mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2024-12-22 12:23:36 +01:00
fix(variant1): smarter lfence check
Instead of just counting the number of LFENCE instructions, now we're only counting the those that directly follow a jump instruction.
This commit is contained in:
parent
b738ac4bd7
commit
aa18b51e1c
@ -1192,7 +1192,7 @@ check_variant1()
|
|||||||
if [ "$opt_verbose" -ge 2 ] || [ "$v1_mask_nospec" != 1 ]; then
|
if [ "$opt_verbose" -ge 2 ] || [ "$v1_mask_nospec" != 1 ]; then
|
||||||
# this is a slow heuristic and we don't need it if we already know the kernel is patched
|
# this is a slow heuristic and we don't need it if we already know the kernel is patched
|
||||||
# but still show it in verbose mode
|
# but still show it in verbose mode
|
||||||
_info_nol "* Checking count of LFENCE opcodes in kernel: "
|
_info_nol "* Checking count of LFENCE instructions following a jump in kernel: "
|
||||||
if [ -n "$vmlinux_err" ]; then
|
if [ -n "$vmlinux_err" ]; then
|
||||||
pstatus yellow UNKNOWN "couldn't check ($vmlinux_err)"
|
pstatus yellow UNKNOWN "couldn't check ($vmlinux_err)"
|
||||||
else
|
else
|
||||||
@ -1204,12 +1204,14 @@ check_variant1()
|
|||||||
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
|
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
|
||||||
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
|
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
|
||||||
# so let's push the threshold to 70.
|
# so let's push the threshold to 70.
|
||||||
nb_lfence=$(objdump -d "$vmlinux" | grep -wc 'lfence')
|
# v0.33+: now only count lfence opcodes after a jump, way less error-prone
|
||||||
if [ "$nb_lfence" -lt 70 ]; then
|
# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
|
||||||
pstatus red NO "only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
|
nb_lfence=$(objdump -d "$vmlinux" | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
|
||||||
|
if [ "$nb_lfence" -lt 30 ]; then
|
||||||
|
pstatus red NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
|
||||||
else
|
else
|
||||||
v1_lfence=1
|
v1_lfence=1
|
||||||
pstatus green YES "$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
|
pstatus green YES "$nb_lfence jump-then-lfence instructions found, which is >= 30 (heuristic)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -1231,7 +1233,7 @@ check_variant1()
|
|||||||
if [ "$v1_mask_nospec" = 1 ]; then
|
if [ "$v1_mask_nospec" = 1 ]; then
|
||||||
pvulnstatus $cve OK "Kernel source has been patched to mitigate the vulnerability (array_index_mask_nospec)"
|
pvulnstatus $cve OK "Kernel source has been patched to mitigate the vulnerability (array_index_mask_nospec)"
|
||||||
elif [ "$v1_lfence" = 1 ]; then
|
elif [ "$v1_lfence" = 1 ]; then
|
||||||
pvulnstatus $cve OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (LFENCE opcodes heuristic)"
|
pvulnstatus $cve OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic)"
|
||||||
elif [ "$vmlinux_err" ]; then
|
elif [ "$vmlinux_err" ]; then
|
||||||
pvulnstatus $cve UNK "Couldn't find kernel image or tools missing to execute the checks"
|
pvulnstatus $cve UNK "Couldn't find kernel image or tools missing to execute the checks"
|
||||||
else
|
else
|
||||||
|
Loading…
Reference in New Issue
Block a user