mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2024-12-22 12:23:36 +01:00
feat(inception): handle sysfs interface
This commit is contained in:
parent
3167762cfd
commit
dc6921a1ac
6
.github/workflows/check.yml
vendored
6
.github/workflows/check.yml
vendored
@ -24,7 +24,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
- name: check direct execution
|
- name: check direct execution
|
||||||
run: |
|
run: |
|
||||||
expected=17
|
expected=18
|
||||||
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
|
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
if [ "$nb" -ne "$expected" ]; then
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
||||||
@ -34,7 +34,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
- name: check docker-compose run execution
|
- name: check docker-compose run execution
|
||||||
run: |
|
run: |
|
||||||
expected=17
|
expected=18
|
||||||
docker-compose build
|
docker-compose build
|
||||||
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
if [ "$nb" -ne "$expected" ]; then
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
@ -45,7 +45,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
- name: check docker run execution
|
- name: check docker run execution
|
||||||
run: |
|
run: |
|
||||||
expected=17
|
expected=18
|
||||||
docker build -t spectre-meltdown-checker .
|
docker build -t spectre-meltdown-checker .
|
||||||
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
if [ "$nb" -ne "$expected" ]; then
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
|
@ -564,10 +564,10 @@ is_cpu_affected()
|
|||||||
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && variant_zenbleed=vuln
|
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && variant_zenbleed=vuln
|
||||||
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && variant_zenbleed=vuln
|
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && variant_zenbleed=vuln
|
||||||
|
|
||||||
# Inception (Zen3 & Zen4)
|
# Inception (according to kernel, zen 1 to 4)
|
||||||
# TODO: Should Zend2 & Zen1 be added. No ucode update will be released but they are affected too.
|
if [ "$cpu_family" = $(( 0x17 )) ] || [ "$cpu_family" = $(( 0x19 )) ]; then
|
||||||
amd_legacy_erratum "$(amd_model_range 0x19 0x40 0x0 0x7f 0xf)" && variant_inception=vuln
|
variant_inception=vuln
|
||||||
amd_legacy_erratum "$(amd_model_range 0x19 0x00 0x0 0x2f 0xf)" && variant_inception=vuln
|
fi
|
||||||
|
|
||||||
elif [ "$cpu_vendor" = CAVIUM ]; then
|
elif [ "$cpu_vendor" = CAVIUM ]; then
|
||||||
variant3=immune
|
variant3=immune
|
||||||
@ -1413,6 +1413,7 @@ pvulnstatus()
|
|||||||
CVE-2020-0543) aka="SRBDS";;
|
CVE-2020-0543) aka="SRBDS";;
|
||||||
CVE-2023-20593) aka="ZENBLEED";;
|
CVE-2023-20593) aka="ZENBLEED";;
|
||||||
CVE-2022-40982) aka="DOWNFALL";;
|
CVE-2022-40982) aka="DOWNFALL";;
|
||||||
|
CVE-2023-20569) aka="INCEPTION";;
|
||||||
*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
|
*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -6296,6 +6297,7 @@ check_CVE_2022_40982_linux() {
|
|||||||
|
|
||||||
#######################
|
#######################
|
||||||
# Inception section
|
# Inception section
|
||||||
|
|
||||||
check_CVE_2023_20569() {
|
check_CVE_2023_20569() {
|
||||||
cve='CVE-2023-20569'
|
cve='CVE-2023-20569'
|
||||||
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
|
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
|
||||||
@ -6308,12 +6310,50 @@ check_CVE_2023_20569() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
check_CVE_2023_20569_linux() {
|
check_CVE_2023_20569_linux() {
|
||||||
|
status=UNK
|
||||||
|
sys_interface_available=0
|
||||||
|
msg=''
|
||||||
|
|
||||||
|
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow"; then
|
||||||
|
# this kernel has the /sys interface, trust it over everything
|
||||||
|
sys_interface_available=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$opt_sysfs_only" != 1 ]; then
|
||||||
|
_info_nol "* Kernel supports mitigation: "
|
||||||
|
if [ -n "$kernel_err" ]; then
|
||||||
|
kernel_sro_err="$kernel_err"
|
||||||
|
elif grep -q 'spec_rstack_overflow' "$kernel"; then
|
||||||
|
kernel_sro="found spec_rstack_overflow in kernel image"
|
||||||
|
fi
|
||||||
|
if [ -n "$kernel_sro" ]; then
|
||||||
|
pstatus green YES "$kernel_sro"
|
||||||
|
elif [ -n "$kernel_sro_err" ]; then
|
||||||
|
pstatus yellow UNKNOWN "$kernel_sro_err"
|
||||||
|
else
|
||||||
|
pstatus yellow NO
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$kernel_sro" ]; then
|
||||||
|
# TODO check mitigation
|
||||||
|
:
|
||||||
|
fi
|
||||||
|
|
||||||
|
elif [ "$sys_interface_available" = 0 ]; then
|
||||||
|
# we have no sysfs but were asked to use it only!
|
||||||
|
msg="/sys vulnerability interface use forced, but it's not available!"
|
||||||
|
status=UNK
|
||||||
|
fi
|
||||||
|
|
||||||
if ! is_cpu_affected "$cve" ; then
|
if ! is_cpu_affected "$cve" ; then
|
||||||
# override status & msg in case CPU is not vulnerable after all
|
# override status & msg in case CPU is not vulnerable after all
|
||||||
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
||||||
|
elif [ -z "$msg" ]; then
|
||||||
|
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||||
|
# TODO
|
||||||
|
pvulnstatus "$cve" UNK "further checks are required (WIP)"
|
||||||
else
|
else
|
||||||
pvulnstatus "$cve" UNK "further checks are required"
|
pvulnstatus $cve "$status" "$msg"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user