
# vim: set ts=4 sw=4 sts=4 et:
###############################
# CVE-2018-3620, Foreshadow-NG (OS/SMM), L1 Terminal Fault
check_CVE_2018_3620() {
    # Entry point for CVE-2018-3620 (L1 Terminal Fault, OS/SMM variant).
    # check_cve is the generic dispatcher defined elsewhere in the checker; it
    # presumably selects check_CVE_2018_3620_linux / check_CVE_2018_3620_bsd
    # from the running OS -- confirm against its definition.
    check_cve "CVE-2018-3620"
}
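check_CVE_2018_3620_linux() {
    # Linux-specific check for CVE-2018-3620 (L1TF, OS/SMM variant).
    #
    # Globals read: VULN_SYSFS_BASE, opt_sysfs_only, opt_live, opt_arch_prefix,
    #   g_kernel, g_kernel_err, cve, and the ret_sys_interface_check_status /
    #   ret_sys_interface_check_fullmsg values filled by sys_interface_check().
    # Output: progress lines via pr_info_nol/pstatus, final verdict via pvulnstatus.
    #
    # Verdict precedence: a CPU the vendor lists as not affected wins; otherwise
    # the kernel's own sysfs report is trusted over our heuristics; only when
    # sysfs gave us nothing do we fall back to inspecting the kernel image.
    local status sys_interface_available msg pteinv_supported pteinv_active
    status=UNK
    sys_interface_available=0
    msg=''
    # -1 means "unknown". Both are only computed on the non --sysfs-only path,
    # so give them a defined value before anything below reads them.
    pteinv_supported=-1
    pteinv_active=-1

    if sys_interface_check "$VULN_SYSFS_BASE/l1tf"; then
        # this kernel has the /sys interface, trust it over everything
        sys_interface_available=1
        status=$ret_sys_interface_check_status
        msg=$ret_sys_interface_check_fullmsg
    fi

    if [ "$opt_sysfs_only" != 1 ]; then
        pr_info_nol "* Kernel supports PTE inversion: "
        if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
            pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
        elif [ -n "$g_kernel_err" ]; then
            pstatus yellow UNKNOWN "$g_kernel_err"
        elif "${opt_arch_prefix}strings" "$g_kernel" | grep -Fq 'PTE Inversion'; then
            # heuristic: the mitigation name the kernel would print in sysfs is
            # a literal in the image, so finding it means the code was built in
            pstatus green YES "found in kernel image"
            pr_debug "pteinv: found pte inversion evidence in kernel image"
            pteinv_supported=1
        else
            pstatus yellow NO
            pteinv_supported=0
        fi

        pr_info_nol "* PTE inversion enabled and active: "
        if [ "$opt_live" != 1 ]; then
            pstatus blue N/A "not testable in offline mode"
        elif [ "$sys_interface_available" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
            # Only act on the sysfs text when *this* call read it for l1tf:
            # gating on the local flag avoids reporting on a value possibly
            # left over from a sys_interface_check() of another CVE, should
            # that helper not reset ret_sys_interface_check_fullmsg on failure.
            case "$ret_sys_interface_check_fullmsg" in
                *'Mitigation: PTE Inversion'*)
                    pstatus green YES
                    pteinv_active=1
                    ;;
                *)
                    pstatus yellow NO
                    pteinv_active=0
                    ;;
            esac
        else
            pstatus yellow UNKNOWN "sysfs interface not available"
            pteinv_active=-1
        fi
    elif [ "$sys_interface_available" = 0 ]; then
        # we have no sysfs but were asked to use it only!
        msg="/sys vulnerability interface use forced, but it's not available!"
        status=UNK
    fi

    if ! is_cpu_affected "$cve"; then
        # override status & msg in case CPU is not vulnerable after all
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
    elif [ -z "$msg" ]; then
        # if msg is empty, sysfs check didn't fill it, rely on our own test
        if [ "$opt_sysfs_only" != 1 ]; then
            if [ "$pteinv_supported" != 1 ]; then
                pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
            elif [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
                # Offline: a kernel with the mitigation compiled in is deemed to
                # use it. This assumes PTE inversion has no runtime switch that
                # could leave it disabled -- not verified here, confirm against
                # the kernel's l1tf documentation.
                pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
            else
                pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
            fi
        else
            # --sysfs-only with sysfs present but an empty message (a sysfs
            # failure would have set msg above): report sysfs's status as-is
            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
        fi
    else
        # msg was set: either the kernel's sysfs report, or the
        # "sysfs use forced but unavailable" error from above
        pvulnstatus "$cve" "$status" "$msg"
    fi
}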
check_CVE_2018_3620_bsd() {
    # FreeBSD-specific check for CVE-2018-3620 (L1TF, OS/SMM variant).
    #
    # The OS-side fix (reserving the physical page at address 0x0) leaves no
    # trace we can query directly. It shipped in the same FreeBSD patch as the
    # hypervisor-side fix (SA-18:09), so the presence of the
    # hw.vmm.vmx.l1d_flush sysctl is used as a proxy for both.
    # Globals read: cve. May set g_kldload_vmm (see below).
    local page0_reserved
    page0_reserved=0

    pr_info_nol "* Kernel reserved the memory page at physical address 0x0: "

    # The sysctl only exists once vmm(4) is loaded. Loading it is a genuine
    # side effect on the host (and requires root); g_kldload_vmm records that
    # we did so -- presumably so the caller can unload it again, confirm.
    if kldstat -q -m vmm; then
        pr_debug "vmm module already loaded"
    else
        kldload vmm 2>/dev/null && g_kldload_vmm=1
        pr_debug "attempted to load module vmm, g_kldload_vmm=$g_kldload_vmm"
    fi

    # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
    if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
        pstatus green YES
        page0_reserved=1
    else
        pstatus yellow NO
    fi

    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
    elif [ "$page0_reserved" = 1 ]; then
        pvulnstatus "$cve" OK "kernel mitigates the vulnerability"
    else
        pvulnstatus "$cve" VULN "your kernel needs to be updated"
    fi
}