speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

False vulnerability CVE-2020-0543? [Bug Report] #416

Open servimo opened 2 years ago

servimo commented 2 years ago

CPU supports Special Register Buffer Data Sampling (SRBDS): NO

CVE-2020-0543 aka ‘Special Register Buffer Data Sampling (SRBDS)’
Mitigated according to the /sys interface: NO (Vulnerable: No microcode)
SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
SRBDS mitigation control is enabled and active: NO
STATUS: VULNERABLE (Your CPU microcode may need to be updated to mitigate the vulnerability

speed47 commented 2 years ago

Your CPU doesn't seem to have the latest microcode to support SRBDS mitigation. Mitigation for this vulnerability requires a recent kernel AND recent microcode for your CPU.

servimo commented 2 years ago

I think it is a false vulnerability because my processor is an old Intel i7 3770k (3rd generation) and this SRBDS support is related to a technology it doesn't have. I could be wrong.

speed47 commented 2 years ago

Your CPU is indeed affected, first row of this table: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-srbds.html

As to why you might not have a microcode that mitigates the issue, most probably your CPU is out of support and will never get the fix (see https://github.com/speed47/spectre-meltdown-checker/blob/master/FAQ.md#the-tool-says-that-i-need-a-more-up-to-date-microcode-but-i-have-the-more-recent-version )

servimo commented 2 years ago

Nothing I can do. But in here my core specifications say:

Intel® Transactional Synchronization Extensions no

https://ark.intel.com/content/www/us/en/ark/products/65523/intel-core-i73770k-processor-8m-cache-up-to-3-90-ghz.html?wapkw=intel%20core%20i7%203770k

Ok. I am out of support. Thanks for your explanation.

qcretro commented 1 year ago

I'm running a Xeon 1230 v2 (ivybridge) that is vulnerable to SRBDS on kernel 5.15.85-1 and intel-microcode 3.20221108.2 from Debian testing, and the tool reports that my system is vulnerable. I added srbds=on to kernel boot

root@zaphod:~# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x21, date = 2019-02-13
[ 0.202493] SRBDS: Vulnerable: No microcode
[ 0.924981] microcode: sig=0x306a9, pf=0x2, revision=0x21
[ 0.925117] microcode: Microcode Update Driver: v2.2.

servimo commented 1 year ago

From what I understand, there is no mitigation for ivybridge microcode. No matter if you put SRBDS=on or off. Intel is not going to give support for it.
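The status string discussed in this thread ("Vulnerable: No microcode") is one of a small set of values the Linux kernel reports for SRBDS. The following is an added example, not part of the thread or of spectre-meltdown-checker's own code: it classifies that string and pulls the running microcode revision out of dmesg-style text. The function names and verdict labels are hypothetical; the sample input is the dmesg output quoted above.

```shell
#!/bin/sh
# Added example: interpret the kernel's SRBDS status (CVE-2020-0543).
# The strings matched below are the values the Linux kernel documents for
# /sys/devices/system/cpu/vulnerabilities/srbds; verdict labels are made up here.
srbds_classify() {
    case "$1" in
        "Not affected")              echo "not-affected" ;;
        "Mitigation: Microcode")     echo "mitigated" ;;
        "Mitigation: TSX disabled")  echo "mitigated" ;;
        # Kernel knows about SRBDS, but the loaded microcode lacks the fix.
        "Vulnerable: No microcode")  echo "needs-microcode" ;;
        # Microcode has the fix, but the mitigation was turned off at boot.
        "Vulnerable")                echo "mitigation-disabled" ;;
        "Unknown: Dependent on hypervisor status") echo "ask-hypervisor" ;;
        *)                           echo "unrecognized" ;;
    esac
}

# Read dmesg-style text on stdin, print the last reported SRBDS status.
srbds_from_dmesg() {
    sed -n 's/.*SRBDS: \(.*\)$/\1/p' | tail -n 1
}

# Read dmesg-style text on stdin, print the running microcode revision.
ucode_revision() {
    sed -n 's/.*microcode: sig=[^ ]*, pf=[^ ]*, revision=\(0x[0-9a-fA-F]*\).*/\1/p' |
        tail -n 1
}

# Sample input: lines taken from the dmesg output quoted in the thread.
SAMPLE_DMESG='[ 0.000000] microcode: microcode updated early to revision 0x21, date = 2019-02-13
[ 0.202493] SRBDS: Vulnerable: No microcode
[ 0.924981] microcode: sig=0x306a9, pf=0x2, revision=0x21'

SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds
if [ -r "$SYSFS" ]; then
    # Live system: ask the kernel directly.
    status=$(cat "$SYSFS")
    rev=$(awk '/^microcode/ { print $3; exit }' /proc/cpuinfo)
else
    # No sysfs entry (old kernel or non-x86): fall back to the sample.
    status=$(printf '%s\n' "$SAMPLE_DMESG" | srbds_from_dmesg)
    rev=$(printf '%s\n' "$SAMPLE_DMESG" | ucode_revision)
fi
printf 'SRBDS: %s -> %s (microcode revision: %s)\n' \
    "$status" "$(srbds_classify "$status")" "${rev:-unknown}"
```
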