From 3e454f1817c447baab60990fc5c4b11ca9880c73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 23 Jan 2018 22:20:34 +0100
Subject: [PATCH] fix(offline): report unknown when too few info
In offline mode, in the worst case where an invalid config file is given, and we have no vmlinux image nor System.map, the script was reporting Variant 2 and Variant 3 as vulnerable in the global status. Replace this by a proper pair of UNKNOWNs
---
 spectre-meltdown-checker.sh | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 09658b4..aa1b43b 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -928,7 +928,9 @@ check_variant2()
 fi
 _info_nol "* Kernel support for IBRS: "
+ ibrs_can_tell=0
 if [ "$opt_live" = 1 ]; then
+ ibrs_can_tell=1
 mount_debugfs
 for ibrs_file in \
 /sys/kernel/debug/ibrs_enabled \
@@ -962,6 +964,7 @@ check_variant2()
 fi
 fi
 if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
+ ibrs_can_tell=1
 if grep -q spec_ctrl "$opt_map"; then
 pstatus green YES
 ibrs_supported=1
@@ -969,7 +972,12 @@ check_variant2()
 fi
 fi
 if [ "$ibrs_supported" != 1 ]; then
- pstatus red NO
+ if [ "$ibrs_can_tell" = 1 ]; then
+ pstatus red NO
+ else
+ # if we're in offline mode without System.map, we can't really know
+ pstatus yellow UNKNOWN "in offline mode, we need System.map to be able to tell"
+ fi
 fi
 _info_nol "* IBRS enabled for Kernel space: "
@@ -1068,8 +1076,10 @@ check_variant2()
 else
 if [ "$ibrs_supported" = 1 ]; then
 pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime"
- else
+ elif [ "$ibrs_can_tell" = 1 ]; then
 pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
+ else
+ pvulnstatus CVE-2017-5715 UNK "offline mode: not enough information"
 fi
 fi
 else
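Review bot: In the hunk at `@@ -962,6 +964,7 @@`, `ibrs_can_tell=1` is set as soon as `$opt_map` is non-empty, before `grep -q spec_ctrl "$opt_map"` has shown that the file can actually be read. If the path is missing, unreadable or not a System.map, the `if grep` test is false exactly as for a no-match, so the check still prints NO and the verdict becomes VULN rather than the UNKNOWN this commit is after. Whether `$opt_map` is validated earlier is not visible in the diff; if it is not, guard the assignment, for example `[ -r "$opt_map" ] && ibrs_can_tell=1`. The unconditional `ibrs_can_tell=1` in the live branch (`@@ -928,7 +928,9 @@`) deserves the same look in case none of the debugfs files turn out to be readable. check_variant2 starts and ends outside these hunks.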
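Review bot: The `UNK` verdict added in the hunk at `@@ -1068,8 +1076,10 @@` replaces what used to be a `VULN`, so whatever consumes the script's result now has to treat "unknown" as "not cleared". `pvulnstatus` is defined outside this diff; if the exit status or batch output is derived only from VULN results, an offline run with no usable inputs could look clean, so it is worth confirming that UNK produces a distinct, non-success outcome. A short comment above the new branch would record the intent, e.g. `# no evidence either way: report UNK, never OK`.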
@@ -1235,8 +1245,10 @@ check_variant3()
 else
 if [ "$kpti_support" = 1 ]; then
 pvulnstatus $cve OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
- else
+ elif [ "$kpti_can_tell" = 1 ]; then
 pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
+ else
+ pvulnstatus $cve UNK "offline mode: not enough information"
 fi
 fi
 else
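Review bot: `kpti_can_tell` is tested in this hunk but never assigned anywhere in the patch, unlike `ibrs_can_tell`, which the check_variant2 hunks initialise to 0 and then set to 1. It is presumably maintained earlier in check_variant3, outside the hunk; if any path leaves it unset or stale, `[ "$kpti_can_tell" = 1 ]` is false and a kernel without PTI support is reported as UNK instead of VULN. Worth confirming that it is reset with `kpti_can_tell=0` before the PTI checks and set only on paths that really inspected a config, image or System.map. `$cve` is also unquoted on the new line; `pvulnstatus "$cve" UNK "offline mode: not enough information"` would match the quoting used in the surrounding tests.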