Closed emcepe closed 6 years ago
Hello,
Your patch would imply false positives: you're only looking for the UDEREF option; however, it has only recently been patched by spender to include mitigation for Meltdown: checking for UDEREF is not enough.
Fortunately, spender included in his patch a flag exported to the /sys fs hierarchy to notify userspace that the kernel has been compiled with a recent enough version of UDEREF that protects from Meltdown. This check is already implemented in the script.
Excerpt of output under grsec:
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
- Kernel supports Page Table Isolation (PTI): NO
- PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
- Running as a Xen PV DomU: NO
STATUS: NOT VULNERABLE (Mitigation: PAX_UDEREF)
Closing this issue as I consider it resolved. Please reopen if needed.
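To illustrate the ordering the maintainer describes (the kernel's own /sys flag is authoritative; a bare CONFIG_PAX_UDEREF=y is not evidence of Meltdown mitigation), here is an added example written for this thread, not code from spectre-meltdown-checker itself. The sysfs path and the config-file fallback are assumptions of the example; the sample files are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not the checker's own code): classify Meltdown status from the
# kernel's /sys vulnerabilities entry first, and only fall back to build options.
# Assumed path: mainline sysfs layout, which grsecurity also exports.
SYSFS_MELTDOWN_DEFAULT=/sys/devices/system/cpu/vulnerabilities/meltdown

# meltdown_status SYSFS_FILE CONFIG_FILE  -> prints one of:
#   NOT VULNERABLE (<sysfs text>)   kernel confirms mitigation (authoritative)
#   VULNERABLE                      kernel says vulnerable
#   NOT VULNERABLE (PTI via config) no sysfs, but CONFIG_PAGE_TABLE_ISOLATION=y
#   UNKNOWN (UDEREF present, version not confirmed)
#                                   no sysfs, only CONFIG_PAX_UDEREF=y: old UDEREF
#                                   builds predate the Meltdown fix, so no claim
#   UNKNOWN                         nothing to go on
meltdown_status() {
    sysfs="$1"; config="$2"
    if [ -r "$sysfs" ]; then
        line=$(cat "$sysfs")
        case "$line" in
            Mitigation:*)    printf 'NOT VULNERABLE (%s)\n' "$line"; return 0 ;;
            "Not affected"*) printf 'NOT VULNERABLE (%s)\n' "$line"; return 0 ;;
            Vulnerable*)     printf 'VULNERABLE\n'; return 1 ;;
        esac
    fi
    # No authoritative answer from the running kernel: inspect build-time options.
    if [ -r "$config" ]; then
        if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$config"; then
            printf 'NOT VULNERABLE (PTI via config)\n'; return 0
        fi
        if grep -q '^CONFIG_PAX_UDEREF=y' "$config"; then
            printf 'UNKNOWN (UDEREF present, version not confirmed)\n'; return 2
        fi
    fi
    printf 'UNKNOWN\n'; return 2
}

# Constructed sample inputs (not captured from a real system) for offline use.
make_samples() {
    dir=$(mktemp -d)
    printf 'Mitigation: PAX_UDEREF\n' > "$dir/sysfs_grsec"
    printf 'Vulnerable\n' > "$dir/sysfs_vuln"
    printf 'CONFIG_PAX_UDEREF=y\nCONFIG_PAX_MEMORY_UDEREF=y\n' > "$dir/config_old_uderef"
    printf 'CONFIG_PAGE_TABLE_ISOLATION=y\n' > "$dir/config_pti"
    printf '%s\n' "$dir"
}

# Live check on the current host (harmlessly prints UNKNOWN where paths are absent).
meltdown_status "$SYSFS_MELTDOWN_DEFAULT" "/boot/config-$(uname -r)" || true
```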
Hi,
grsecurity's PaX has included UDEREF for a long time now, and it's also a full replacement for mainline PTI - it does everything PTI does (better) and does everything UDEREF used to do in the past.
Please find my patch suggestion attached: spectre-meltdown-checker.sh-grsecurity-PaX.patch.zip