authorStéphane Lesimple <speed47_github@speed47.net>2018-01-11 15:35:57 +0100
committerStéphane Lesimple <speed47_github@speed47.net>2018-01-11 15:35:57 +0100
commitbc4e39038a3417282c56e43b23b520ca8ed7f4ed (patch)
treee328d7555e28090a227ce1cc212649eebfac8403
parent62f8ed6f61ba3f6fd763bb99a6e5b1872c69cd4c (diff)
fix(opcodes): fix regression introduced in previous commit
We were saying unknown instead of vulnerable when the count of lfence opcodes was low. This was not impacting batch mode or the final decision, just the human-readable output of the script.
-rwxr-xr-xspectre-meltdown-checker.sh9
1 files changed, 6 insertions, 3 deletions
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 3545fed..82e0b07 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -611,7 +611,7 @@ check_variant1()
if [ "$nb_lfence" -lt 70 ]; then
msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
status=VULN
- pstatus yellow UNKNOWN
+ pstatus red NO
else
msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
status=OK
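Review bot: If `nb_lfence` is ever empty or non-numeric, `[ "$nb_lfence" -lt 70 ]` exits with an error instead of a false comparison, and the `else` branch then sets `status=OK`. The assignment of `nb_lfence` is outside this hunk, so a numeric value may already be guaranteed, but a test that gates a vulnerability verdict should not fall through to OK on a parse failure. A `case "$nb_lfence" in ''|*[!0-9]*)` arm that reports `pstatus yellow UNKNOWN` ahead of the numeric test would keep that case out of both branches. The threshold 70 is also repeated three times (the test and both messages) and would be easier to retune as a single variable.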
@@ -857,6 +857,9 @@ check_variant3()
mount_debugfs
_info_nol "* PTI enabled and active: "
if [ "$opt_live" = 1 ]; then
+ dmesg_grep="Kernel/User page tables isolation: enabled"
+ dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
+ dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
if grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo
kpti_enabled=1
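Review bot: The three alternatives added to `dmesg_grep` carry no comment saying which kernel or vendor backport prints each string, and the commit message only mentions the opcode fix. A comment above the first assignment, for example `# dmesg lines printed when PTI is active, joined with | for grep -E; one per kernel flavour`, plus a short source note per line, would let a maintainer tell when an entry is obsolete or a new one is missing. The variable is set only inside the `opt_live` branch, whose end is outside this hunk, so any later use outside that branch would see it empty.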
@@ -866,10 +869,10 @@ check_variant3()
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
- elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
+ elif dmesg | grep -Eq "$dmesg_grep"; then
# if we can't find the flag, grep dmesg output
kpti_enabled=1
- elif [ -r /var/log/dmesg ] && grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' /var/log/dmesg; then
+ elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
kpti_enabled=1
else
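Review bot: The `/var/log/dmesg` fallback in the last `elif` can match a file left over from an earlier boot, so `kpti_enabled=1` may be set for a kernel other than the one currently running. Nothing visible here compares the file's age with the boot time, and on systems that do not rewrite the file at every boot (an assumption to confirm per distribution) the result is a false "PTI enabled". At minimum the branch comment could say `# /var/log/dmesg may predate the current boot; a match is a hint, not proof`. A stronger fix would skip the file when it is older than the current boot. The surrounding `if` chain starts and ends outside this hunk.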