speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

False positive for CVE-2017-5715 due to failing to detect retpolines #420

Closed wizeman closed 2 years ago

wizeman commented 2 years ago

When I updated my kernel from 5.15.27 -> 5.15.28, spectre-meltdown-checker started complaining that I was vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection).

After doing a little investigation, this seems to be caused by the following line of code:

https://github.com/speed47/spectre-meltdown-checker/blob/a485c7882a4067aad81d6a781d0549c76f17b24e/spectre-meltdown-checker.sh#L3773

This is trying to detect whether the /sys/devices/system/cpu/vulnerabilities/spectre_v2 file contains the word retpoline (case insensitively).

I think kernel 5.15.27 used to contain the text Mitigation: AMD retpoline, (...) (or something similar) but 5.15.28 switched to a generic retpoline implementation, so the file now contains Mitigation: Retpolines, (...).

Since the grep command in the above line of code contains the -w switch but the word is now plural (and therefore doesn't match anymore), spectre-meltdown-checker doesn't detect that the kernel is compiled with a retpoline-aware compiler and therefore considers my machine to be vulnerable to CVE-2017-5715.
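
The mismatch described in this report can be reproduced offline. The script below is an added example, not code from spectre-meltdown-checker or from the reporter: it places the fragile `grep -w` check beside a boundary-aware alternative that accepts both the singular "retpoline" and the plural "Retpolines" spellings, and runs each over constructed sample strings modelled on the forms quoted in the thread (the full sysfs lines, and the function names, are assumptions made for this example, not captured output).

```shell
#!/bin/sh
# Added example (not part of spectre-meltdown-checker): show why `grep -w retpoline`
# stops matching once the kernel reports "Mitigation: Retpolines, ..." and give a
# check that tolerates both spellings.

# Constructed sample sysfs contents (assumptions modelled on the thread, not captured).
OLD_STR="Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling"
NEW_STR="Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling"
VULN_STR="Vulnerable"

# Fragile check: -w demands that "retpoline" be a whole word, so the trailing "s"
# in "Retpolines" makes the match fail even with -i (case-insensitive).
has_retpoline_word() {
    printf '%s\n' "$1" | grep -qiw retpoline
}

# Robust check: accept "retpoline" or "retpolines" as a whole word, using POSIX
# character classes for the word boundary so it also works with BSD grep, which
# does not guarantee GNU's \b.
has_retpoline() {
    printf '%s\n' "$1" | grep -qiE '(^|[^[:alnum:]_])retpolines?([^[:alnum:]_]|$)'
}

# Read the live sysfs file when present; otherwise fall back to the supplied
# string so the example still runs on machines without that file.
spectre_v2_status() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then cat "$f"; else printf '%s\n' "$1"; fi
}

# Usage: classify each constructed string with both checks.
for s in "$OLD_STR" "$NEW_STR" "$VULN_STR"; do
    if has_retpoline_word "$s"; then w=match; else w=miss; fi
    if has_retpoline "$s"; then r=match; else r=miss; fi
    echo "grep -w: $w | boundary-aware: $r | $s"
done
```

Running it prints a match for the old string under both checks, but only the boundary-aware check matches the 5.15.28-style string; neither matches "Vulnerable". To test against a real host, feed `$(spectre_v2_status "$NEW_STR")` to `has_retpoline` instead of the constructed samples.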

speed47 commented 2 years ago

Thanks for the detailed report, you nailed it, indeed this changed in 5.15.28! PR #421 is pending.

speed47 commented 2 years ago

Merged, please reopen if it doesn't fix the issue!

taggart commented 1 year ago

The fix for this issue was first provided in v0.45, so if you are using a version older than that, you may see this issue. Also older kernels may have this change backported, for example I saw the new generic "Mitigation: Retpolines" string on a Debian linux-image-5.10.0-25-amd64 5.10.191-1 kernel.