speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

Spectre Variant 1 - Differences between v032 and v034 results on RHEL 6 #127

Closed robleady closed 6 years ago

robleady commented 6 years ago

On a fully patched RHEL 6 system, v034 is reporting Spectre Variant 1 as being Vulnerable, but on v032 it was Not Vulnerable.

Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 2.6.32-696.20.1.el6.x86_64 #1 SMP Fri Jan 12 15:07:59 EST 2018 x86_64
CPU is  Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES
> STATUS:  NOT VULNERABLE  (85 opcodes found, which is >= 70, heuristic to be improved when official patches become available)

Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 2.6.32-696.20.1.el6.x86_64 #1 SMP Fri Jan 12 15:07:59 EST 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 62 stepping 4 ucode 1066)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 23 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

Does that imply Red Hat's fixes for CVE-2017-5753 are incomplete, or is the latter script doing something wrong/different?
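The two heuristics whose verdicts disagree above, re-implemented as an added example (not the checker's own code) over a constructed objdump-style listing built to reproduce the reported counts: 85 LFENCE opcodes in total but only 23 of them directly after a conditional jump, so the v0.32 rule passes while the v0.34 rule fails. The thresholds are the ones printed in the two outputs; the listing and its addresses are made up.

```python
# Both Spectre v1 LFENCE heuristics from this issue, re-implemented on an
# objdump-style listing (not the checker's own code).
import re

V032_THRESHOLD = 70   # total lfence opcodes, from the v0.32 output
V034_THRESHOLD = 30   # jump-then-lfence pairs, from the v0.34 output

# Conditional jumps as objdump prints them (j<cc>), never the plain jmp.
_COND_JUMP = re.compile(r"^j(?!mp$)[a-z]{1,4}$")

def mnemonics(listing):
    """Mnemonic column of 'addr:<TAB>bytes<TAB>mnemonic operands' lines."""
    out = []
    for line in listing.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:      # headers, labels, blank lines
            continue
        fields = parts[2].split()
        if fields:
            out.append(fields[0])
    return out

def count_lfence(listing):
    """v0.32 heuristic: every lfence in the kernel text counts."""
    return sum(1 for m in mnemonics(listing) if m == "lfence")

def count_jump_then_lfence(listing):
    """v0.34 heuristic: only an lfence directly after a conditional jump."""
    ms = mnemonics(listing)
    return sum(1 for a, b in zip(ms, ms[1:])
               if _COND_JUMP.match(a) and b == "lfence")

def verdicts(listing):
    """True means the heuristic would report NOT VULNERABLE."""
    return {"v0.32": count_lfence(listing) >= V032_THRESHOLD,
            "v0.34": count_jump_then_lfence(listing) >= V034_THRESHOLD}

def build_listing(total_lfence=85, after_jump=23):
    """Constructed listing (not a real kernel) matching the counts above:
    85 lfence opcodes in total, only 23 of them right after a jump."""
    lines, addr = [], 0xffffffff81001000
    for i in range(total_lfence):
        if i < after_jump:   # a bounds check: jae over the fenced access
            lines.append(f"{addr:x}:\t73 05\tjae    {addr + 5:x}")
            addr += 2
        lines.append(f"{addr:x}:\t0f ae e8\tlfence")
        addr += 3
    return "\n".join(lines) + "\n"
```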

knweiss commented 6 years ago

FWIW: I see the same difference on RHEL6. The new heuristic doesn't seem to cover Red Hat's Spectre Variant 1 mitigation on RHEL6.

Here's the comparison of Spectre Variant 1 between 0.34 and Red Hat's own checker spectre-meltdown--23ef32a.sh:

# spectre-meltdown-checker 
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 2.6.32-696.20.1.el6.x86_64 #1 SMP Fri Jan 26 17:51:45 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 28)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO 
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 23 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)
[...]

Red Hat's checker:

# sh spectre-meltdown--23ef32a.sh

This script is primarily designed to detect Spectre / Meltdown on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Detected CPU vendor: Intel
Running kernel: 2.6.32-696.20.1.el6.x86_64

Variant #1 (Spectre): Mitigated
CVE-2017-5753 - speculative execution bounds-check bypass
   - Kernel with mitigation patches: OK
[...]

speed47 commented 6 years ago

Thanks for the reports. I checked RedHat's detection script, but unfortunately it just relies on the fact that the kernel has IBRS enabled (part of variant 2 mitigation) to come to the conclusion that variant 1 is also mitigated. This works only for their kernels (as they correctly state) because they somehow know that they patched variant 1 and 2 at the same time. Unfortunately I can't rely on that information for my script because that's almost always false except for RedHat.

Their variant 1 mitigation is also different from the one that is being pushed upstream, so I have to find a way to reliably detect this "variant 1 mitigation flavour" without explicitly checking if it's a RedHat kernel (I want to be distro and arch agnostic).

knweiss commented 6 years ago

I hope they'll backport the /sys/devices/system/cpu/vulnerabilities/ directory to RHEL6, too.

speed47 commented 6 years ago

I've been working on a branch to enhance detection for Canonical (Ubuntu) and RedHat versions of the patches, that are different from the upstream Linux kernel patches. Could you try it again with the redhat_canonical branch and report the results here? ( https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/redhat_canonical/spectre-meltdown-checker.sh ).

robleady commented 6 years ago

That seems to be working better. Output from a run on RHEL 6:

# sh spectre-meltdown-checker.v034+.sh
Spectre and Meltdown mitigation detection tool v0.34+

Checking for vulnerabilities on current system
Kernel is Linux 2.6.32-696.20.1.el6.x86_64 #1 SMP Fri Jan 12 15:07:59 EST 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 62 stepping 4 ucode 1066)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Kernel has the RedHat/Ubuntu patch:  YES
> STATUS:  NOT VULNERABLE  (Kernel source has been patched to mitigate the vulnerability (Canonical/RedHat patch))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  YES
    * IBRS enabled for User space:  NO
    * IBPB enabled:  YES
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  NOT VULNERABLE  (IBRS/IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

And output from a RHEL 7 box:

# sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.34+

Checking for vulnerabilities on current system
Kernel is Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates STIBP capability:  YES
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  YES  (model 62 stepping 4 ucode 0x42a)

The microcode your CPU is running on is known to cause instability problems,
such as intempestive reboots or random crashes.
You are advised to either revert to a previous microcode version (that might not have
the mitigations for Spectre), or upgrade to a newer one if available.

* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Kernel has the RedHat/Ubuntu patch:  YES
> STATUS:  NOT VULNERABLE  (Kernel source has been patched to mitigate the vulnerability (Canonical/RedHat patch))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  YES
    * IBRS enabled for User space:  NO
    * IBPB enabled:  YES
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  NOT VULNERABLE  (IBRS/IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

knweiss commented 6 years ago

It works for me, too. Same output as above.

Nitpicking: The official spelling is "Red Hat" ("ALWAYS TWO WORDS AND CAPITALIZED WHEN WRITTEN OUT IN TEXT") not "RedHat".

speed47 commented 6 years ago

@knweiss Easy enough to fix! @robleady thanks for your feedback. Closing this issue, as the branch has been merged to master.