Closed kanthans closed 6 years ago
There is no stable kernel patch for the variant 1 and variant 2 yet, so most kernels are still vulnerable.
I'm following the WIP patches on the LKML to add detection ahead of time, but almost all production-ready kernels are still vulnerable to date, so a "vulnerable" status is to be expected.
If you know for a fact that they're not (CVE for variant 1 and/or 2 explicitly marked as fixed per the vendor), can you also include the kernel version in your output, and a link to the vendor information?
I'll then be able to dig. Some backports are doing things differently and I'll try to include all the possible ways to detect those.
Please re-run with v0.12, also! Things are moving very, very fast :)
Hi
The output on SuSE Ent Linux with the checker version 0.19
Checking for vulnerabilities against live running kernel Linux 4.4.103-92.56-default #1 SMP Wed Dec 27 16:24:31 UTC 2017 (2fd2155) x86_64
Will use vmlinux image /boot/vmlinuz-4.4.103-92.56-default
Will use kconfig /proc/config.gz
Will use System.map file /proc/kallsyms
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES (91 opcodes found, which is >= 70)
> STATUS: NOT VULNERABLE (heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
CVE-2017-5715 still shows as vulnerable. However, the link on the SuSE website indicates it is fixed: https://www.suse.com/support/update/announcement/2018/suse-su-20180012-1/
Can you please share your thoughts on this?
Thank you
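The variant 1 line in the output above is a heuristic: count LFENCE instructions in the kernel image and compare against a threshold (70 in that version). The script below is an added example, not code from this thread or from the checker itself: it counts byte-aligned `0F AE E8` sequences in a raw code image with `od` and `awk`, takes the threshold as a parameter, and runs over a constructed sample image built by `make_sample`. Matching the raw byte pattern is an assumption standing in for whatever the checker does internally; it will also count the pattern where it appears inside immediates or data, so it is a rough count, not a disassembly. The sample deliberately includes an MFENCE (`0F AE F0`), a bare `E8` (CALL) and a nibble-misaligned `f0 fa ee 8f` run that a naive grep over a concatenated hex dump would wrongly match.

```shell
#!/bin/sh
# Added example (not the checker's code): count LFENCE opcodes in a raw x86
# image, the kind of heuristic used for CVE-2017-5753 in early checker versions.
# Caveat: run it on an uncompressed vmlinux; a bzImage/vmlinuz is compressed,
# so counting opcodes in it directly is meaningless.

# count_lfence FILE -> prints the number of byte-aligned 0F AE E8 sequences.
# od emits one hex byte per field; tr puts one byte per line; awk keeps a
# two-byte window so matches can only start on a byte boundary.
count_lfence() {
    od -An -v -tx1 "$1" | tr ' ' '\n' | grep . |
    awk '$1=="e8" && p1=="ae" && p2=="0f" {n++} {p2=p1; p1=$1} END {print n+0}'
}

# lfence_status FILE [THRESHOLD] -> verdict string in the checker's style.
# The threshold defaults to 70, the value shown in the thread's output.
lfence_status() {
    t=${2:-70}
    n=$(count_lfence "$1")
    if [ "$n" -ge "$t" ]; then
        echo "NOT VULNERABLE ($n LFENCE opcodes, >= $t)"
    else
        echo "VULNERABLE ($n LFENCE opcodes, < $t)"
    fi
}

# make_sample FILE: writes a constructed 26-byte "image" (octal escapes):
#   0f ae e8            LFENCE                 -> counts (1)
#   90                  NOP
#   0f ae f0            MFENCE                 -> must not count
#   0f ae e8            LFENCE                 -> counts (2)
#   f0 fa ee 8f         hex text contains "0faee8" off by a nibble -> must not count
#   e8 01 02 03 04      CALL rel32, bare e8    -> must not count
#   0f ae e8            LFENCE                 -> counts (3)
make_sample() {
    printf '\017\256\350\220\017\256\360\017\256\350\360\372\356\217\350\001\002\003\004\017\256\350' > "$1"
}

# Usage: sh lfence_count.sh /path/to/vmlinux [threshold]
# With no arguments, run against the constructed sample instead.
if [ $# -ge 1 ]; then
    lfence_status "$1" "${2:-70}"
else
    tmp=$(mktemp)
    make_sample "$tmp"
    lfence_status "$tmp" 3
    rm -f "$tmp"
fi
```

Because the count is pattern-based, it is only meaningful relative to a baseline for the same kernel branch; a kernel built with different compiler options can legitimately shift the number, which is why the checker itself labelled the heuristic as provisional.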
@kanthans check this:
As it seems to be the expected behaviour (indeed the majority of kernels out there don't yet have IBRS, even the "fixed" ones, as most of the time they only fix variant 3 through KPTI), I'm closing this ticket.
Feel free to reopen if needed.
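The closing comment and the variant 2 status line state the decision rule: CVE-2017-5715 counts as mitigated only if the microcode advertises IBRS and the kernel actually uses it, or if the kernel was built with retpolines and the compiler really emitted them. The script below is an added example, not the checker's code, that implements exactly that rule over plain files so the SLES case from this thread can be reproduced offline. Assumptions: the kernel reports IBRS microcode support as the `spec_ctrl` flag in `/proc/cpuinfo` (older backports that spell it `ibrs` are accepted too); an IBRS-enabled backport exposes an `ibrs_enabled` knob (0 off, 1 kernel space, 2 kernel and user space), whose path varies by vendor and is passed in as a parameter; retpoline kernels set `CONFIG_RETPOLINE=y` and contain `__x86_indirect_thunk_*` symbols in `/proc/kallsyms` or `System.map`. The four scenarios built by `make_sample` are constructed inputs.

```shell
#!/bin/sh
# Added example (not the checker's code): decision rule for CVE-2017-5715 as
# printed by the checker ("IBRS hardware + kernel support OR kernel with
# retpoline"), evaluated over files so it can be tested on constructed input.

# has_flag FLAGS NAME -> true if NAME is one of the space-separated FLAGS
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# spectre_v2_status CPUINFO IBRS_ENABLED_FILE KCONFIG KALLSYMS
# Prints VULNERABLE, MITIGATED_IBRS or MITIGATED_RETPOLINE; returns 1 if vulnerable.
spectre_v2_status() {
    cpuinfo=$1 ibrs_file=$2 kconfig=$3 kallsyms=$4

    # Mitigation 1: IBRS. Microcode support shows up as the spec_ctrl flag
    # (assumption: some early vendor backports used "ibrs" instead).
    flags=$(grep '^flags' "$cpuinfo" | head -n 1 | cut -d: -f2-)
    hw_ibrs=no
    if has_flag "$flags" spec_ctrl || has_flag "$flags" ibrs; then hw_ibrs=yes; fi
    # Kernel support: an IBRS backport exposes ibrs_enabled (0/1/2). A kernel
    # without the backport has no such file, which is the SLES case in the thread.
    kernel_ibrs=0
    if [ -r "$ibrs_file" ]; then kernel_ibrs=$(cat "$ibrs_file"); fi
    if [ "$hw_ibrs" = yes ] && [ "$kernel_ibrs" -ge 1 ] 2>/dev/null; then
        echo MITIGATED_IBRS
        return 0
    fi

    # Mitigation 2: retpoline. Both checker conditions must hold: the option is
    # on AND the compiler emitted the thunks (CONFIG_RETPOLINE=y with a
    # non-retpoline compiler produces no __x86_indirect_thunk_* symbols).
    if grep -q '^CONFIG_RETPOLINE=y' "$kconfig" && grep -q '__x86_indirect_thunk_' "$kallsyms"; then
        echo MITIGATED_RETPOLINE
        return 0
    fi

    echo VULNERABLE
    return 1
}

# make_sample DIR CASE: constructed inputs for one scenario (not real dumps).
make_sample() {
    dir=$1
    mkdir -p "$dir"
    rm -f "$dir/ibrs_enabled"
    case $2 in
        sles)   # shape of the SLES 4.4.103 output in this thread: microcode yes, kernel no
            printf 'flags\t\t: fpu vme sse2 spec_ctrl\n' > "$dir/cpuinfo"
            printf '# CONFIG_RETPOLINE is not set\n' > "$dir/config"
            printf 'ffffffff81000000 T _stext\n' > "$dir/kallsyms" ;;
        ibrs)   # microcode plus an IBRS backport with the knob set to kernel space
            printf 'flags\t\t: fpu vme sse2 spec_ctrl\n' > "$dir/cpuinfo"
            echo 1 > "$dir/ibrs_enabled"
            printf '# CONFIG_RETPOLINE is not set\n' > "$dir/config"
            printf 'ffffffff81000000 T _stext\n' > "$dir/kallsyms" ;;
        retpoline)   # no new microcode, but a retpoline kernel built by a retpoline-aware compiler
            printf 'flags\t\t: fpu vme sse2\n' > "$dir/cpuinfo"
            printf 'CONFIG_RETPOLINE=y\n' > "$dir/config"
            printf 'ffffffff81000000 T _stext\nffffffff81a00000 T __x86_indirect_thunk_rax\n' > "$dir/kallsyms" ;;
        retpoline-noasm)   # option enabled, but the compiler emitted no thunks
            printf 'flags\t\t: fpu vme sse2\n' > "$dir/cpuinfo"
            printf 'CONFIG_RETPOLINE=y\n' > "$dir/config"
            printf 'ffffffff81000000 T _stext\n' > "$dir/kallsyms" ;;
    esac
}

# check_case CASE -> status for one constructed scenario
check_case() {
    d=$(mktemp -d)
    make_sample "$d" "$1"
    if spectre_v2_status "$d/cpuinfo" "$d/ibrs_enabled" "$d/config" "$d/kallsyms"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Against a live box (paths are the common ones; adjust for your vendor's backport):
#   spectre_v2_status /proc/cpuinfo /sys/kernel/debug/x86/ibrs_enabled "/boot/config-$(uname -r)" /proc/kallsyms
for c in sles ibrs retpoline retpoline-noasm; do
    printf '%-16s %s\n' "$c" "$(check_case "$c")"
done
```

The `retpoline-noasm` case is the one worth remembering when reading vendor advisories: a config that says `CONFIG_RETPOLINE=y` proves nothing on its own, and a vendor marking the CVE as fixed usually means "this kernel has the knobs and will use them once the microcode is present", which is why a fully patched SLES host with the vulnerability listed as fixed can still be reported as vulnerable.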
Thank you very much for this tool
Testing the tool against AMI, CentOS 7.4 and SuSE Enterprise Linux after patching with the respective vendor patches. All the tests are against your tool ver 0.09. The outputs are given below. Can you please check why the vulnerabilities are reported in spite of installing the patches?
Thank you once again for the tool.
Amazon Linux
Suse Linux Enterprise Desktop/Server
CentOS 7.4