Skip to content

Commit

Permalink
fix(offline): report unknown when too few info
Browse files Browse the repository at this point in the history 
In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
  • Loading branch information
@speed47
speed47 committed Jan 23, 2018
1 parent c8a25c5 commit 3e454f1
Showing 1 changed file with 15 additions and 3 deletions.
18 changes: 15 additions & 3 deletions spectre-meltdown-checker.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -928,7 +928,9 @@ check_variant2()
fi

_info_nol "* Kernel support for IBRS: "
ibrs_can_tell=0
if [ "$opt_live" = 1 ]; then
ibrs_can_tell=1
mount_debugfs
for ibrs_file in \
/sys/kernel/debug/ibrs_enabled \
Expand Down Expand Up @@ -962,14 +964,20 @@ check_variant2()
fi
fi
if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
ibrs_can_tell=1
if grep -q spec_ctrl "$opt_map"; then
pstatus green YES
ibrs_supported=1
_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
fi
fi
if [ "$ibrs_supported" != 1 ]; then
pstatus red NO
if [ "$ibrs_can_tell" = 1 ]; then
pstatus red NO
else
# if we're in offline mode without System.map, we can't really know
pstatus yellow UNKNOWN "in offline mode, we need System.map to be able to tell"
fi
fi

_info_nol "* IBRS enabled for Kernel space: "
Expand Down Expand Up @@ -1068,8 +1076,10 @@ check_variant2()
else
if [ "$ibrs_supported" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime"
else
elif [ "$ibrs_can_tell" = 1 ]; then
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
else
pvulnstatus CVE-2017-5715 UNK "offline mode: not enough information"
fi
fi
else
Expand Down Expand Up @@ -1235,8 +1245,10 @@ check_variant3()
else
if [ "$kpti_support" = 1 ]; then
pvulnstatus $cve OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
else
elif [ "$kpti_can_tell" = 1 ]; then
pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
else
pvulnstatus $cve UNK "offline mode: not enough information"
fi
fi
else
Expand Down

0 comments on commit 3e454f1

Please sign in to comment.