Compare commits
No commits in common. "9b7b09ada3caf56c1e6169a1240909010f5c8e49" and "44223c5308d14b277d9dc00a26b4333520e1261a" have entirely different histories.
9b7b09ada3
...
44223c5308
6
.github/workflows/check.yml
@ -24,7 +24,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
- name: check direct execution
|
- name: check direct execution
|
||||||
run: |
|
run: |
|
||||||
expected=18
|
expected=17
|
||||||
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
|
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
if [ "$nb" -ne "$expected" ]; then
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
||||||
@ -34,7 +34,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
- name: check docker-compose run execution
|
- name: check docker-compose run execution
|
||||||
run: |
|
run: |
|
||||||
expected=18
|
expected=17
|
||||||
docker-compose build
|
docker-compose build
|
||||||
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
if [ "$nb" -ne "$expected" ]; then
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
@ -45,7 +45,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
- name: check docker run execution
|
- name: check docker run execution
|
||||||
run: |
|
run: |
|
||||||
expected=18
|
expected=17
|
||||||
docker build -t spectre-meltdown-checker .
|
docker build -t spectre-meltdown-checker .
|
||||||
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
if [ "$nb" -ne "$expected" ]; then
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
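Review bot: The expected CVE count is hard-coded separately in each of the three steps (`expected=17` in "check direct execution", "check docker-compose run execution" and "check docker run execution"), so every change to the script's supported list has to be mirrored three times and a missed edit fails CI for the wrong reason. A single job-level `env:` value read by all three `run:` blocks, e.g. `EXPECTED_CVES: 17` (name constructed here) with `expected="$EXPECTED_CVES"`, keeps them in lock-step. A one-line comment next to that value saying it must match the length of `supported_cve_list` in the script would also tell the next contributor where the number comes from.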
|
@ -21,7 +21,6 @@ CVE
|
|||||||
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | MCEPSC, No eXcuses, iTLB Multihit
|
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | MCEPSC, No eXcuses, iTLB Multihit
|
||||||
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS
|
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS
|
||||||
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | GDS, Downfall
|
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | GDS, Downfall
|
||||||
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, RAS, SRSO
|
|
||||||
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
|
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
|
||||||
|
|
||||||
Supported operating systems:
|
Supported operating systems:
|
||||||
@ -188,12 +187,6 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
|
|||||||
- Mitigation: either microcode update or disabling AVX feature
|
- Mitigation: either microcode update or disabling AVX feature
|
||||||
- Performance impact of the mitigation: TBD
|
- Performance impact of the mitigation: TBD
|
||||||
|
|
||||||
**CVE-2023-20569** Return Address Security (Inception)
|
|
||||||
|
|
||||||
- Impact: Kernel & all software
|
|
||||||
- Mitigation: updated kernel & microcode
|
|
||||||
- Performance impact of the mitigation: low to significant depending on the mitigation
|
|
||||||
|
|
||||||
**CVE-2023-20593** Cross-Process Information Leak (Zenbleed)
|
**CVE-2023-20593** Cross-Process Information Leak (Zenbleed)
|
||||||
|
|
||||||
- Impact: Kernel & all software
|
- Impact: Kernel & all software
|
||||||
|
@ -177,7 +177,7 @@ global_critical=0
|
|||||||
global_unknown=0
|
global_unknown=0
|
||||||
nrpe_vuln=''
|
nrpe_vuln=''
|
||||||
|
|
||||||
supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207 CVE-2020-0543 CVE-2023-20593 CVE-2022-40982 CVE-2023-20569'
|
supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207 CVE-2020-0543 CVE-2023-20593 CVE-2022-40982'
|
||||||
|
|
||||||
# find a sane command to print colored messages, we prefer `printf` over `echo`
|
# find a sane command to print colored messages, we prefer `printf` over `echo`
|
||||||
# because `printf` behavior is more standard across Linux/BSD
|
# because `printf` behavior is more standard across Linux/BSD
|
||||||
@ -304,7 +304,6 @@ cve2name()
|
|||||||
CVE-2020-0543) echo "Special Register Buffer Data Sampling (SRBDS)";;
|
CVE-2020-0543) echo "Special Register Buffer Data Sampling (SRBDS)";;
|
||||||
CVE-2023-20593) echo "Zenbleed, cross-process information leak";;
|
CVE-2023-20593) echo "Zenbleed, cross-process information leak";;
|
||||||
CVE-2022-40982) echo "Downfall, gather data sampling (GDS)";;
|
CVE-2022-40982) echo "Downfall, gather data sampling (GDS)";;
|
||||||
CVE-2023-20569) echo "Inception, return address security (RAS)";;
|
|
||||||
*) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;;
|
*) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
@ -331,7 +330,6 @@ _is_cpu_affected_cached()
|
|||||||
CVE-2020-0543) return $variant_srbds;;
|
CVE-2020-0543) return $variant_srbds;;
|
||||||
CVE-2023-20593) return $variant_zenbleed;;
|
CVE-2023-20593) return $variant_zenbleed;;
|
||||||
CVE-2022-40982) return $variant_downfall;;
|
CVE-2022-40982) return $variant_downfall;;
|
||||||
CVE-2023-20569) return $variant_inception;;
|
|
||||||
*) echo "$0: error: invalid variant '$1' passed to is_cpu_affected()" >&2; exit 255;;
|
*) echo "$0: error: invalid variant '$1' passed to is_cpu_affected()" >&2; exit 255;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
@ -399,9 +397,8 @@ is_cpu_affected()
|
|||||||
variant_taa=''
|
variant_taa=''
|
||||||
variant_itlbmh=''
|
variant_itlbmh=''
|
||||||
variant_srbds=''
|
variant_srbds=''
|
||||||
# Zenbleed and Inception are both AMD specific, look for "is_amd" below:
|
# Zenbleed is AMD specific, look for "is_amd" below:
|
||||||
variant_zenbleed=immune
|
variant_zenbleed=immune
|
||||||
variant_inception=immune
|
|
||||||
# Downfall is Intel specific, look for "is_intel" below:
|
# Downfall is Intel specific, look for "is_intel" below:
|
||||||
variant_downfall=immune
|
variant_downfall=immune
|
||||||
|
|
||||||
@ -563,12 +560,6 @@ is_cpu_affected()
|
|||||||
amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && variant_zenbleed=vuln
|
amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && variant_zenbleed=vuln
|
||||||
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && variant_zenbleed=vuln
|
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && variant_zenbleed=vuln
|
||||||
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && variant_zenbleed=vuln
|
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && variant_zenbleed=vuln
|
||||||
|
|
||||||
# Inception (according to kernel, zen 1 to 4)
|
|
||||||
if [ "$cpu_family" = $(( 0x17 )) ] || [ "$cpu_family" = $(( 0x19 )) ]; then
|
|
||||||
variant_inception=vuln
|
|
||||||
fi
|
|
||||||
|
|
||||||
elif [ "$cpu_vendor" = CAVIUM ]; then
|
elif [ "$cpu_vendor" = CAVIUM ]; then
|
||||||
variant3=immune
|
variant3=immune
|
||||||
variant3a=immune
|
variant3a=immune
|
||||||
@ -726,7 +717,6 @@ is_cpu_affected()
|
|||||||
[ "$variant_srbds" = "immune" ] && variant_srbds=1 || variant_srbds=0
|
[ "$variant_srbds" = "immune" ] && variant_srbds=1 || variant_srbds=0
|
||||||
[ "$variant_zenbleed" = "immune" ] && variant_zenbleed=1 || variant_zenbleed=0
|
[ "$variant_zenbleed" = "immune" ] && variant_zenbleed=1 || variant_zenbleed=0
|
||||||
[ "$variant_downfall" = "immune" ] && variant_downfall=1 || variant_downfall=0
|
[ "$variant_downfall" = "immune" ] && variant_downfall=1 || variant_downfall=0
|
||||||
[ "$variant_inception" = "immune" ] && variant_inception=1 || variant_inception=0
|
|
||||||
variantl1tf_sgx="$variantl1tf"
|
variantl1tf_sgx="$variantl1tf"
|
||||||
# even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
|
# even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
|
||||||
[ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1
|
[ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1
|
||||||
@ -1301,7 +1291,7 @@ while [ -n "${1:-}" ]; do
|
|||||||
fi
|
fi
|
||||||
case "$2" in
|
case "$2" in
|
||||||
help) echo "The following parameters are supported for --variant (can be used multiple times):";
|
help) echo "The following parameters are supported for --variant (can be used multiple times):";
|
||||||
echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, inception";
|
echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall";
|
||||||
exit 0;;
|
exit 0;;
|
||||||
1) opt_cve_list="$opt_cve_list CVE-2017-5753"; opt_cve_all=0;;
|
1) opt_cve_list="$opt_cve_list CVE-2017-5753"; opt_cve_all=0;;
|
||||||
2) opt_cve_list="$opt_cve_list CVE-2017-5715"; opt_cve_all=0;;
|
2) opt_cve_list="$opt_cve_list CVE-2017-5715"; opt_cve_all=0;;
|
||||||
@ -1318,7 +1308,6 @@ while [ -n "${1:-}" ]; do
|
|||||||
srbds) opt_cve_list="$opt_cve_list CVE-2020-0543"; opt_cve_all=0;;
|
srbds) opt_cve_list="$opt_cve_list CVE-2020-0543"; opt_cve_all=0;;
|
||||||
zenbleed) opt_cve_list="$opt_cve_list CVE-2023-20593"; opt_cve_all=0;;
|
zenbleed) opt_cve_list="$opt_cve_list CVE-2023-20593"; opt_cve_all=0;;
|
||||||
downfall) opt_cve_list="$opt_cve_list CVE-2022-40982"; opt_cve_all=0;;
|
downfall) opt_cve_list="$opt_cve_list CVE-2022-40982"; opt_cve_all=0;;
|
||||||
inception) opt_cve_list="$opt_cve_list CVE-2023-20569"; opt_cve_all=0;;
|
|
||||||
*)
|
*)
|
||||||
echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2;
|
echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2;
|
||||||
exit 255
|
exit 255
|
||||||
@ -1413,7 +1402,6 @@ pvulnstatus()
|
|||||||
CVE-2020-0543) aka="SRBDS";;
|
CVE-2020-0543) aka="SRBDS";;
|
||||||
CVE-2023-20593) aka="ZENBLEED";;
|
CVE-2023-20593) aka="ZENBLEED";;
|
||||||
CVE-2022-40982) aka="DOWNFALL";;
|
CVE-2022-40982) aka="DOWNFALL";;
|
||||||
CVE-2023-20569) aka="INCEPTION";;
|
|
||||||
*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
|
*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -2704,8 +2692,7 @@ sys_interface_check()
|
|||||||
|
|
||||||
# write_msr
|
# write_msr
|
||||||
# param1 (mandatory): MSR, can be in hex or decimal.
|
# param1 (mandatory): MSR, can be in hex or decimal.
|
||||||
# param2 (optional): value to write, can be in hex or decimal.
|
# param2 (optional): CPU index, starting from 0. Default 0.
|
||||||
# param3 (optional): CPU index, starting from 0. Default 0.
|
|
||||||
WRITE_MSR_RET_OK=0
|
WRITE_MSR_RET_OK=0
|
||||||
WRITE_MSR_RET_KO=1
|
WRITE_MSR_RET_KO=1
|
||||||
WRITE_MSR_RET_ERR=2
|
WRITE_MSR_RET_ERR=2
|
||||||
@ -2741,8 +2728,6 @@ write_msr_one_core()
|
|||||||
_core="$1"
|
_core="$1"
|
||||||
_msr_dec=$(( $2 ))
|
_msr_dec=$(( $2 ))
|
||||||
_msr=$(printf "0x%x" "$_msr_dec")
|
_msr=$(printf "0x%x" "$_msr_dec")
|
||||||
_value_dec=$(( $3 ))
|
|
||||||
_value=$(printf "0x%x" "$_value_dec")
|
|
||||||
|
|
||||||
write_msr_msg='unknown error'
|
write_msr_msg='unknown error'
|
||||||
: "${msr_locked_down:=0}"
|
: "${msr_locked_down:=0}"
|
||||||
@ -2767,7 +2752,7 @@ write_msr_one_core()
|
|||||||
|
|
||||||
_write_denied=0
|
_write_denied=0
|
||||||
if [ "$os" != Linux ]; then
|
if [ "$os" != Linux ]; then
|
||||||
cpucontrol -m "$_msr=$_value" "/dev/cpuctl$_core" >/dev/null 2>&1; ret=$?
|
cpucontrol -m "$_msr=0" "/dev/cpuctl$_core" >/dev/null 2>&1; ret=$?
|
||||||
else
|
else
|
||||||
# for Linux
|
# for Linux
|
||||||
# convert to decimal
|
# convert to decimal
|
||||||
@ -2777,16 +2762,16 @@ write_msr_one_core()
|
|||||||
# if wrmsr is available, use it
|
# if wrmsr is available, use it
|
||||||
elif command -v wrmsr >/dev/null 2>&1 && [ "${SMC_NO_WRMSR:-}" != 1 ]; then
|
elif command -v wrmsr >/dev/null 2>&1 && [ "${SMC_NO_WRMSR:-}" != 1 ]; then
|
||||||
_debug "write_msr: using wrmsr"
|
_debug "write_msr: using wrmsr"
|
||||||
wrmsr $_msr_dec $_value_dec 2>/dev/null; ret=$?
|
wrmsr $_msr_dec 0 2>/dev/null; ret=$?
|
||||||
# ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
|
# ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
|
||||||
[ "$ret" = 127 ] && _write_denied=1
|
[ "$ret" = 127 ] && _write_denied=1
|
||||||
# or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
|
# or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
|
||||||
elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
|
elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
|
||||||
_debug "write_msr: using dd"
|
_debug "write_msr: using dd"
|
||||||
awk "BEGIN{printf \"%c\", $_value_dec}" | dd of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
|
dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
|
||||||
# if it failed, inspect stderrto look for EPERM
|
# if it failed, inspect stderrto look for EPERM
|
||||||
if [ "$ret" != 0 ]; then
|
if [ "$ret" != 0 ]; then
|
||||||
if awk "BEGIN{printf \"%c\", $_value_dec}" | dd of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
|
if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
|
||||||
_write_denied=1
|
_write_denied=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -2794,7 +2779,7 @@ write_msr_one_core()
|
|||||||
elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
|
elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
|
||||||
_debug "write_msr: using perl"
|
_debug "write_msr: using perl"
|
||||||
ret=1
|
ret=1
|
||||||
perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack(v4,$_value_dec)))"; [ $? -eq 8 ] && ret=0
|
perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
|
||||||
else
|
else
|
||||||
_debug "write_msr: got no wrmsr, perl or recent enough dd!"
|
_debug "write_msr: got no wrmsr, perl or recent enough dd!"
|
||||||
mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
|
mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
|
||||||
@ -2839,7 +2824,7 @@ write_msr_one_core()
|
|||||||
else
|
else
|
||||||
ret=$WRITE_MSR_RET_KO
|
ret=$WRITE_MSR_RET_KO
|
||||||
fi
|
fi
|
||||||
_debug "write_msr: for cpu $_core on msr $_msr, value=$_value, ret=$ret"
|
_debug "write_msr: for cpu $_core on msr $_msr, ret=$ret"
|
||||||
mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$ret")
|
mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$ret")
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
@ -3533,29 +3518,6 @@ check_cpu()
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if is_amd || is_hygon; then
|
|
||||||
_info " * Selective Branch Predictor Barrier (SBPB)"
|
|
||||||
_info_nol " * PRED_CMD MSR supports SBPB bit write: "
|
|
||||||
|
|
||||||
if [ "$opt_allow_msr_write" = 1 ]; then
|
|
||||||
# the MSR PRED_SBPB is at offset 0x49, BIT(7), write-only
|
|
||||||
write_msr 0x49 128; ret=$?
|
|
||||||
if [ $ret = $WRITE_MSR_RET_OK ]; then
|
|
||||||
pstatus green YES
|
|
||||||
cpuid_sbpb=1
|
|
||||||
elif [ $ret = $WRITE_MSR_RET_KO ]; then
|
|
||||||
pstatus yellow NO
|
|
||||||
cpuid_sbpb=2
|
|
||||||
else
|
|
||||||
pstatus yellow UNKNOWN "$write_msr_msg"
|
|
||||||
cpuid_sbpb=3
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
pstatus yellow UNKNOWN "not allowed to write msr"
|
|
||||||
cpuid_sbpb=3
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
_info_nol " * CPU supports Transactional Synchronization Extensions (TSX): "
|
_info_nol " * CPU supports Transactional Synchronization Extensions (TSX): "
|
||||||
ret=$READ_CPUID_RET_KO
|
ret=$READ_CPUID_RET_KO
|
||||||
cpuid_rtm=0
|
cpuid_rtm=0
|
||||||
@ -6321,174 +6283,6 @@ check_CVE_2022_40982_linux() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#######################
|
|
||||||
# Inception section
|
|
||||||
|
|
||||||
check_CVE_2023_20569() {
|
|
||||||
cve='CVE-2023-20569'
|
|
||||||
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
|
|
||||||
if [ "$os" = Linux ]
|
|
||||||
then
|
|
||||||
check_CVE_2023_20569_linux
|
|
||||||
else
|
|
||||||
_warn "Unsupported OS ($os)."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_CVE_2023_20569_linux() {
|
|
||||||
status=UNK
|
|
||||||
sys_interface_available=0
|
|
||||||
msg=''
|
|
||||||
|
|
||||||
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow"; then
|
|
||||||
# this kernel has the /sys interface, trust it over everything
|
|
||||||
sys_interface_available=1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$opt_sysfs_only" != 1 ]; then
|
|
||||||
_info_nol "* Kernel supports mitigation: "
|
|
||||||
if [ -n "$kernel_err" ]; then
|
|
||||||
kernel_sro_err="$kernel_err"
|
|
||||||
elif grep -q 'spec_rstack_overflow' "$kernel"; then
|
|
||||||
kernel_sro="found spec_rstack_overflow in kernel image"
|
|
||||||
fi
|
|
||||||
if [ -n "$kernel_sro" ]; then
|
|
||||||
pstatus green YES "$kernel_sro"
|
|
||||||
elif [ -n "$kernel_sro_err" ]; then
|
|
||||||
pstatus yellow UNKNOWN "$kernel_sro_err"
|
|
||||||
else
|
|
||||||
pstatus yellow NO
|
|
||||||
fi
|
|
||||||
|
|
||||||
_info_nol "* Kernel compiled with SRSO support: "
|
|
||||||
if [ -r "$opt_config" ]; then
|
|
||||||
if grep -q '^CONFIG_CPU_SRSO=y' "$opt_config"; then
|
|
||||||
pstatus green YES
|
|
||||||
kernel_srso="CONFIG_CPU_SRSO=y found in kernel config"
|
|
||||||
else
|
|
||||||
pstatus yellow NO "required for safe RET and ibpb_on_vmexit mitigations"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# https://github.com/torvalds/linux/commit/138bcddb86d8a4f842e4ed6f0585abc9b1a764ff#diff-17bd24a7a7850613cced545790ac30646097e8d6207348c2bd1845f397acb390R2313
|
|
||||||
if [ -n "$kernel_err" ]; then
|
|
||||||
pstatus yellow UNKNOWN "$kernel_err"
|
|
||||||
elif grep -q 'WARNING: kernel not compiled with CPU_SRSO' "$kernel"; then
|
|
||||||
# this msg is optimized out at compile time if the option is not enabled, see commit referenced above
|
|
||||||
# if it's present, then SRSO is NOT compiled in
|
|
||||||
pstatus yellow NO "kernel not compiled with CPU_SRSO"
|
|
||||||
else
|
|
||||||
# if it's not present, then SRSO is compiled in IF kernel_sro==1, otherwise we're just
|
|
||||||
# in front of an old kernel that doesn't have the mitigation logic at all
|
|
||||||
if [ "$kernel_sro" = 1 ]; then
|
|
||||||
kernel_srso="SRSO mitigation logic is compiled in the kernel"
|
|
||||||
pstatus green OK "$kernel_srso"
|
|
||||||
else
|
|
||||||
pstatus yellow NO "your kernel is too old and doesn't have the mitigation logic"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
_info_nol "* Kernel compiled with IBPB_ENTRY support: "
|
|
||||||
if [ -r "$opt_config" ]; then
|
|
||||||
if grep -q '^CONFIG_CPU_IBPB_ENTRY=y' "$opt_config"; then
|
|
||||||
pstatus green YES
|
|
||||||
kernel_ibpb_entry="CONFIG_CPU_IBPB_ENTRY=y found in kernel config"
|
|
||||||
else
|
|
||||||
pstatus yellow NO
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# https://github.com/torvalds/linux/commit/138bcddb86d8a4f842e4ed6f0585abc9b1a764ff#diff-17bd24a7a7850613cced545790ac30646097e8d6207348c2bd1845f397acb390R2325
|
|
||||||
if [ -n "$kernel_err" ]; then
|
|
||||||
pstatus yellow UNKNOWN "$kernel_err"
|
|
||||||
elif grep -q 'WARNING: kernel not compiled with CPU_IBPB_ENTRY' "$kernel"; then
|
|
||||||
# this msg is optimized out at compile time if the option is not enabled, see commit referenced above
|
|
||||||
# if it's present, then IBPB_ENTRY is NOT compiled in
|
|
||||||
pstatus yellow NO "kernel not compiled with CPU_IBPB_ENTRY"
|
|
||||||
else
|
|
||||||
# if it's not present, then IBPB_ENTRY is compiled in IF kernel_sro==1, otherwise we're just
|
|
||||||
# in front of an old kernel that doesn't have the mitigation logic at all
|
|
||||||
if [ "$kernel_sro" = 1 ]; then
|
|
||||||
kernel_ibpb_entry="IBPB_ENTRY mitigation logic is compiled in the kernel"
|
|
||||||
pstatus green OK "$kernel_ibpb_entry"
|
|
||||||
else
|
|
||||||
pstatus yellow NO "your kernel is too old and doesn't have the mitigation logic"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Zen & Zen2 : if the right IBPB microcode applied + SMT off --> not vuln
|
|
||||||
if [ "$cpu_family" = $(( 0x17 )) ]; then
|
|
||||||
_info_nol "* CPU supports IBPB: "
|
|
||||||
if [ -n "$cpuid_ibpb" ]; then
|
|
||||||
pstatus green YES "$cpuid_ibpb"
|
|
||||||
else
|
|
||||||
pstatus yellow NO
|
|
||||||
fi
|
|
||||||
|
|
||||||
_info_nol "* Hyper-Threading (SMT) is enabled: "
|
|
||||||
is_cpu_smt_enabled; smt_enabled=$?
|
|
||||||
if [ "$smt_enabled" = 0 ]; then
|
|
||||||
pstatus yellow YES
|
|
||||||
else
|
|
||||||
pstatus green NO
|
|
||||||
fi
|
|
||||||
# Zen 3/4 microcode brings SBPB mitigation
|
|
||||||
elif [ "$cpu_family" = $(( 0x19 )) ]; then
|
|
||||||
_info_nol "* CPU supports SBPB: "
|
|
||||||
if [ "$cpuid_sbpb" = 1 ]; then
|
|
||||||
pstatus green YES
|
|
||||||
elif [ "$cpuid_sbpb" = 3 ]; then
|
|
||||||
pstatus yellow UNKNOWN "cannot write MSR, rerun with --allow-msr-write"
|
|
||||||
else
|
|
||||||
pstatus yellow NO
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
elif [ "$sys_interface_available" = 0 ]; then
|
|
||||||
# we have no sysfs but were asked to use it only!
|
|
||||||
msg="/sys vulnerability interface use forced, but it's not available!"
|
|
||||||
status=UNK
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! is_cpu_affected "$cve" ; then
|
|
||||||
# override status & msg in case CPU is not vulnerable after all
|
|
||||||
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
|
||||||
elif [ -z "$msg" ]; then
|
|
||||||
# if msg is empty, sysfs check didn't fill it, so we rely on our own logic
|
|
||||||
# Zen/Zen2
|
|
||||||
if [ "$cpu_family" = $(( 0x17 )) ]; then
|
|
||||||
if [ "$smt_enabled" = 0 ]; then
|
|
||||||
pvulnstatus "$cve" VULN "SMT is enabled on your Zen/Zen2 CPU, which makes mitigation ineffective"
|
|
||||||
explain "For Zen/Zen2 CPUs, proper mitigation needs an up to date microcode, and SMT needs to be disabled (this can be done by adding \`nosmt\` to your kernel command line)"
|
|
||||||
elif [ -z "$kernel_sro" ]; then
|
|
||||||
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
|
|
||||||
elif [ -n "$cpuid_ibpb" ]; then
|
|
||||||
pvulnstatus "$cve" OK "SMT is disabled and both your kernel and microcode support mitigation"
|
|
||||||
else
|
|
||||||
pvulnstatus "$cve" VULN "Your microcode is too old"
|
|
||||||
fi
|
|
||||||
# Zen3/Zen4
|
|
||||||
elif [ "$cpu_family" = $(( 0x19 )) ]; then
|
|
||||||
if [ -z "$kernel_sro" ]; then
|
|
||||||
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
|
|
||||||
elif [ -z "$kernel_srso" ] && [ -z "$kernel_ibpb_entry" ]; then
|
|
||||||
pvulnstatus "$cve" VULN "Your kernel doesn't have either SRSO or IBPB_ENTRY compiled-in"
|
|
||||||
elif [ "$cpuid_sbpb" = 3 ]; then
|
|
||||||
pvulnstatus "$cve" UNK "Couldn't verify if your microcode supports IBPB (rerun with --allow-msr-write)"
|
|
||||||
elif [ "$cpuid_sbpb" = 2 ]; then
|
|
||||||
pvulnstatus "$cve" VULN "Your microcode doesn't support SBPB"
|
|
||||||
else
|
|
||||||
pvulnstatus "$cve" OK "Your kernel and microcode both support mitigation"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# not supposed to happen, as normally this CPU should not be affected and not run this code
|
|
||||||
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
pvulnstatus $cve "$status" "$msg"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#######################
|
#######################
|
||||||
# END OF VULNS SECTIONS
|
# END OF VULNS SECTIONS
|
||||||
|
|
||||||
|
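Review bot: In the `dd` branch of write_msr_one_core, when the write fails the new side runs the identical `dd if=/dev/zero ... of=/dev/cpu/"$_core"/msr` a second time only to grep its stderr for `Operation not permitted`, so a write that failed for another reason (e.g. EIO) is attempted against the MSR again before `_write_denied` is decided. Capturing stderr on the first attempt gives the same EPERM/EIO distinction with exactly one side-effecting write and keeps `ret` tied to the attempt that was actually inspected; the `cpucontrol`, `wrmsr` and `perl` branches already write once. The same double invocation is present in the older `awk`-fed form, so this is not introduced by the commit, and write_msr_one_core starts and ends outside this hunk.

```shell
elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
	_debug "write_msr: using dd"
	# single attempt: keep stderr so EPERM can be told apart from EIO without writing the MSR a second time
	_dd_err=$(dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1); ret=$?
	if [ "$ret" != 0 ] && printf '%s\n' "$_dd_err" | grep -qF 'Operation not permitted'; then
		_write_denied=1
	fi
# … unchanged: perl fallback and the remaining branches …
```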