authorStéphane Lesimple <speed47_github@speed47.net>2018-01-30 22:59:44 +0100
committerStéphane Lesimple <speed47_github@speed47.net>2018-01-31 14:34:54 +0100
commitaa18b51e1cadbf1e38cfab9a99f51491472b845f (patch)
treec53c1802fb0ab37f4af737ffa6b1431794486b46
parentb738ac4bd7560680f6fb18ecf20940f564924f57 (diff)
fix(variant1): smarter lfence check
Instead of just counting the number of LFENCE instructions, we now only count those that directly follow a jump instruction.
-rwxr-xr-xspectre-meltdown-checker.sh14
1 files changed, 8 insertions, 6 deletions
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 63e137d..1a2d006 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -1192,7 +1192,7 @@ check_variant1()
if [ "$opt_verbose" -ge 2 ] || [ "$v1_mask_nospec" != 1 ]; then
# this is a slow heuristic and we don't need it if we already know the kernel is patched
# but still show it in verbose mode
- _info_nol "* Checking count of LFENCE opcodes in kernel: "
+ _info_nol "* Checking count of LFENCE instructions following a jump in kernel: "
if [ -n "$vmlinux_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($vmlinux_err)"
else
@@ -1204,12 +1204,14 @@ check_variant1()
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
# so let's push the threshold to 70.
- nb_lfence=$(objdump -d "$vmlinux" | grep -wc 'lfence')
- if [ "$nb_lfence" -lt 70 ]; then
- pstatus red NO "only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
+ # v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+ nb_lfence=$(objdump -d "$vmlinux" | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
+ if [ "$nb_lfence" -lt 30 ]; then
+ pstatus red NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
else
v1_lfence=1
- pstatus green YES "$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
+ pstatus green YES "$nb_lfence jump-then-lfence instructions found, which is >= 30 (heuristic)"
fi
fi
fi
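Review bot: The second grep in the new `nb_lfence` pipeline only counts `jmp`, `jne` and `je` on the line preceding an lfence, and because `-w` requires a whole-word match, other direct branch mnemonics that objdump can emit after a bounds compare (`ja`, `jae`, `jb`, `jbe`, …) and the `jmpq` spelling of indirect jumps are silently excluded, so a kernel whose barrier sequence uses one of those branches would be under-counted and reported as unpatched. The 0-20 / 40-45 calibration in the new comment is presumably measured against this exact alternation, so widening it means re-measuring the threshold rather than just editing the regex; if the intent is "any direct jump before an lfence", consider `grep -Ewc 'jmp|jne|je|ja|jae|jb|jbe'` and adjust the `-lt 30` comparison to whatever the re-measured floor is. It would also help to state in the comment that the `-B1` context line is the previous objdump text line (a `--` separator or a `<symbol>:` label for a function-initial lfence is harmless, it just never matches), e.g. `# -B1 yields the instruction printed just before each lfence; '--' separators and symbol labels never match the jump regex`. check_variant1's body begins before this hunk and continues after it.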
@@ -1231,7 +1233,7 @@ check_variant1()
if [ "$v1_mask_nospec" = 1 ]; then
pvulnstatus $cve OK "Kernel source has been patched to mitigate the vulnerability (array_index_mask_nospec)"
elif [ "$v1_lfence" = 1 ]; then
- pvulnstatus $cve OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (LFENCE opcodes heuristic)"
+ pvulnstatus $cve OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic)"
elif [ "$vmlinux_err" ]; then
pvulnstatus $cve UNK "Couldn't find kernel image or tools missing to execute the checks"
else