dsanchez/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-03 10:05:44 +01:00
Code Issues Releases Wiki Activity

enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode

Browse Source
This commit is contained in:
Stéphane Lesimple 2020-03-10 22:13:55 +01:00
parent 27c36fdb80
commit 3beefc2587
1 changed files with 19 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
spectre-meltdown-checker.sh
View File

@ -3682,19 +3682,28 @@ check_CVE_2017_5715_linux()
if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
_info_nol " * Kernel supports RSB filling: " _info_nol " * Kernel supports RSB filling: "
if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then rsb_filling=0
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
elif [ -n "$kernel_err" ]; then # if we're live and we aren't denied looking into /sys, let's do it
if echo "$msg" | grep -qw RSB; then
rsb_filling=1
pstatus green YES
fi
fi
if [ "$rsb_filling" = 0 ]; then
if [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)" pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
else else
rsb_filling=$("${opt_arch_prefix}strings" "$kernel" | grep -w 'Filling RSB on context switch') if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
if [ -n "$rsb_filling" ]; then rsb_filling=1
pstatus green YES pstatus green YES
else else
rsb_filling=0
pstatus yellow NO pstatus yellow NO
fi fi
fi fi
fi fi
fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
@ -3706,9 +3715,9 @@ check_CVE_2017_5715_linux()
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
else else
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$ibpb_enabled" ] && [ "$ibpb_enabled" -ge 1 ] && ( ! is_vulnerable_to_empty_rsb || [ -n "$rsb_filling" ] ); then if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$ibpb_enabled" ] && [ "$ibpb_enabled" -ge 1 ] && ( ! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ] ); then
pvulnstatus $cve OK "Full retpoline + IBPB are mitigating the vulnerability" pvulnstatus $cve OK "Full retpoline + IBPB are mitigating the vulnerability"
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && ( ! is_vulnerable_to_empty_rsb || [ -n "$rsb_filling" ] ); then elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && ( ! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ] ); then
pvulnstatus $cve OK "Full retpoline is mitigating the vulnerability" pvulnstatus $cve OK "Full retpoline is mitigating the vulnerability"
if [ -n "$cpuid_ibpb" ]; then if [ -n "$cpuid_ibpb" ]; then
_warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation" _warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation"