# vim: set ts=4 sw=4 sts=4 et:

#######################
# iTLB Multihit section

# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - entry point
# Hands the CVE id to the generic check_cve driver; that driver is presumably what
# selects check_CVE_2018_12207_linux or check_CVE_2018_12207_bsd below — confirm in check_cve.
check_CVE_2018_12207()
{
    check_cve 'CVE-2018-12207'
}

# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - Linux mitigation check
# Globals read:    VULN_SYSFS_BASE, opt_sysfs_only, opt_live, g_kernel, g_kernel_err,
#                  g_has_vmm, cve, ret_sys_interface_check_status, ret_sys_interface_check_fullmsg
# Outputs:         per-item progress via pr_info_nol/pstatus, final verdict via pvulnstatus
# NOTE(review): 'status' and 'msg' are declared local but the comments in this function
#   assume sys_interface_check can fill them. In bash/POSIX sh a callee's assignment lands
#   in the caller's dynamically-scoped local, so that works — but it means these two names
#   must not be renamed without checking sys_interface_check.
check_CVE_2018_12207_linux()
{
    local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err
    status=UNK
    sys_interface_available=0
    msg=''
    if sys_interface_check "$VULN_SYSFS_BASE/itlb_multihit"; then
        # this kernel has the /sys interface, trust it over everything
        sys_interface_available=1
        status=$ret_sys_interface_check_status
    fi
    if [ "$opt_sysfs_only" != 1 ]; then
        # not restricted to sysfs: run our own heuristics (kernel image + hypervisor detection)
        check_has_vmm
        pr_info_nol "* iTLB Multihit mitigation is supported by kernel: "
        kernel_itlbmh=''
        # kernel_itlbmh_err is deliberately not reset here: it is only assigned when
        # g_kernel_err is set and otherwise stays unset (presumably the function is
        # called at most once per run — verify).
        if [ -n "$g_kernel_err" ]; then
            kernel_itlbmh_err="$g_kernel_err"
        # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
        # A kernel carrying the mitigation embeds the literal 'itlb_multihit' string;
        # g_kernel is expected to be a readable (presumably already decompressed) image —
        # see where g_kernel is set.
        elif grep -q 'itlb_multihit' "$g_kernel"; then
            kernel_itlbmh="found itlb_multihit in kernel image"
        fi
        if [ -n "$kernel_itlbmh" ]; then
            pstatus green YES "$kernel_itlbmh"
        elif [ -n "$kernel_itlbmh_err" ]; then
            pstatus yellow UNKNOWN "$kernel_itlbmh_err"
        else
            pstatus yellow NO
        fi
        pr_info_nol "* iTLB Multihit mitigation enabled and active: "
        if [ "$opt_live" = 1 ]; then
            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
                # Any 'Mitigation' substring in the sysfs text counts as active; every other
                # non-empty value (e.g. a line reporting the system as vulnerable) yields NO.
                # NOTE(review): echo of arbitrary sysfs text is used here; printf '%s\n' would
                # be the safer idiom should the value ever start with '-' or contain backslashes.
                if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'Mitigation'; then
                    pstatus green YES "$ret_sys_interface_check_fullmsg"
                else
                    pstatus yellow NO
                fi
            else
                pstatus yellow NO "itlb_multihit not found in sysfs hierarchy"
            fi
        else
            pstatus blue N/A "not testable in offline mode"
        fi
    elif [ "$sys_interface_available" = 0 ]; then
        # we have no sysfs but were asked to use it only!
        msg="/sys vulnerability interface use forced, but it's not available!"
        status=UNK
    fi
    # Final verdict. Order matters: CPU-not-affected wins, then "no hypervisor" (the
    # attack needs a guest, so g_has_vmm=0 is treated as not exposed), then the
    # sysfs/own-heuristic results.
    if ! is_cpu_affected "$cve"; then
        # override status & msg in case CPU is not vulnerable after all
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
    elif [ "$g_has_vmm" = 0 ]; then
        pvulnstatus "$cve" OK "this system is not running a hypervisor"
    elif [ -z "$msg" ]; then
        # if msg is empty, sysfs check didn't fill it, rely on our own test
        if [ "$opt_sysfs_only" != 1 ]; then
            if [ "$opt_live" = 1 ]; then
                # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
                pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
            else
                # offline mode: the kernel-image string search is the only evidence available
                if [ -n "$kernel_itlbmh" ]; then
                    pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
                else
                    pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
                fi
            fi
        else
            # --sysfs-only: sysfs was available (otherwise msg would be set), use its result
            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
        fi
    else
        # msg was set explicitly: either sysfs-not-available error, or a sysfs override
        pvulnstatus "$cve" "$status" "$msg"
    fi
}

# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - BSD mitigation check
# Globals read:    cve
# Outputs:         per-item progress via pr_info_nol/pstatus, final verdict via pvulnstatus,
#                  remediation hint via explain
# The single source of truth is the vm.pmap.allow_2m_x_ept sysctl:
#   - no output (sysctl missing or failing; stderr is discarded) -> kernel has no such knob
#   - 0                                                           -> executable superpages under EPT are
#                                                                    disallowed, i.e. mitigated
#   - anything else                                               -> knob present, mitigation disabled
check_CVE_2018_12207_bsd()
{
    local kernel_2m_x_ept
    pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
    kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
    if [ -z "$kernel_2m_x_ept" ]; then
        pstatus yellow NO
    else
        pstatus green YES
    fi
    pr_info_nol "* Superpages are disabled for executable mappings under EPT: "
    # string comparison: only an exact "0" counts as disabled
    if [ "$kernel_2m_x_ept" = 0 ]; then
        pstatus green YES
    else
        pstatus yellow NO
    fi
    if ! is_cpu_affected "$cve"; then
        # override status & msg in case CPU is not vulnerable after all
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
    elif [ -z "$kernel_2m_x_ept" ]; then
        pvulnstatus "$cve" VULN "Your kernel doesn't support mitigating this CVE, you should update it"
    elif [ "$kernel_2m_x_ept" != 0 ]; then
        pvulnstatus "$cve" VULN "Your kernel supports mitigating this CVE, but the mitigation is disabled"
        explain "To enable the mitigation, use \`sysctl vm.pmap.allow_2m_x_ept=0\`"
    else
        pvulnstatus "$cve" OK "Your kernel has support for mitigation and the mitigation is enabled"
    fi
}