mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-10 13:08:14 +01:00

fix(dmesg): detect when dmesg is truncated

To avoid false negatives when looking for a message
in dmesg, we were previously also grepping in known
on-disk archives of dmesg (dmesg.log, kern.log).
This in turn caused false positives because we have no
guarantee that we're grepping the dmesg of the current
running kernel. Hence we now only look in the live
`dmesg`, detect if it has been truncated, and report
it to the user.
Stéphane Lesimple 2018-01-21 15:17:10 +01:00
parent 0aa5857a76
commit 40381349ab


@ -588,6 +588,22 @@ unload_cpuid()
fi fi
} }
dmesg_grep()
{
# grep for something in dmesg, ensuring that the dmesg buffer
# has not been truncated
dmesg_grepped=''
if ! dmesg | grep -qE '(^|\] )Linux version [0-9]'; then
# dmesg truncated
return 2
fi
dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
# not found:
[ -z "$dmesg_grepped" ] && return 1
# found, output is in $dmesg_grepped
return 0
}
is_coreos() is_coreos()
{ {
which coreos-install >/dev/null 2>&1 && which toolbox >/dev/null 2>&1 && return 0 which coreos-install >/dev/null 2>&1 && which toolbox >/dev/null 2>&1 && return 0
@ -1125,24 +1141,25 @@ check_variant3()
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 # RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled" _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
elif dmesg | grep -Eq "$dmesg_grep"; then fi
# if we can't find the flag, grep dmesg output if [ -z "$kpti_enabled" ]; then
_debug "kpti_enabled: found hint in dmesg: "$(dmesg | grep -E "$dmesg_grep") dmesg_grep "$dmesg_grep"; ret=$?
kpti_enabled=1 if [ $ret -eq 0 ]; then
elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then _debug "kpti_enabled: found hint in dmesg: $dmesg_grepped"
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable kpti_enabled=1
_debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg) elif [ $ret -eq 2 ]; then
kpti_enabled=1 _debug "kpti_enabled: dmesg truncated"
elif [ -r /var/log/kern.log ] && grep -Eq "$dmesg_grep" /var/log/kern.log; then kpti_enabled=-1
# if we can't find the flag in dmesg output, grep in /var/log/kern.log when readable fi
_debug "kpti_enabled: found hint in /var/log/kern.log: "$(grep -E "$dmesg_grep" /var/log/kern.log) fi
kpti_enabled=1 if [ -z "$kpti_enabled" ]; then
else
_debug "kpti_enabled: couldn't find any hint that PTI is enabled" _debug "kpti_enabled: couldn't find any hint that PTI is enabled"
kpti_enabled=0 kpti_enabled=0
fi fi
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then
pstatus green YES pstatus green YES
elif [ "$kpti_enabled" = -1 ]; then
pstatus yellow UNKNOWN "dmesg truncated, please reboot and relaunch this script"
else else
pstatus red NO pstatus red NO
fi fi
@ -1177,15 +1194,12 @@ check_variant3()
_info_nol "* Checking if we're running under Xen PV (64 bits): " _info_nol "* Checking if we're running under Xen PV (64 bits): "
if [ "$(uname -m)" = "x86_64" ]; then if [ "$(uname -m)" = "x86_64" ]; then
# XXX do we have a better way that relying on dmesg? # XXX do we have a better way that relying on dmesg?
if dmesg | grep -q 'Booting paravirtualized kernel on Xen$' ; then dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$?
pstatus green YES 'Xen PV is not vulnerable' if [ $ret -eq 0 ]; then
xen_pv=1
elif [ -r /var/log/dmesg ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/dmesg; then
pstatus green YES 'Xen PV is not vulnerable'
xen_pv=1
elif [ -r /var/log/kern.log ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/kern.log; then
pstatus green YES 'Xen PV is not vulnerable' pstatus green YES 'Xen PV is not vulnerable'
xen_pv=1 xen_pv=1
elif [ $ret -eq 2 ]; then
pstatus yellow UNKNOWN "dmesg truncated, please reboot and relaunch this script"
else else
pstatus blue NO pstatus blue NO
fi fi
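Review bot: In `dmesg_grep`, the truncation test runs before the pattern search, so a hit that is still in the live ring buffer is discarded and reported as UNKNOWN whenever the `Linux version` banner has scrolled out; a match in the running kernel's buffer is valid regardless of what was dropped before it. The same `return 2` also fires when `dmesg` produces no output at all (for instance when the caller is not allowed to read the kernel log), and the "please reboot" advice printed by `check_variant3` would not help in that case. Searching for the pattern first and checking the banner only on a miss keeps the false-positive fix while cutting down UNKNOWN results, as sketched below. The final CVE verdict of `check_variant3` lies outside the visible hunks; if it only tests `"$kpti_enabled" = 1`, the new `-1` value would presumably fall through to the vulnerable branch and should get its own case.

```shell
dmesg_grep()
{
	# a hit in the live buffer is valid even if older lines were dropped
	dmesg_grepped=$(dmesg 2>/dev/null | grep -E "$1" | head -1)
	[ -n "$dmesg_grepped" ] && return 0
	if ! dmesg 2>/dev/null | grep -qE '(^|\] )Linux version [0-9]'; then
		# boot banner missing: buffer truncated or unreadable,
		# so the absence of a match proves nothing
		return 2
	fi
	# not found in a complete buffer
	return 1
}
```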