1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-05 10:59:07 +01:00

feat(inception): handle sysfs interface

This commit is contained in:
Stéphane Lesimple 2023-08-12 11:32:32 +02:00
parent 444876f8ec
commit 23f720cc82
2 changed files with 49 additions and 9 deletions

View File

@ -24,7 +24,7 @@ jobs:
fi fi
- name: check direct execution - name: check direct execution
run: | run: |
expected=17 expected=18
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected" echo "Invalid number of CVEs reported: $nb instead of $expected"
@ -34,7 +34,7 @@ jobs:
fi fi
- name: check docker-compose run execution - name: check docker-compose run execution
run: | run: |
expected=17 expected=18
docker-compose build docker-compose build
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
@ -45,7 +45,7 @@ jobs:
fi fi
- name: check docker run execution - name: check docker run execution
run: | run: |
expected=17 expected=18
docker build -t spectre-meltdown-checker . docker build -t spectre-meltdown-checker .
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then

View File

@ -564,10 +564,10 @@ is_cpu_affected()
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && variant_zenbleed=vuln amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && variant_zenbleed=vuln
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && variant_zenbleed=vuln amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && variant_zenbleed=vuln
# Inception (Zen3 & Zen4) # Inception (according to kernel, zen 1 to 4)
# TODO: Should Zend2 & Zen1 be added. No ucode update will be released but they are affected too. if [ "$cpu_family" = $(( 0x17 )) ] || [ "$cpu_family" = $(( 0x19 )) ]; then
amd_legacy_erratum "$(amd_model_range 0x19 0x40 0x0 0x7f 0xf)" && variant_inception=vuln variant_inception=vuln
amd_legacy_erratum "$(amd_model_range 0x19 0x00 0x0 0x2f 0xf)" && variant_inception=vuln fi
elif [ "$cpu_vendor" = CAVIUM ]; then elif [ "$cpu_vendor" = CAVIUM ]; then
variant3=immune variant3=immune
@ -1413,6 +1413,7 @@ pvulnstatus()
CVE-2020-0543) aka="SRBDS";; CVE-2020-0543) aka="SRBDS";;
CVE-2023-20593) aka="ZENBLEED";; CVE-2023-20593) aka="ZENBLEED";;
CVE-2022-40982) aka="DOWNFALL";; CVE-2022-40982) aka="DOWNFALL";;
CVE-2023-20569) aka="INCEPTION";;
*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;; *) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
esac esac
@ -6296,6 +6297,7 @@ check_CVE_2022_40982_linux() {
####################### #######################
# Inception section # Inception section
check_CVE_2023_20569() { check_CVE_2023_20569() {
cve='CVE-2023-20569' cve='CVE-2023-20569'
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
@ -6308,12 +6310,50 @@ check_CVE_2023_20569() {
} }
check_CVE_2023_20569_linux() { check_CVE_2023_20569_linux() {
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
fi
if [ "$opt_sysfs_only" != 1 ]; then
_info_nol "* Kernel supports mitigation: "
if [ -n "$kernel_err" ]; then
kernel_sro_err="$kernel_err"
elif grep -q 'spec_rstack_overflow' "$kernel"; then
kernel_sro="found spec_rstack_overflow in kernel image"
fi
if [ -n "$kernel_sro" ]; then
pstatus green YES "$kernel_sro"
elif [ -n "$kernel_sro_err" ]; then
pstatus yellow UNKNOWN "$kernel_sro_err"
else
pstatus yellow NO
fi
if [ -n "$kernel_sro" ]; then
# TODO check mitigation
:
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_affected "$cve" ; then if ! is_cpu_affected "$cve" ; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
# TODO
pvulnstatus "$cve" UNK "further checks are required (WIP)"
else else
pvulnstatus "$cve" UNK "further checks are required" pvulnstatus $cve "$status" "$msg"
fi fi
} }