mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2026-04-05 16:23:19 +02:00
214 lines
11 KiB
Bash
214 lines
11 KiB
Bash
# vim: set ts=4 sw=4 sts=4 et:
|
|
###############################
|
|
# CVE-2023-20569, Inception, SRSO, Return Address Security
|
|
|
|
check_CVE_2023_20569() {
|
|
check_cve 'CVE-2023-20569'
|
|
}
|
|
|
|
check_CVE_2023_20569_linux() {
|
|
local status sys_interface_available msg kernel_sro kernel_sro_err kernel_srso kernel_ibpb_entry smt_enabled
|
|
status=UNK
|
|
sys_interface_available=0
|
|
msg=''
|
|
|
|
if sys_interface_check "$VULN_SYSFS_BASE/spec_rstack_overflow"; then
|
|
# this kernel has the /sys interface, trust it over everything
|
|
sys_interface_available=1
|
|
status=$ret_sys_interface_check_status
|
|
# kernels before the fix from dc6306ad5b0d (v6.6-rc6, backported to v6.5.6)
|
|
# incorrectly reported "Mitigation: safe RET, no microcode" as mitigated,
|
|
# when in fact userspace is still vulnerable because IBPB doesn't flush
|
|
# branch type predictions without the extending microcode.
|
|
# override the sysfs status in that case.
|
|
if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Mitigation:.*safe RET.*no microcode'; then
|
|
status=VULN
|
|
msg="Vulnerable: Safe RET, no microcode (your kernel incorrectly reports this as mitigated, it was fixed in more recent kernels)"
|
|
fi
|
|
fi
|
|
|
|
if [ "$opt_sysfs_only" != 1 ]; then
|
|
pr_info_nol "* Kernel supports mitigation: "
|
|
if [ -n "$g_kernel_err" ]; then
|
|
kernel_sro_err="$g_kernel_err"
|
|
elif grep -q 'spec_rstack_overflow' "$g_kernel"; then
|
|
kernel_sro="found spec_rstack_overflow in kernel image"
|
|
fi
|
|
if [ -n "$kernel_sro" ]; then
|
|
pstatus green YES "$kernel_sro"
|
|
elif [ -n "$kernel_sro_err" ]; then
|
|
pstatus yellow UNKNOWN "$kernel_sro_err"
|
|
else
|
|
pstatus yellow NO
|
|
fi
|
|
|
|
pr_info_nol "* Kernel compiled with SRSO support: "
|
|
if [ -r "$opt_config" ]; then
|
|
# CONFIG_CPU_SRSO: Linux < 6.9
|
|
# CONFIG_MITIGATION_SRSO: Linux >= 6.9
|
|
if grep -Eq '^CONFIG_(CPU|MITIGATION)_SRSO=y' "$opt_config"; then
|
|
pstatus green YES
|
|
kernel_srso="CONFIG_(CPU|MITIGATION)_SRSO=y found in kernel config"
|
|
else
|
|
pstatus yellow NO "required for safe RET and ibpb_on_vmexit mitigations"
|
|
fi
|
|
else
|
|
# https://github.com/torvalds/linux/commit/138bcddb86d8a4f842e4ed6f0585abc9b1a764ff#diff-17bd24a7a7850613cced545790ac30646097e8d6207348c2bd1845f397acb390R2313
|
|
if [ -n "$g_kernel_err" ]; then
|
|
pstatus yellow UNKNOWN "$g_kernel_err"
|
|
elif grep -Eq 'WARNING: kernel not compiled with (CPU|MITIGATION)_SRSO' "$g_kernel"; then
|
|
# this msg is optimized out at compile time if the option is not enabled, see commit referenced above
|
|
# if it's present, then SRSO is NOT compiled in
|
|
pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_SRSO"
|
|
else
|
|
# if it's not present, then SRSO is compiled in IF kernel_sro is set, otherwise we're just
|
|
# in front of an old kernel that doesn't have the mitigation logic at all
|
|
if [ -n "$kernel_sro" ]; then
|
|
kernel_srso="SRSO mitigation logic is compiled in the kernel"
|
|
pstatus green OK "$kernel_srso"
|
|
else
|
|
pstatus yellow NO "your kernel is too old and doesn't have the mitigation logic"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# check whether the running kernel has the corrected SRSO reporting
|
|
# (dc6306ad5b0d, v6.6-rc6, backported to v6.5.6): kernels with the fix
|
|
# contain the string "Vulnerable: Safe RET, no microcode" in their image,
|
|
# while older kernels only have "safe RET" (and append ", no microcode" dynamically).
|
|
pr_info_nol "* Kernel has accurate SRSO reporting: "
|
|
if [ -n "$g_kernel_err" ]; then
|
|
pstatus yellow UNKNOWN "$g_kernel_err"
|
|
elif grep -q 'Vulnerable: Safe RET, no microcode' "$g_kernel"; then
|
|
pstatus green YES
|
|
elif [ -n "$kernel_sro" ]; then
|
|
pstatus yellow NO "your kernel reports partial SRSO mitigations as fully mitigated, upgrade recommended"
|
|
else
|
|
pstatus yellow NO "your kernel is too old and doesn't have the SRSO mitigation logic"
|
|
fi
|
|
|
|
pr_info_nol "* Kernel compiled with IBPB_ENTRY support: "
|
|
if [ -r "$opt_config" ]; then
|
|
# CONFIG_CPU_IBPB_ENTRY: Linux < 6.9
|
|
# CONFIG_MITIGATION_IBPB_ENTRY: Linux >= 6.9
|
|
if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y' "$opt_config"; then
|
|
pstatus green YES
|
|
kernel_ibpb_entry="CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y found in kernel config"
|
|
else
|
|
pstatus yellow NO
|
|
fi
|
|
else
|
|
# https://github.com/torvalds/linux/commit/138bcddb86d8a4f842e4ed6f0585abc9b1a764ff#diff-17bd24a7a7850613cced545790ac30646097e8d6207348c2bd1845f397acb390R2325
|
|
if [ -n "$g_kernel_err" ]; then
|
|
pstatus yellow UNKNOWN "$g_kernel_err"
|
|
elif grep -Eq 'WARNING: kernel not compiled with (CPU|MITIGATION)_IBPB_ENTRY' "$g_kernel"; then
|
|
# this msg is optimized out at compile time if the option is not enabled, see commit referenced above
|
|
# if it's present, then IBPB_ENTRY is NOT compiled in
|
|
pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_IBPB_ENTRY"
|
|
else
|
|
# if it's not present, then IBPB_ENTRY is compiled in IF kernel_sro is set, otherwise we're just
|
|
# in front of an old kernel that doesn't have the mitigation logic at all
|
|
if [ -n "$kernel_sro" ]; then
|
|
kernel_ibpb_entry="IBPB_ENTRY mitigation logic is compiled in the kernel"
|
|
pstatus green OK "$kernel_ibpb_entry"
|
|
else
|
|
pstatus yellow NO "your kernel is too old and doesn't have the mitigation logic"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Zen & Zen2 : if the right IBPB microcode applied + SMT off --> not vuln
|
|
if [ "$cpu_family" = $((0x17)) ]; then
|
|
pr_info_nol "* CPU supports IBPB: "
|
|
if [ -n "$cap_ibpb" ]; then
|
|
pstatus green YES "$cap_ibpb"
|
|
else
|
|
pstatus yellow NO
|
|
fi
|
|
|
|
pr_info_nol "* Hyper-Threading (SMT) is enabled: "
|
|
is_cpu_smt_enabled
|
|
smt_enabled=$?
|
|
if [ "$smt_enabled" = 0 ]; then
|
|
pstatus yellow YES
|
|
else
|
|
pstatus green NO
|
|
fi
|
|
# Zen 3/4 microcode brings SBPB mitigation
|
|
elif [ "$cpu_family" = $((0x19)) ]; then
|
|
pr_info_nol "* CPU supports SBPB: "
|
|
if [ "$cap_sbpb" = 1 ]; then
|
|
pstatus green YES
|
|
elif [ "$cap_sbpb" = 3 ]; then
|
|
pstatus yellow UNKNOWN "cannot write MSR, rerun with --allow-msr-write"
|
|
else
|
|
pstatus yellow NO
|
|
fi
|
|
fi
|
|
|
|
elif [ "$sys_interface_available" = 0 ]; then
|
|
# we have no sysfs but were asked to use it only!
|
|
msg="/sys vulnerability interface use forced, but it's not available!"
|
|
status=UNK
|
|
fi
|
|
|
|
if ! is_cpu_affected "$cve"; then
|
|
# override status & msg in case CPU is not vulnerable after all
|
|
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
|
elif [ -z "$msg" ]; then
|
|
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
|
if [ "$opt_sysfs_only" != 1 ]; then
|
|
# Zen/Zen2
|
|
if [ "$cpu_family" = $((0x17)) ]; then
|
|
if [ "$smt_enabled" = 0 ]; then
|
|
pvulnstatus "$cve" VULN "SMT is enabled on your Zen/Zen2 CPU, which makes mitigation ineffective"
|
|
explain "For Zen/Zen2 CPUs, proper mitigation needs an up to date microcode, and SMT needs to be disabled (this can be done by adding \`nosmt\` to your kernel command line)"
|
|
elif [ -z "$kernel_sro" ]; then
|
|
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
|
|
elif [ -n "$cap_ibpb" ]; then
|
|
pvulnstatus "$cve" OK "SMT is disabled and both your kernel and microcode support mitigation"
|
|
else
|
|
pvulnstatus "$cve" VULN "Your microcode is too old"
|
|
fi
|
|
# Zen3/Zen4
|
|
elif [ "$cpu_family" = $((0x19)) ]; then
|
|
if [ -z "$kernel_sro" ]; then
|
|
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
|
|
elif [ -z "$kernel_srso" ] && [ -z "$kernel_ibpb_entry" ]; then
|
|
pvulnstatus "$cve" VULN "Your kernel doesn't have either SRSO or IBPB_ENTRY compiled-in"
|
|
elif [ "$cap_sbpb" = 3 ]; then
|
|
pvulnstatus "$cve" UNK "Couldn't verify if your microcode supports IBPB (rerun with --allow-msr-write)"
|
|
elif [ "$cap_sbpb" = 2 ]; then
|
|
pvulnstatus "$cve" VULN "Your microcode doesn't support SBPB"
|
|
else
|
|
pvulnstatus "$cve" OK "Your kernel and microcode both support mitigation"
|
|
fi
|
|
else
|
|
# not supposed to happen, as normally this CPU should not be affected and not run this code
|
|
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
|
fi
|
|
else
|
|
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
|
|
fi
|
|
else
|
|
pvulnstatus "$cve" "$status" "$msg"
|
|
if echo "$msg" | grep -qi 'your kernel incorrectly reports this as mitigated'; then
|
|
explain "Your kernel's /sys interface reports 'Mitigation: safe RET, no microcode' for the SRSO vulnerability.\n" \
|
|
"This was a bug in the kernel's reporting (fixed in v6.5.6/v6.6-rc6, commit dc6306ad5b0d):\n" \
|
|
"the Safe RET mitigation alone only protects the kernel from userspace attacks, but without\n" \
|
|
"the IBPB-extending microcode, userspace itself remains vulnerable because IBPB doesn't flush\n" \
|
|
"branch type predictions. Newer kernels correctly report this as 'Vulnerable: Safe RET, no microcode'.\n" \
|
|
"To fully mitigate, you need both the Safe RET kernel support AND an updated CPU microcode.\n" \
|
|
"Updating your kernel to v6.5.6+ or v6.6+ will also give you accurate vulnerability reporting."
|
|
fi
|
|
fi
|
|
}
|
|
|
|
check_CVE_2023_20569_bsd() {
|
|
if ! is_cpu_affected "$cve"; then
|
|
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
|
else
|
|
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
|
|
fi
|
|
}
|