speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

SuSE Linux/AMI Linux verification #6

Closed: kanthans closed this issue 6 years ago

kanthans commented 6 years ago

Thank you very much for this tool

Testing the tool against AMI, CentOS 7.4 and SuSE Enterprise Linux after patching with the respective vendor patches. All the tests are against your tool version 0.09. The outputs are given below. Can you please check why the vulnerabilities are reported in spite of installing the patches.

Thank you once again for the tool.

Amazon Linux

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 35 opcodes found, should be >= 60)
> STATUS:  VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpolines:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

Suse Linux Enterprise Desktop/Server

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  YES  (91 opcodes found, which is >= 60)
> STATUS:  NOT VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpolines:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

CentOS 7.4

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  YES  (112 opcodes found, which is >= 60)
> STATUS:  NOT VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpolines:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

speed47 commented 6 years ago

There is no stable kernel patch for the variant 1 and variant 2 yet, so most kernels are still vulnerable.

I'm following the WIP patches on the LKML to add detection ahead of time, but almost all production-ready kernels are still vulnerable to date, so a "vulnerable" status is to be expected.

If you know for a fact that they're not (CVE for variant 1 and/or 2 explicitly marked as fixed per the vendor), can you also include the kernel version in your output, and a link to the vendor information?

I'll then be able to dig. Some backports are doing things differently and I'll try to include all the possible ways to detect those.
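The checks behind the YES/NO lines in the reports above, as an added example that is not the checker's own code (a small POSIX shell script written for this page in the spirit of the tool): each check is a function over a file path, so it can be pointed at a raw kernel image, the gunzipped `/proc/config.gz`, `/proc/kallsyms`, `/proc/cpuinfo` or `/sys/devices/system/cpu/vulnerabilities`, or at the constructed samples the script builds for itself. The `pti_init` symbol, the `spec_ctrl` cpuinfo flag, the sysfs directory (present from kernel 4.15 on) and the LFENCE threshold are assumptions chosen for illustration, not the checker's exact heuristics.

```shell
#!/bin/sh
# Added example (not spectre-meltdown-checker's own code): the kinds of
# evidence the checker output in this thread reports, each as a shell function
# that takes the file to inspect as an argument, so the same logic runs against
# a live system or against the constructed samples from make_samples below.
# Assumptions, labelled where used: the pti_init symbol, the spec_ctrl cpuinfo
# flag, and the sysfs "vulnerabilities" directory (kernel 4.15 and later).

# Spectre v1 heuristic: count LFENCE (0F AE E8) opcodes in a raw code image.
# od prints one space-separated hex byte per field, so matching "0f ae e8"
# only hits on byte boundaries; a plain "0faee8" hex-string match would also
# fire inside sequences like a0 fa ee 80 and over-count.
count_lfence() {
    od -An -v -tx1 "$1" | tr -s ' \n' ' ' | grep -o '0f ae e8' | wc -l | tr -d ' '
}

# Build options: "$2=y" in a plain-text kconfig (gunzip /proc/config.gz first).
kconfig_has() {
    grep -q "^$2=y" "$1"
}

# Kernel symbols: exact match on the symbol column of kallsyms / System.map.
kallsyms_has() {
    awk -v s="$2" '$3 == s { f = 1 } END { exit !f }' "$1"
}

# Microcode-level support as the kernel exposes it: a word in the cpuinfo flags
# (spec_ctrl is an assumed flag name for this example).
cpuinfo_has_flag() {
    grep '^flags' "$1" | head -n 1 | grep -qw "$2"
}

# The kernel's own verdict, when available: one file per issue under
# /sys/devices/system/cpu/vulnerabilities ($1 is that directory, $2 the file).
sysfs_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "unknown (interface not present)"; fi
}

# Prints a report in the checker's style. $2 is the LFENCE threshold (the
# checker used 60, then 70, for a real vmlinux; it is tiny here for the sample).
report() {
    n=$(count_lfence "$1/vmlinux.bin")
    if [ "$n" -ge "$2" ]; then echo "* LFENCE opcodes in kernel: YES ($n found, >= $2)"
    else echo "* LFENCE opcodes in kernel: NO (only $n found, should be >= $2)"; fi
    if kconfig_has "$1/config" CONFIG_RETPOLINE; then echo "* Kernel compiled with retpoline option: YES"
    else echo "* Kernel compiled with retpoline option: NO"; fi
    if cpuinfo_has_flag "$1/cpuinfo" spec_ctrl; then echo "* Hardware (CPU microcode) support: YES"
    else echo "* Hardware (CPU microcode) support: NO"; fi
    # pti_init is an assumed marker symbol for a PTI-capable kernel
    if kconfig_has "$1/config" CONFIG_PAGE_TABLE_ISOLATION && kallsyms_has "$1/kallsyms" pti_init; then
        echo "* Kernel supports PTI: YES"; else echo "* Kernel supports PTI: NO"; fi
    echo "* sysfs says meltdown: $(sysfs_status "$1/vulnerabilities" meltdown)"
    echo "* sysfs says spectre_v2: $(sysfs_status "$1/vulnerabilities" spectre_v2)"
}

# Constructed samples (not captured from a real machine); prints the directory.
make_samples() {
    d=$(mktemp -d)
    # 17-byte "code image": three real LFENCEs plus the a0 fa ee 80 decoy.
    printf '\220\017\256\350\220\220\017\256\350\303\017\256\350\240\372\356\200' > "$d/vmlinux.bin"
    printf 'CONFIG_PAGE_TABLE_ISOLATION=y\n# CONFIG_RETPOLINE is not set\n' > "$d/config"
    printf 'ffffffff81001000 T pti_init\nffffffff81002000 t do_syscall_64\n' > "$d/kallsyms"
    printf 'processor\t: 0\nflags\t\t: fpu sse2 spec_ctrl\n' > "$d/cpuinfo"
    mkdir "$d/vulnerabilities"
    printf 'Mitigation: PTI\n' > "$d/vulnerabilities/meltdown"   # no spectre_v2 file on purpose
    echo "$d"
}

samples=$(make_samples)
report "$samples" 3
rm -rf "$samples"
```

On a live machine the raw image has to be extracted from the compressed `vmlinuz` first (the checker does that itself), which is why `count_lfence` takes a raw image path; and the opcode threshold is only ever a heuristic, which is exactly why the thread's results differ between distributions whose backports inserted different numbers of fences.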

speed47 commented 6 years ago

Please re-run with v0.12, also! Things are moving very, very fast :)

kanthans commented 6 years ago

Hi

The output on SuSE Enterprise Linux with checker version 0.19:

Checking for vulnerabilities against live running kernel Linux 4.4.103-92.56-default #1 SMP Wed Dec 27 16:24:31 UTC 2017 (2fd2155) x86_64
Will use vmlinux image /boot/vmlinuz-4.4.103-92.56-default
Will use kconfig /proc/config.gz
Will use System.map file /proc/kallsyms

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES  (91 opcodes found, which is >= 70)
> STATUS:  NOT VULNERABLE  (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

CVE-2017-5715 still shows as vulnerable. However, the link on the SuSE website indicates it is fixed: https://www.suse.com/support/update/announcement/2018/suse-su-20180012-1/

Can you please share your thoughts on the same.

Thank you

ghost commented 6 years ago

@kanthans check this:

https://bugzilla.opensuse.org/show_bug.cgi?id=1068032#c145

speed47 commented 6 years ago

As it seems to be the expected behaviour (indeed the majority of kernels out there don't yet have IBRS, even the "fixed" ones, as most of the time they only fix variant 3 through KPTI), I'm closing this ticket.

Feel free to reopen if needed.