dsanchez/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-03 10:05:44 +01:00
Code Issues Releases Wiki Activity

Compare commits

base: dsanchez:3ac36669d99a188e221a03d79d60f62b558c4df8
Branches Tags
dsanchez:master
dsanchez:v0.46
dsanchez:v0.45
dsanchez:v0.44
dsanchez:v0.43
dsanchez:v0.42
dsanchez:v0.41
dsanchez:v0.40
dsanchez:v0.39
dsanchez:v0.38
dsanchez:v0.37
dsanchez:v0.36
dsanchez:v0.35
dsanchez:v0.34
dsanchez:v0.33
dsanchez:v0.32
dsanchez:v0.31
dsanchez:v0.30
dsanchez:v0.29
dsanchez:v0.28
dsanchez:v0.27
dsanchez:v0.26
dsanchez:v0.25
dsanchez:v0.24
dsanchez:v0.23
dsanchez:v0.22
dsanchez:v0.21
dsanchez:v0.20
dsanchez:v0.19
dsanchez:v0.18
dsanchez:v0.17
dsanchez:v0.16
dsanchez:v0.15
dsanchez:v0.14
dsanchez:v0.13
dsanchez:v0.12
dsanchez:v0.11
dsanchez:v0.10
dsanchez:v0.09
dsanchez:v0.08
dsanchez:v0.07
dsanchez:v0.06
dsanchez:v0.05
dsanchez:v0.04
dsanchez:v0.03
dsanchez:v0.02
dsanchez:v0.01
..
compare: dsanchez:b5237e663fd346aec17afcb1f3258ff1a5793f2e
Branches Tags
dsanchez:master
dsanchez:v0.46
dsanchez:v0.45
dsanchez:v0.44
dsanchez:v0.43
dsanchez:v0.42
dsanchez:v0.41
dsanchez:v0.40
dsanchez:v0.39
dsanchez:v0.38
dsanchez:v0.37
dsanchez:v0.36
dsanchez:v0.35
dsanchez:v0.34
dsanchez:v0.33
dsanchez:v0.32
dsanchez:v0.31
dsanchez:v0.30
dsanchez:v0.29
dsanchez:v0.28
dsanchez:v0.27
dsanchez:v0.26
dsanchez:v0.25
dsanchez:v0.24
dsanchez:v0.23
dsanchez:v0.22
dsanchez:v0.21
dsanchez:v0.20
dsanchez:v0.19
dsanchez:v0.18
dsanchez:v0.17
dsanchez:v0.16
dsanchez:v0.15
dsanchez:v0.14
dsanchez:v0.13
dsanchez:v0.12
dsanchez:v0.11
dsanchez:v0.10
dsanchez:v0.09
dsanchez:v0.08
dsanchez:v0.07
dsanchez:v0.06
dsanchez:v0.05
dsanchez:v0.04
dsanchez:v0.03
dsanchez:v0.02
dsanchez:v0.01

7 Commits
3ac36669d9 ... b5237e663f

Author SHA1 Message Date
Stéphane Lesimple
b5237e663f feat: bsd: for unimplemented CVEs, at least report when CPU is not affected 2022-03-20 22:00:55 +01:00
Stéphane Lesimple
8a30f72afe chore: wording: model not vulnerable -> model not affected 2022-03-20 21:51:01 +01:00
Stéphane Lesimple
ba99cdb028 feat: implement detection for MCEPSC under BSD 2022-03-20 21:51:01 +01:00
Stéphane Lesimple
2d8ee9b7e3 chore: update Intel Family 6 models 2022-03-20 21:51:01 +01:00
Stéphane Lesimple
31fdbed6f4 chore: ensure vars are set before being dereferenced (set -u compat) 2022-03-20 21:51:01 +01:00
Stéphane Lesimple
7cf17460d1 fix: is_ucode_blacklisted: fix some model names 2022-03-20 21:51:01 +01:00
Stéphane Lesimple
7110987934 feat: add --cpu, apply changes to (read|write)_msr, update fwdb to v221+i20220208 2022-03-20 21:50:50 +01:00
1 changed files with 88 additions and 76 deletions
Show Stats Expand all files Collapse all files

164
spectre-meltdown-checker.sh
View File

@ -295,8 +295,8 @@ cve2name()
esac esac
} }
is_cpu_vulnerable_cached=0 is_cpu_affected_cached=0
_is_cpu_vulnerable_cached() _is_cpu_affected_cached()
{ {
# shellcheck disable=SC2086 # shellcheck disable=SC2086
case "$1" in case "$1" in
@ -315,19 +315,19 @@ _is_cpu_vulnerable_cached()
CVE-2019-11135) return $variant_taa;; CVE-2019-11135) return $variant_taa;;
CVE-2018-12207) return $variant_itlbmh;; CVE-2018-12207) return $variant_itlbmh;;
CVE-2020-0543) return $variant_srbds;; CVE-2020-0543) return $variant_srbds;;
*) echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2; exit 255;; *) echo "$0: error: invalid variant '$1' passed to is_cpu_affected()" >&2; exit 255;;
esac esac
} }
is_cpu_vulnerable() is_cpu_affected()
{ {
# param: one of the $supported_cve_list items # param: one of the $supported_cve_list items
# returns 0 if vulnerable, 1 if not vulnerable # returns 0 if affected, 1 if not affected
# (note that in shell, a return of 0 is success) # (note that in shell, a return of 0 is success)
# by default, everything is vulnerable, we work in a "whitelist" logic here. # by default, everything is affected, we work in a "whitelist" logic here.
# usage: is_cpu_vulnerable CVE-xxxx-yyyy && do something if vulnerable # usage: is_cpu_affected CVE-xxxx-yyyy && do something if affected
if [ "$is_cpu_vulnerable_cached" = 1 ]; then if [ "$is_cpu_affected_cached" = 1 ]; then
_is_cpu_vulnerable_cached "$1" _is_cpu_affected_cached "$1"
return $? return $?
fi fi
@ -350,17 +350,17 @@ is_cpu_vulnerable()
[ -z "$variant_mfbds" ] && variant_mfbds=immune [ -z "$variant_mfbds" ] && variant_mfbds=immune
[ -z "$variant_mlpds" ] && variant_mlpds=immune [ -z "$variant_mlpds" ] && variant_mlpds=immune
[ -z "$variant_mdsum" ] && variant_mdsum=immune [ -z "$variant_mdsum" ] && variant_mdsum=immune
_debug "is_cpu_vulnerable: cpu not affected by Microarchitectural Data Sampling" _debug "is_cpu_affected: cpu not affected by Microarchitectural Data Sampling"
fi fi
if is_cpu_taa_free; then if is_cpu_taa_free; then
[ -z "$variant_taa" ] && variant_taa=immune [ -z "$variant_taa" ] && variant_taa=immune
_debug "is_cpu_vulnerable: cpu not affected by TSX Asynhronous Abort" _debug "is_cpu_affected: cpu not affected by TSX Asynhronous Abort"
fi fi
if is_cpu_srbds_free; then if is_cpu_srbds_free; then
[ -z "$variant_srbds" ] && variant_srbds=immune [ -z "$variant_srbds" ] && variant_srbds=immune
_debug "is_cpu_vulnerable: cpu not affected by Special Register Buffer Data Sampling" _debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling"
fi fi
if is_cpu_specex_free; then if is_cpu_specex_free; then
@ -378,8 +378,8 @@ is_cpu_vulnerable()
variant_srbds=immune variant_srbds=immune
elif is_intel; then elif is_intel; then
# Intel # Intel
# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not vulnerable # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown vulnerable # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
# model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
variant1=vuln variant1=vuln
@ -388,36 +388,36 @@ is_cpu_vulnerable()
fi fi
if [ "$capabilities_rdcl_no" = 1 ]; then if [ "$capabilities_rdcl_no" = 1 ]; then
# capability bit for future Intel processor that will explicitly state # capability bit for future Intel processor that will explicitly state
# that they're not vulnerable to Meltdown # that they're not affected to Meltdown
# this var is set in check_cpu() # this var is set in check_cpu()
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
[ -z "$variantl1tf" ] && variantl1tf=immune [ -z "$variantl1tf" ] && variantl1tf=immune
_debug "is_cpu_vulnerable: RDCL_NO is set so not vuln to meltdown nor l1tf" _debug "is_cpu_affected: RDCL_NO is set so not vuln to meltdown nor l1tf"
fi fi
if [ "$capabilities_ssb_no" = 1 ]; then if [ "$capabilities_ssb_no" = 1 ]; then
# capability bit for future Intel processor that will explicitly state # capability bit for future Intel processor that will explicitly state
# that they're not vulnerable to Variant 4 # that they're not affected to Variant 4
# this var is set in check_cpu() # this var is set in check_cpu()
[ -z "$variant4" ] && variant4=immune [ -z "$variant4" ] && variant4=immune
_debug "is_cpu_vulnerable: SSB_NO is set so not vuln to variant4" _debug "is_cpu_affected: SSB_NO is set so not vuln to variant4"
fi fi
if is_cpu_ssb_free; then if is_cpu_ssb_free; then
[ -z "$variant4" ] && variant4=immune [ -z "$variant4" ] && variant4=immune
_debug "is_cpu_vulnerable: cpu not affected by speculative store bypass so not vuln to variant4" _debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to variant4"
fi fi
# variant 3a # variant 3a
if [ "$cpu_family" = 6 ]; then if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then if [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
_debug "is_cpu_vulnerable: xeon phi immune to variant 3a" _debug "is_cpu_affected: xeon phi immune to variant 3a"
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \ elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ]; then [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ]; then
# https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html # https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
# https://github.com/speed47/spectre-meltdown-checker/issues/310 # https://github.com/speed47/spectre-meltdown-checker/issues/310
# => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be vulnerable # => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be affected
# => goldmont ARE vulnerable # => goldmont ARE affected
_debug "is_cpu_vulnerable: silvermont immune to variant 3a" _debug "is_cpu_affected: silvermont immune to variant 3a"
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
fi fi
fi fi
@ -441,18 +441,18 @@ is_cpu_vulnerable()
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || \ [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
_debug "is_cpu_vulnerable: intel family 6 but model known to be immune to l1tf" _debug "is_cpu_affected: intel family 6 but model known to be immune to l1tf"
[ -z "$variantl1tf" ] && variantl1tf=immune [ -z "$variantl1tf" ] && variantl1tf=immune
else else
_debug "is_cpu_vulnerable: intel family 6 is vuln to l1tf" _debug "is_cpu_affected: intel family 6 is vuln to l1tf"
variantl1tf=vuln variantl1tf=vuln
fi fi
elif [ "$cpu_family" -lt 6 ]; then elif [ "$cpu_family" -lt 6 ]; then
_debug "is_cpu_vulnerable: intel family < 6 is immune to l1tf" _debug "is_cpu_affected: intel family < 6 is immune to l1tf"
[ -z "$variantl1tf" ] && variantl1tf=immune [ -z "$variantl1tf" ] && variantl1tf=immune
fi fi
elif is_amd || is_hygon; then elif is_amd || is_hygon; then
# AMD revised their statement about variant2 => vulnerable # AMD revised their statement about variant2 => affected
# https://www.amd.com/en/corporate/speculative-execution # https://www.amd.com/en/corporate/speculative-execution
variant1=vuln variant1=vuln
variant2=vuln variant2=vuln
@ -462,7 +462,7 @@ is_cpu_vulnerable()
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
if is_cpu_ssb_free; then if is_cpu_ssb_free; then
[ -z "$variant4" ] && variant4=immune [ -z "$variant4" ] && variant4=immune
_debug "is_cpu_vulnerable: cpu not affected by speculative store bypass so not vuln to variant4" _debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to variant4"
fi fi
variantl1tf=immune variantl1tf=immune
elif [ "$cpu_vendor" = CAVIUM ]; then elif [ "$cpu_vendor" = CAVIUM ]; then
@ -495,55 +495,55 @@ is_cpu_vulnerable()
# part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d
# arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8 # arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8
# #
# Whitelist identified non-vulnerable processors, use vulnerability information from # Whitelist identified non-affected processors, use vulnerability information from
# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
# Partnumbers can be found here: # Partnumbers can be found here:
# https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
# #
# Maintain cumulative check of vulnerabilities - # Maintain cumulative check of vulnerabilities -
# if at least one of the cpu is vulnerable, then the system is vulnerable # if at least one of the cpu is affected, then the system is affected
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
variant1=vuln variant1=vuln
variant2=vuln variant2=vuln
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
[ -z "$variant4" ] && variant4=immune [ -z "$variant4" ] && variant4=immune
_debug "checking cpu$i: armv7 A8/A9/A12/A17 non vulnerable to variants 3, 3a & 4" _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
variant1=vuln variant1=vuln
variant2=vuln variant2=vuln
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
variant3a=vuln variant3a=vuln
[ -z "$variant4" ] && variant4=immune [ -z "$variant4" ] && variant4=immune
_debug "checking cpu$i: armv7 A15 non vulnerable to variants 3 & 4" _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
variant1=vuln variant1=vuln
variant2=vuln variant2=vuln
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
variant3a=vuln variant3a=vuln
variant4=vuln variant4=vuln
_debug "checking cpu$i: armv8 A57/A72 non vulnerable to variants 3" _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
variant1=vuln variant1=vuln
variant2=vuln variant2=vuln
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
variant4=vuln variant4=vuln
_debug "checking cpu$i: armv8 A73 non vulnerable to variants 3 & 3a" _debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
variant1=vuln variant1=vuln
variant2=vuln variant2=vuln
variant3=vuln variant3=vuln
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
variant4=vuln variant4=vuln
_debug "checking cpu$i: armv8 A75 non vulnerable to variant 3a" _debug "checking cpu$i: armv8 A75 non affected to variant 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
variant1=vuln variant1=vuln
[ -z "$variant2" ] && variant2=immune [ -z "$variant2" ] && variant2=immune
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
variant4=vuln variant4=vuln
_debug "checking cpu$i: armv8 A76/A77/NeoverseN1 non vulnerable to variant 2, 3 & 3a" _debug "checking cpu$i: armv8 A76/A77/NeoverseN1 non affected to variant 2, 3 & 3a"
elif [ "$cpuarch" -le 7 ] || { [ "$cpuarch" = 8 ] && [ $(( cpupart )) -lt $(( 0xd07 )) ]; } ; then elif [ "$cpuarch" -le 7 ] || { [ "$cpuarch" = 8 ] && [ $(( cpupart )) -lt $(( 0xd07 )) ]; } ; then
[ -z "$variant1" ] && variant1=immune [ -z "$variant1" ] && variant1=immune
[ -z "$variant2" ] && variant2=immune [ -z "$variant2" ] && variant2=immune
@ -560,7 +560,7 @@ is_cpu_vulnerable()
_debug "checking cpu$i: arm unknown arch$cpuarch part$cpupart, considering vuln" _debug "checking cpu$i: arm unknown arch$cpuarch part$cpupart, considering vuln"
fi fi
fi fi
_debug "is_cpu_vulnerable: for cpu$i and so far, we have <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>" _debug "is_cpu_affected: for cpu$i and so far, we have <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>"
done done
variantl1tf=immune variantl1tf=immune
fi fi
@ -584,22 +584,22 @@ is_cpu_vulnerable()
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
_debug "is_cpu_vulnerable: intel family 6 but model known to be immune to itlbmh" _debug "is_cpu_affected: intel family 6 but model known to be immune to itlbmh"
[ -z "$variant_itlbmh" ] && variant_itlbmh=immune [ -z "$variant_itlbmh" ] && variant_itlbmh=immune
else else
_debug "is_cpu_vulnerable: intel family 6 is vuln to itlbmh" _debug "is_cpu_affected: intel family 6 is vuln to itlbmh"
variant_itlbmh=vuln variant_itlbmh=vuln
fi fi
elif [ "$cpu_family" -lt 6 ]; then elif [ "$cpu_family" -lt 6 ]; then
_debug "is_cpu_vulnerable: intel family < 6 is immune to itlbmh" _debug "is_cpu_affected: intel family < 6 is immune to itlbmh"
[ -z "$variant_itlbmh" ] && variant_itlbmh=immune [ -z "$variant_itlbmh" ] && variant_itlbmh=immune
fi fi
else else
_debug "is_cpu_vulnerable: non-intel not vulnerable to itlbmh" _debug "is_cpu_affected: non-intel not affected to itlbmh"
[ -z "$variant_itlbmh" ] && variant_itlbmh=immune [ -z "$variant_itlbmh" ] && variant_itlbmh=immune
fi fi
_debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf>" _debug "is_cpu_affected: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf>"
[ "$variant1" = "immune" ] && variant1=1 || variant1=0 [ "$variant1" = "immune" ] && variant1=1 || variant1=0
[ "$variant2" = "immune" ] && variant2=1 || variant2=0 [ "$variant2" = "immune" ] && variant2=1 || variant2=0
[ "$variant3" = "immune" ] && variant3=1 || variant3=0 [ "$variant3" = "immune" ] && variant3=1 || variant3=0
@ -614,11 +614,11 @@ is_cpu_vulnerable()
[ "$variant_itlbmh" = "immune" ] && variant_itlbmh=1 || variant_itlbmh=0 [ "$variant_itlbmh" = "immune" ] && variant_itlbmh=1 || variant_itlbmh=0
[ "$variant_srbds" = "immune" ] && variant_srbds=1 || variant_srbds=0 [ "$variant_srbds" = "immune" ] && variant_srbds=1 || variant_srbds=0
variantl1tf_sgx="$variantl1tf" variantl1tf_sgx="$variantl1tf"
# even if we are vulnerable to L1TF, if there's no SGX, we're not vulnerable to the original foreshadow # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
[ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1 [ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1
_debug "is_cpu_vulnerable: final results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf> <$variantl1tf_sgx>" _debug "is_cpu_affected: final results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf> <$variantl1tf_sgx>"
is_cpu_vulnerable_cached=1 is_cpu_affected_cached=1
_is_cpu_vulnerable_cached "$1" _is_cpu_affected_cached "$1"
return $? return $?
} }
@ -685,7 +685,7 @@ is_cpu_mds_free()
[ "$capabilities_mds_no" = 1 ] && return 0 [ "$capabilities_mds_no" = 1 ] && return 0
fi fi
# official statement from AMD says none of their CPUs are vulnerable # official statement from AMD says none of their CPUs are affected
# https://www.amd.com/en/corporate/product-security # https://www.amd.com/en/corporate/product-security
# https://www.amd.com/system/files/documents/security-whitepaper.pdf # https://www.amd.com/system/files/documents/security-whitepaper.pdf
if is_amd; then if is_amd; then
@ -1661,7 +1661,7 @@ parse_cpu_details()
if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
cpu_vendor='ARM' cpu_vendor='ARM'
# some devices (phones or other) have several ARMs and as such different part numbers, # some devices (phones or other) have several ARMs and as such different part numbers,
# an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_vulnerable # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
cpu_part_list=$(awk '/CPU part/ {print $4}' "$procfs/cpuinfo") cpu_part_list=$(awk '/CPU part/ {print $4}' "$procfs/cpuinfo")
cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo") cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
# take the first one to fill the friendly name, do NOT quote the vars below # take the first one to fill the friendly name, do NOT quote the vars below
@ -3075,7 +3075,7 @@ check_cpu()
fi fi
fi fi
_info_nol " * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): " _info_nol " * CPU explicitly indicates not being affected by Meltdown/L1TF (RDCL_NO): "
if [ "$capabilities_rdcl_no" = -1 ]; then if [ "$capabilities_rdcl_no" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_rdcl_no" = 1 ]; then elif [ "$capabilities_rdcl_no" = 1 ]; then
@ -3084,7 +3084,7 @@ check_cpu()
pstatus yellow NO pstatus yellow NO
fi fi
_info_nol " * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): " _info_nol " * CPU explicitly indicates not being affected by Variant 4 (SSB_NO): "
if [ "$capabilities_ssb_no" = -1 ]; then if [ "$capabilities_ssb_no" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_ssb_no" = 1 ] || [ "$amd_ssb_no" = 1 ] || [ "$hygon_ssb_no" = 1 ]; then elif [ "$capabilities_ssb_no" = 1 ] || [ "$amd_ssb_no" = 1 ] || [ "$hygon_ssb_no" = 1 ]; then
@ -3102,7 +3102,7 @@ check_cpu()
pstatus yellow NO pstatus yellow NO
fi fi
_info_nol " * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): " _info_nol " * Hypervisor indicates host CPU might be affected by RSB underflow (RSBA): "
if [ "$capabilities_rsba" = -1 ]; then if [ "$capabilities_rsba" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_rsba" = 1 ]; then elif [ "$capabilities_rsba" = 1 ]; then
@ -3111,7 +3111,7 @@ check_cpu()
pstatus blue NO pstatus blue NO
fi fi
_info_nol " * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): " _info_nol " * CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS_NO): "
if [ "$capabilities_mds_no" = -1 ]; then if [ "$capabilities_mds_no" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_mds_no" = 1 ]; then elif [ "$capabilities_mds_no" = 1 ]; then
@ -3120,7 +3120,7 @@ check_cpu()
pstatus yellow NO pstatus yellow NO
fi fi
_info_nol " * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): " _info_nol " * CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA_NO): "
if [ "$capabilities_taa_no" = -1 ]; then if [ "$capabilities_taa_no" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_taa_no" = 1 ]; then elif [ "$capabilities_taa_no" = 1 ]; then
@ -3129,7 +3129,7 @@ check_cpu()
pstatus yellow NO pstatus yellow NO
fi fi
_info_nol " * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): " _info_nol " * CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE_MSC_NO): "
if [ "$capabilities_pschange_msc_no" = -1 ]; then if [ "$capabilities_pschange_msc_no" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_pschange_msc_no" = 1 ]; then elif [ "$capabilities_pschange_msc_no" = 1 ]; then
@ -3267,7 +3267,7 @@ check_cpu_vulnerabilities()
_info "* CPU vulnerability to the speculative execution attack variants" _info "* CPU vulnerability to the speculative execution attack variants"
for cve in $supported_cve_list; do for cve in $supported_cve_list; do
_info_nol " * Affected by $cve ($(cve2name "$cve")): " _info_nol " * Affected by $cve ($(cve2name "$cve")): "
if is_cpu_vulnerable "$cve"; then if is_cpu_affected "$cve"; then
pstatus yellow YES pstatus yellow YES
else else
pstatus green NO pstatus green NO
@ -3556,7 +3556,7 @@ check_CVE_2017_5753_linux()
fi fi
# report status # report status
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
@ -3591,7 +3591,7 @@ check_CVE_2017_5753_linux()
check_CVE_2017_5753_bsd() check_CVE_2017_5753_bsd()
{ {
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
else else
@ -4007,7 +4007,7 @@ check_CVE_2017_5715_linux()
status=UNK status=UNK
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
else else
@ -4186,7 +4186,7 @@ check_CVE_2017_5715_bsd()
fi fi
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ "$retpoline" = 1 ]; then elif [ "$retpoline" = 1 ]; then
@ -4391,7 +4391,7 @@ check_CVE_2017_5754_linux()
fi fi
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
@ -4478,7 +4478,7 @@ check_CVE_2017_5754_bsd()
pti_performance_check pti_performance_check
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ "$kpti_enabled" = 1 ]; then elif [ "$kpti_enabled" = 1 ]; then
@ -4512,7 +4512,7 @@ check_CVE_2018_3640()
pstatus yellow NO pstatus yellow NO
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ -n "$cpuid_ssbd" ]; then elif [ -n "$cpuid_ssbd" ]; then
@ -4632,7 +4632,7 @@ check_CVE_2018_3639_linux()
status=UNK status=UNK
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then
@ -4695,7 +4695,7 @@ check_CVE_2018_3639_bsd()
*) pstatus yellow NO;; *) pstatus yellow NO;;
esac esac
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
else else
if [ "$ssb_active" = 1 ]; then if [ "$ssb_active" = 1 ]; then
@ -4743,7 +4743,7 @@ check_CVE_2018_3615()
pstatus blue N/A pstatus blue N/A
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ "$cpu_flush_cmd" = 1 ] || { [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ]; } ; then elif [ "$cpu_flush_cmd" = 1 ] || { [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ]; } ; then
@ -4818,7 +4818,7 @@ check_CVE_2018_3620_linux()
status=UNK status=UNK
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
@ -4858,7 +4858,7 @@ check_CVE_2018_3620_bsd()
bsd_zero_reserved=0 bsd_zero_reserved=0
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
else else
if [ "$bsd_zero_reserved" = 1 ]; then if [ "$bsd_zero_reserved" = 1 ]; then
@ -5013,7 +5013,7 @@ check_CVE_2018_3646_linux()
l1d_mode=-1 l1d_mode=-1
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ "$fullmsg" = "Not affected" ]; then elif [ "$fullmsg" = "Not affected" ]; then
@ -5076,7 +5076,7 @@ check_CVE_2018_3646_bsd()
*) pstatus yellow UNKNOWN;; *) pstatus yellow UNKNOWN;;
esac esac
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
else else
if [ "$kernel_l1d_enabled" = 1 ]; then if [ "$kernel_l1d_enabled" = 1 ]; then
@ -5204,7 +5204,7 @@ check_mds_bsd()
*) pstatus yellow UNKNOWN *) pstatus yellow UNKNOWN
esac esac
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else else
if [ "$cpuid_md_clear" = 1 ]; then if [ "$cpuid_md_clear" = 1 ]; then
@ -5297,7 +5297,7 @@ check_mds_linux()
status=UNK status=UNK
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else else
@ -5421,7 +5421,7 @@ check_CVE_2019_11135_linux()
status=UNK status=UNK
fi fi
if ! is_cpu_vulnerable "$cve" ; then if ! is_cpu_affected "$cve" ; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
@ -5454,7 +5454,7 @@ check_CVE_2019_11135_linux()
check_CVE_2019_11135_bsd() check_CVE_2019_11135_bsd()
{ {
if ! is_cpu_vulnerable "$cve" ; then if ! is_cpu_affected "$cve" ; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else else
@ -5526,7 +5526,7 @@ check_CVE_2018_12207_linux()
status=UNK status=UNK
fi fi
if ! is_cpu_vulnerable "$cve" ; then if ! is_cpu_affected "$cve" ; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ "$has_vmm" = 0 ]; then elif [ "$has_vmm" = 0 ]; then
@ -5565,7 +5565,7 @@ check_CVE_2018_12207_bsd()
pstatus yellow NO pstatus yellow NO
fi fi
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$kernel_2m_x_ept" ]; then elif [ -z "$kernel_2m_x_ept" ]; then
@ -5588,6 +5588,8 @@ check_CVE_2020_0543()
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
if [ "$os" = Linux ]; then if [ "$os" = Linux ]; then
check_CVE_2020_0543_linux check_CVE_2020_0543_linux
elif echo "$os" | grep -q BSD; then
check_CVE_2020_0543_bsd
else else
_warn "Unsupported OS ($os)" _warn "Unsupported OS ($os)"
fi fi
@ -5636,7 +5638,7 @@ check_CVE_2020_0543_linux()
msg="/sys vulnerability interface use forced, but it's not available!" msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK status=UNK
fi fi
if ! is_cpu_vulnerable "$cve" ; then if ! is_cpu_affected "$cve" ; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else else
@ -5688,6 +5690,16 @@ check_CVE_2020_0543_linux()
fi fi
} }
check_CVE_2020_0543_bsd()
{
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
####################### #######################
# END OF VULNS SECTIONS # END OF VULNS SECTIONS