0x000206D2,0x9584020C,20110622
# I,0x000206D3,0x80000304,20110420
# I,0x000206D5,0x00000513,20111013
# I,0x000206D6,0x0000061F,20190521
# I,0x000206D7,0x00000718,20190521
# I,0x000206D6,0x00000621,20200304
# I,0x000206D7,0x0000071A,20200324
# I,0x000206E0,0xE3493401,20090108
# I,0x000206E1,0xE3493402,20090224
# I,0x000206E2,0xFFFF0004,20081001
@ -5457,9 +5740,9 @@ exit 0 # ok
# I,0x00030669,0x0000010D,20130515
# I,0x00030671,0x00000117,20130410
# I,0x00030672,0x0000022E,20140401
# I,0x00030673,0x00000326,20180110
# I,0x00030673,0x83290100,20190916
# I,0x00030678,0x00000838,20190422
# I,0x00030679,0x0000090C,20190423
# I,0x00030679,0x0000090D,20190710
# I,0x000306A0,0x00000007,20110407
# I,0x000306A2,0x0000000C,20110725
# I,0x000306A4,0x00000007,20110908
@ -5470,11 +5753,11 @@ exit 0 # ok
# I,0x000306C0,0xFFFF0013,20111110
# I,0x000306C1,0xFFFF0014,20120725
# I,0x000306C2,0xFFFF0006,20121017
# I,0x000306C3,0x00000027,20190226
# I,0x000306C3,0x00000028,20191112
# I,0x000306D1,0xFFFF0009,20131015
# I,0x000306D2,0xFFFF0009,20131219
# I,0x000306D3,0xE3121338,20140825
# I,0x000306D4,0x0000002E,20190613
# I,0x000306D4,0x0000002F,20191112
# I,0x000306E0,0x00000008,20120726
# I,0x000306E2,0x0000020D,20130321
# I,0x000306E3,0x00000308,20130321
@ -5483,15 +5766,15 @@ exit 0 # ok
# I,0x000306E7,0x00000715,20190314
# I,0x000306F0,0xFFFF0017,20130730
# I,0x000306F1,0x00000014,20140110
# I,0x000306F2,0x00000043,20190301
# I,0x000306F2,0x00000044,20200527
# I,0x000306F3,0x0000000D,20160211
# I,0x000306F4,0x00000016,20190617
# I,0x00040650,0xFFFF000B,20121206
# I,0x00040651,0x00000025,20190226
# I,0x00040651,0x00000026,20191112
# I,0x00040660,0xFFFF0011,20121012
# I,0x00040661,0x0000001B,20190226
# I,0x00040661,0x0000001C,20191112
# I,0x00040670,0xFFFF0006,20140304
# I,0x00040671,0x00000021,20190613
# I,0x00040671,0x00000022,20191112
# I,0x000406A0,0x80124001,20130521
# I,0x000406A8,0x0000081F,20140812
# I,0x000406A9,0x0000081F,20140812
@ -5503,18 +5786,19 @@ exit 0 # ok
# I,0x000406D8,0x0000012D,20190916
# I,0x000406E1,0x00000020,20141111
# I,0x000406E2,0x0000002C,20150521
# I,0x000406E3,0x000000D6,20191003
# I,0x000406E3,0x000000E2,20200714
# I,0x000406E8,0x00000026,20160414
# I,0x000406F0,0x00000014,20150702
# I,0x000406F1,0x0B000038,20190618
# I,0x00050650,0x8000002B,20160208
# I,0x00050651,0x8000002B,20160208
# I,0x00050652,0x80000037,20170502
# I,0x00050653,0x01000151,20190909
# I,0x00050654,0x02000065,20190905
# I,0x00050653,0x01000159,20200618
# I,0x00050654,0x02006A08,20200616
# I,0x00050655,0x03000012,20190412
# I,0x00050656,0x0400002C,20190905
# I,0x00050657,0x0500002C,20190905
# I,0x00050656,0x04003003,20200618
# I,0x00050657,0x05003003,20200618
# I,0x0005065A,0x8600000D,20191108
# I,0x00050661,0xF1000008,20150130
# I,0x00050662,0x0000001C,20190617
# I,0x00050663,0x07000019,20190617
@ -5525,41 +5809,60 @@ exit 0 # ok
# I,0x000506A0,0x00000038,20150112
# I,0x000506C2,0x00000014,20180511
# I,0x000506C8,0x90011010,20160323
# I,0x000506C9,0x0000003C,20190722
# I,0x000506CA,0x0000001A,20190722
# I,0x000506C9,0x00000040,20200227
# I,0x000506CA,0x0000001E,20200227
# I,0x000506D1,0x00000102,20150605
# I,0x000506E0,0x00000018,20141119
# I,0x000506E1,0x0000002A,20150602
# I,0x000506E2,0x0000002E,20150815
# I,0x000506E3,0x000000D6,20191003
# I,0x000506E3,0x000000E2,20200714
# I,0x000506E8,0x00000034,20160710
# I,0x000506F0,0x00000010,20160607
# I,0x000506F1,0x0000002E,20190321
# I,0x000506F1,0x00000032,20200307
# I,0x00060660,0x0000000C,20160821
# I,0x00060661,0x0000000E,20170128
# I,0x00060662,0x00000022,20171129
# I,0x00060663,0x0000002A,20180417
# I,0x000606A0,0x80000031,20200308
# I,0x000606A4,0x8B0001B0,20200413
# I,0x000606A5,0x8C000090,20200412
# I,0x000606E0,0x0000000B,20161104
# I,0x000606E1,0x00000108,20190423
# I,0x000706A0,0x00000026,20170712
# I,0x000706A1,0x00000032,20190828
# I,0x000706A8,0x00000016,20190829
# I,0x000706A1,0x00000034,20200609
# I,0x000706A8,0x00000018,20200609
# I,0x000706E0,0x0000002C,20180614
# I,0x000706E1,0x00000042,20190420
# I,0x000706E2,0x00000042,20190420
# I,0x000706E4,0x00000036,20190718
# I,0x000706E5,0x00000050,20191027
# I,0x000706E3,0x81000008,20181002
# I,0x000706E4,0x00000046,20190905
# I,0x000706E5,0x000000A0,20200730
# I,0x00080650,0x00000018,20180108
# I,0x000806E9,0x000000CA,20191015
# I,0x000806EA,0x000000CA,20191003
# I,0x000806EB,0x000000CA,20191003
# I,0x000806EC,0x000000CA,20191003
# I,0x000906E9,0x000000CA,20191003
# I,0x000906EA,0x000000CA,20191003
# I,0x000906EB,0x000000CA,20191003
# I,0x000906EC,0x000000CA,20191003
# I,0x000906ED,0x000000CA,20191003
# I,0x000A0650,0x000000AE,20190410
# I,0x000A0660,0x000000CA,20191003
# I,0x000806A0,0x00000010,20190507
# I,0x000806A1,0x00000028,20200626
# I,0x000806C0,0x00000068,20200402
# I,0x000806C1,0x00000066,20200925
# I,0x000806D0,0x0000002E,20200709
# I,0x000806E9,0x000000DE,20200527
# I,0x000806EA,0x000000E0,20200617
# I,0x000806EB,0x000000DE,20200603
# I,0x000806EC,0x000000DE,20200518
# I,0x00090660,0x80001001,20190918
# I,0x000906E9,0x000000DE,20200526
# I,0x000906EA,0x000000DE,20200525
# I,0x000906EB,0x000000DE,20200525
# I,0x000906EC,0x000000DE,20200603
# I,0x000906ED,0x000000DE,20200524
# I,0x000A0650,0x000000BE,20191010
# I,0x000A0651,0x000000C2,20191113
# I,0x000A0652,0x000000E0,20200708
# I,0x000A0653,0x000000E0,20200708
# I,0x000A0654,0x000000C6,20200123
# I,0x000A0655,0x000000E2,20200914
# I,0x000A0660,0x000000E0,20200708
# I,0x000A0661,0x000000E0,20200702
# I,0x000A0670,0x00000002,20200304
# I,0x000A0680,0x80000002,20200121
# A,0x00000F00,0x02000008,20070614
# A,0x00000F01,0x0000001C,20021031
# A,0x00000F10,0x00000003,20020325
@ -5628,17 +5931,25 @@ exit 0 # ok
# A,0x00800F00,0x0800002A,20161006
# A,0x00800F10,0x0800100C,20170131
# A,0x00800F11,0x08001138,20190204
# A,0x00800F12,0x08001250,20190416
# A,0x00800F12,0x0800126C,20200619
# A,0x00800F82,0x0800820D,20190416
# A,0x00810F00,0x08100004,20161120
# A,0x00810F10,0x08101016,20190430
# A,0x00810F11,0x08101102,20181106
# A,0x00810F11,0x08101103,20190417
# A,0x00810F80,0x08108002,20180605
# A,0x00810F81,0x08108109,20190417
# A,0x00820F00,0x08200002,20180214
# A,0x00820F01,0x08200103,20190417
# A,0x00830F00,0x08300027,20190401
# A,0x00830F10,0x08301025,20190711
# A,0x00860F00,0x08600004,20190620
# A,0x00830F10,0x08301039,20200207
# A,0x00850F00,0x08500004,20180212
# A,0x00860F00,0x0860000E,20200127
# A,0x00860F01,0x08600106,20200619
# A,0x00860F81,0x08608102,20200617
# A,0x00870F00,0x08700004,20181206
# A,0x00870F10,0x08701013,20190611
# A,0x00870F10,0x08701021,20200125
# A,0x00A00F00,0x0A000033,20200413
# A,0x00A00F10,0x0A00100F,20200624
# A,0x00A20F00,0x0A200025,20200121
# A,0x00A20F10,0x0A201009,20200821
# A,0x00A50F00,0x0A50000B,20200821