Closed Salz closed 3 weeks ago
The bug is still present in the latest version of git repo, checked today
Confirmed, same here.
FTR, here is the change of the kernel option name:
Breno Leitao (10):
x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY
x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING
x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE
x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS
x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY
x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY
x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO
x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK
A quick "grep" in "spectre-meltdown-checker" shows that the following options are affected and still used with their old names:
CONFIG_CPU_IBPB_ENTRY
CONFIG_PAGE_TABLE_ISOLATION
CONFIG_RETPOLINE
CONFIG_CPU_SRSO
But let's focus on "CONFIG_RETPOLINE" for which this issue is opened here.
Waiting for a patch I made a SlackBuild with a quick and dirty "fix"
```bash
#!/bin/bash
set -e

CWD=$(pwd)
TMP=${TMP:-/tmp/MG}
PKG=$TMP/package-spectre-meltdown-checker
PRGNAM=spectre-meltdown-checker
VERSION=$(date +%m%ygit)
CHOST=x86_64
ARCH=${ARCH:-x86_64}
BUILD=1mg

if [ "$ARCH" = "i386" ]; then
  SLKCFLAGS="-O2 -march=i386 -mcpu=i686"
elif [ "$ARCH" = "i486" ]; then
  SLKCFLAGS="-O2 -march=i486 -mtune=i686"
elif [ "$ARCH" = "i686" ]; then
  SLKCFLAGS="-O2"
elif [ "$ARCH" = "s390" ]; then
  SLKCFLAGS="-O2"
elif [ "$ARCH" = "x86_64" ]; then
  SLKCFLAGS="-O2 -fPIC"
fi

if [ ! -d "$TMP" ]; then
  mkdir -p "$TMP"
fi
if [ ! -d "$PKG" ]; then
  mkdir -p "$PKG"
fi

# Prepare: clone the repository on the first run, update it afterwards
GITURL=https://github.com/speed47/spectre-meltdown-checker.git
cd "$TMP"
if [ ! -e "$PRGNAM-$VERSION" ]; then
  git clone "$GITURL" "$PRGNAM-$VERSION"
elif [ -f "$PRGNAM-$VERSION" ]; then
  # The checkout path exists but is a regular file
  echo "the dir is a file! EXIT"
  exit 1
elif [ -d "$PRGNAM-$VERSION" ]; then
  cd "$PRGNAM-$VERSION" && git pull && cd ..
fi
cd "$PRGNAM-$VERSION"

# Install
mkdir -p "$PKG/usr/bin/" "$PKG/usr/doc/$PRGNAM-$VERSION"
install -m 755 spectre-meltdown-checker.sh "$PKG/usr/bin/spectre-meltdown-checker.sh"
install -m 644 README.md "$PKG/usr/doc/$PRGNAM-$VERSION/README.md"

# Fix for kernel 6.9
NUM1=$(uname -r)
NUM2=6.9
# sort -V orders version strings, so 6.10 counts as newer than 6.9;
# the running kernel is >= 6.9 when 6.9 sorts first
if [ "$(printf '%s\n' "$NUM2" "$NUM1" | sort -V | head -n 1)" = "$NUM2" ]; then
  sed -i 's:CONFIG_RETPOLINE:CONFIG_MITIGATION_RETPOLINE:g' "$PKG/usr/bin/spectre-meltdown-checker.sh"
fi

cd "$PKG"
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || echo
find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || echo
find . | xargs file | grep "current ar archive" | cut -f 1 -d : | xargs strip -g 2> /dev/null || echo

mkdir -p "$PKG/install"
cat "$CWD/slack-desc" > "$PKG/install/slack-desc"
cat "$CWD/$PRGNAM.SlackBuild" > "$PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild"

# Packaging
makepkg -l y -c n "$CWD/$PRGNAM-$VERSION-$ARCH-$BUILD.txz"

if [ "$1" = "--cleanup" ]; then
  rm -rf "$TMP"
fi
```
Tested and works fine
```
uname -r
6.9.3
spectre-meltdown-checker.sh
....
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK CVE-2022-40982:OK CVE-2023-20569:OK CVE-2023-23583:OK
```
@sateuwdie This is not important but your use of `if`, `elif`, `elif` ... screams `case` to me.
I always follow this motto:
"when swimming don't care about the time to reach the beach from a long distance, only care about reaching it alive and not tired"
in IT
"don't care about the code, the important thing is that it works" :)
Your `if`, `elif`, needs an `else`, in case you got eaten by a shark! ;-)
There is a solution: avoid warm water, which is better for swimming (less fatigue) but also the home of "warm water fauna" like sharks, jellyfish, etc., and prefer cold water (more fatigue, fewer sharks)
Deadly sea snakes like to inhabit shore-lines.
My original point was only a coding style note, other than that, this is all hyperbolic.
I understand, but I always had a "raw" approach: if it works, don't spend time beautifying the code but go to the next work :)
I always had a "raw" approach: if it works, don't spend time beautifying the code but go to the next work
To state that in human readable form:
It is time to drop this. https://xkcd.com/386/
FTR, here is the change of the kernel option name:
* [patchwork.kernel.org/project/netdevbpf/patch/20231121160740.1249350-6-leitao@debian.org](https://patchwork.kernel.org/project/netdevbpf/patch/20231121160740.1249350-6-leitao@debian.org/)
* [lore.kernel.org/lkml/Ze8LpCezZ4yHRBnk@gmail.com](https://lore.kernel.org/lkml/Ze8LpCezZ4yHRBnk@gmail.com/)

Breno Leitao (10):
x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY
x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING
x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE
x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS
x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY
x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY
x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO
x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK
Thanks, this saved me some research time!
Tested on Linux 6.9-rc1 and 6.9-rc2, the script reports being vulnerable to CVE-2017-5715 despite having retpoline enabled in the kernel:
This is because the kernel option name changed from CONFIG_RETPOLINE to CONFIG_MITIGATION_RETPOLINE in 6.9-rc1.
To check for both options I changed the grep call to
```
grep -q '^CONFIG_\(MITIGATION_\)\?RETPOLINE=y'
```
in the script, which marks CVE-2017-5715 as fixed again.