speed47 / spectre-meltdown-checker
Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD
It would be useful to add:
--color
--global
--no-global
The use case is a minimal update that makes the script default to no color and no global exit code.
Both may avoid breaking stuff under certain settings.
The script checks for the presence of an older Atom CPU in line 174 by grepping for the 'Atom' string in the /proc/cpuinfo output.
However, the Atom string is not present for the N270 model, which is reported as:
model name : Genuine Intel(R) CPU N270 @ 1.60GHz
As such, the check should probably be revised to look for the specific Atom model designations (N270/N230/N330, et al.) as opposed to the CPU name, in order to correctly flag variants 2 & 3.
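One way to make that check independent of the marketing name is to key on the CPUID family/model numbers that /proc/cpuinfo also exposes ("cpu family" and "model"), since the N270 reports family 6, model 28 even though its model name lacks "Atom". The following is an added example written for this issue, not code from spectre-meltdown-checker; the model table it uses (family 6, model 28 = 0x1C for Diamondville/Pineview parts such as N270/N230/N330, model 38 = 0x26 for Silverthorne/Lincroft) is an assumption that should be verified against the kernel's own list before being relied on, and the two cpuinfo samples are constructed, not captured.

```sh
#!/bin/sh
# Added example, not code from spectre-meltdown-checker: identify in-order
# Bonnell Atom parts by CPUID family/model from /proc/cpuinfo instead of
# grepping "Atom" in the model name, which the N270 does not carry.
# Assumed model table (verify against the kernel's list before relying on it):
# family 6, model 28 (0x1C: N270, N230, N330, Pineview) and model 38 (0x26:
# Silverthorne/Lincroft).

# Print "vendor family model" for the first processor in cpuinfo text on stdin.
# The separator regex tolerates both the tabs of a real /proc/cpuinfo and spaces.
cpuinfo_ids() {
    awk -F': *' '
        $1 ~ /^vendor_id/    && v == "" { v = $2 }
        $1 ~ /^cpu family/   && f == "" { f = $2 }
        $1 ~ /^model[ \t]*$/ && m == "" { m = $2 }
        END { printf "%s %s %s\n", v, f, m }'
}

# Exit 0 when the cpuinfo text on stdin describes a Bonnell Atom, 1 otherwise.
is_bonnell_atom() {
    set -- $(cpuinfo_ids)          # $1 vendor, $2 family, $3 model
    [ "$#" -eq 3 ] || return 1     # incomplete cpuinfo: treat as no match
    [ "$1" = GenuineIntel ] && [ "$2" = 6 ] || return 1
    case "$3" in
        28|38) return 0 ;;
        *)     return 1 ;;
    esac
}

# Human-readable wrapper used below and in the checks.
describe_cpuinfo() {
    if is_bonnell_atom; then
        echo "bonnell-atom"
    else
        echo "other"
    fi
}

# Constructed samples (not real captures): an N270 whose model name lacks
# "Atom", and a Sandy Bridge Core i5 (family 6, model 42).
SAMPLE_N270='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 28
model name : Genuine Intel(R) CPU N270 @ 1.60GHz
stepping : 2'

SAMPLE_I5='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz
stepping : 7'

printf '%s\n' "$SAMPLE_N270" | describe_cpuinfo
printf '%s\n' "$SAMPLE_I5" | describe_cpuinfo
if [ -r /proc/cpuinfo ]; then describe_cpuinfo < /proc/cpuinfo; fi
```

Run stand-alone it classifies both samples and then the live host when /proc/cpuinfo is readable; the classification is deliberately conservative, so an incomplete or non-Intel cpuinfo never produces a match.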
This seems a bit contradictory to me. Why does it say that the opcodes count is unknown and then reports 33? No error message.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
$ uname -a
Linux blokix 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ sudo sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.26
Checking for vulnerabilities against live running kernel Linux 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
STATUS: VULNERABLE (only 33 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
NOTE: I cloned the repo a few minutes before submitting this question.
The script says that I am vulnerable?
Impossible.
For kernels that have /sys/devices/system/cpu/vulnerabilities, we'll be 100% sure of the information we have because it'll be exposed by the kernel itself. It will only work in live mode though.
I updated my kernel in a Debian VM to 3.16.0-5-amd64 and this tool says:
Spectre and Meltdown mitigation detection tool v0.26
Checking for vulnerabilities against live running kernel Linux 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: VULNERABLE (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Maybe you should add to the README how to enable PTI now?
As you are giving versions to spectre-meltdown-checker.sh, please tag them on github too
$ grep VERSION spectre-meltdown-checker.sh
VERSION=0.27
I ran the script on an Intel Atom 330 / 1.6GHz system, and it is shown as vulnerable for all three CVEs. But as per Intel's list at https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr the Atom 330 should not be affected (if I understood correctly).
I guess a check for non-vulnerable Atom processors has not been implemented yet?
After having applied every update (including BIOS) that I'm aware of, these are now my results:
However, this Spectre POC from crozone still executes successfully.
Is the tool falsely reporting that I am not vulnerable, or is the POC no good?
https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/
Script output:
Spectre and Meltdown mitigation detection tool v0.19
Checking for vulnerabilities against live running kernel Linux 4.9.67-v7+ #1061 SMP Tue Dec 5 17:17:24 GMT 2017 armv7l
Will use no vmlinux image (accuracy might be reduced)
Will use no kconfig (accuracy might be reduced)
Will use System.map file /proc/kallsyms
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN (couldn't find your kernel image in /boot, if you used neboot, this is normal)
> STATUS: UNKNOWN
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Thanks for your wonderful tool!
Over the last few days I performed various performance tests and measured the performance degradation due to the Meltdown patches in the kernel, especially in virtual machines. The result is that the degree of performance degradation depends on the CPU flag "pcid" and probably also on "invpcid". It might be worth showing the presence of these CPU flags in your tool.
I posted my results here:
Willy Tarreau also saw this dependency on pcid/invpcid in virtual machines:
A test could be something like this:
# report whether the PCID / INVPCID feature flags are present on the first CPU
for flag in pcid invpcid
do
    echo -n "${flag}: "
    if grep -m 1 "^flags" /proc/cpuinfo | grep -q " ${flag}"
    then
        echo "available"
    else
        echo "NOT available"
    fi
done
I'm uncertain as to whether this is your issue, or Canonical has failed to fix the problem. I've updated to the latest kernel, using the latest intel-microcode package, & verified that the initrd was rebuilt.
$ sudo ./spectre-meltdown-checker.sh -v -v
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
(debug) found opt_kernel=/boot/vmlinuz-4.13.0-25-generic.efi.signed in /proc/cmdline
(debug) opt_kernel is now /boot/vmlinuz-4.13.0-25-generic.efi.signed
Will use vmlinux image /boot/vmlinuz-4.13.0-25-generic.efi.signed
Will use kconfig /boot/config-4.13.0-25-generic
Will use System.map file /proc/kallsyms
(debug) try_decompress: magic for gunzip found at offset 18357:xy
(debug) try_decompress: decompressed with gunzip successfully!
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: (debug) attempted to load module msr, ret=1
YES
(debug) attempted to unload module msr, ret=0
* Kernel support for IBRS: (debug) ibrs: file /sys/kernel/debug/ibrs_enabled doesn't exist
(debug) ibrs: file /sys/kernel/debug/x86/ibrs_enabled doesn't exist
(debug) ibrs: file /proc/sys/kernel/ibrs_enabled doesn't exist
NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): (debug) kpti_support: found option CONFIG_PAGE_TABLE_ISOLATION=y in /boot/config-4.13.0-25-generic
YES
* PTI enabled and active: (debug) kpti_enabled: found 'pti' flag in /proc/cpuinfo
YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Trying to run this command on CoreOS, we get the output:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
The issue being that CoreOS doesn't have a package manager to make it easy to install "readelf".
The "workaround" I found was to use the CoreOS "toolbox" command to install a Fedora container which mounts the host filesystem under /media/root, and then run the script in "offline" mode with:
./spectre-meltdown-checker/spectre-meltdown-checker.sh --kernel /media/root/boot/coreos/vmlinuz-a
NOTE: You have to install readelf with "dnf install binutils" first before running the above command
It would be good if the script checked for CoreOS and then maybe printed out the workaround? Or alternatively used the "toolbox" command to run the diagnostics from the Fedora container (after installing "readelf").
I'm running this script now against a cluster. Would it be possible to add a --variant 1,2,3 to pick what to test for? This way I can incrementally see what nodes still need to be patched based on the releases that are happening.
The code in is_cpu_vulnerable() for AMD CPUs sets
variant1=0
Shouldn't this be variant3 a.k.a. Meltdown?
Shouldn't this be var1=1, var2=1, and var3=0 for AMD?
Hi, I have run the script in a guest KVM/QEMU CentOS 7 machine. I have seen that all is OK except variant 2, which is not corrected because I have not activated IBRS, and I have noted that this is not possible because no microcode update for the QEMU-emulated CPU is available. The question is whether the script result is a false positive or not?
Hi here,
just a quick note, there are two additional issues incoming: Skyfall and Solace.
Still no logos, but I guess this is just a matter of time and this will get serious. Check out skyfallattack.com.
Cheers, Jan.
Chrome is reported as patched against both Spectre and Meltdown. Results of running the checker in the developer shell are listed below. This is a vanilla machine with dev mode enabled specifically to run the checker's live test and see what the results were. Note the UNKNOWN result for CVE-2017-5753 and for Mitigation 2 of CVE-2017-5715. chrome://flags/#enable-site-per-process is enabled on this machine.
Checking for vulnerabilities against live running kernel Linux 3.18.0-16288-g64d05cf80004 #1 SMP
PREEMPT Mon Jan 8 23:16:08 PST 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot,
this is normal))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to
mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Dear Speed47,
Below is the output of the provided script executed on a Pine64 board running Linux. The CPU is not detected properly. The report shows the board as NOT VULNERABLE, but some test results are UNKNOWN. Can you please confirm if the board/CPU is vulnerable or not?
jean@owncloud:~/scripts/spectre-meltdown-checker$ sudo ./spectre-meltdown-checker.sh -v
[sudo] password for jean:
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 3.10.105-0-pine64-longsleep #3 SMP PREEMPT Sat Mar 11 16:05:53 CET 2017 aarch64
CPU is
Will use no vmlinux image (accuracy might be reduced)
Will use kconfig /proc/config.gz
Will use System.map file /proc/kallsyms
We're missing some kernel info (see -v), accuracy might be reduced
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Checking count of LFENCE opcodes in kernel: UNKNOWN
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation
The SPEC_CTRL MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
The SPEC_CTRL CPUID feature bit is set: UNKNOWN (couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?)
The kernel has set the spec_ctrl flag in cpuinfo: NO
- Kernel support for IBRS: NO
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: NO
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Kernel supports Page Table Isolation (PTI): NO
- PTI enabled and active: NO
- Performance impact if PTI is enabled
- CPU supports PCID: NO (no security impact but performance will be degraded with PTI)
- CPU supports INVPCID: NO (no security impact but performance will be degraded with PTI)
- Checking if we're running under Xen PV (64 bits): NO
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
jean@owncloud:~/scripts/spectre-meltdown-checker$
How can I help regarding the board?
Many thanks in advance,
Best regards.
Hi,
Some logs overwrite the kernel log output (for instance some iptables logs) and you get a false positive about Meltdown PTI. Can you add these lines of code to grep /var/log/kern.log? (Lines 1054 to 1057)
1050 elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
1051 # if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
1052 _debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg)
1053 kpti_enabled=1
1054 elif [ -r /var/log/kern.log ] && grep -Eq "$dmesg_grep" /var/log/kern.log; then
1055 # if we can't find the flag in dmesg output, grep in /var/log/kern.log when readable
1056 _debug "kpti_enabled: found hint in /var/log/kern.log: "$(grep -E "$dmesg_grep" /var/log/kern.log)
1057 kpti_enabled=1
1058 else
1059 _debug "kpti_enabled: couldn't find any hint that PTI is enabled"
1060 kpti_enabled=0
So far as I can tell, the script does not actually check that the device's processor is vulnerable. It seems to me that it would be good were it to do that - before it checked for patches.
Hello,
I'm running Linux Mint 18.3, which is basically Ubuntu 16.04 LTS, with the intel-microcode 3.20180108.0~ubuntu16.04.2 update and kernel 4.13.0-26-generic (which is patched).
Why am I vulnerable to Spectre 1?
only 29 opcodes found, should be >=70 -- Vulnerable
Spectre variant 2: Vulnerable
IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability
best regards Razzor
Hi, could you help me fix this "UNKNOWN" problem?
Thanks:
Checking vulnerabilities against Linux 2.6.18-416.el5PAE #1 SMP Wed Oct 26 12:06:12 EDT 2016 i686
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
STATUS: UNKNOWN
The script states "Kernel compiled with LFENCE opcode inserted at the proper places" while just checking for a threshold quantity.
There is no validation that the extra opcodes are inserted at the proper places.
Per https://alas.aws.amazon.com/ALAS-2018-939.html, the correct kernel for AWS AMIs should be: *-4.9.75-25.55.amzn1.[arch]
$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.9.75-25.55.amzn1.x86_64 #1 SMP Fri Jan 5 23:50:27 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Checking count of LFENCE opcodes in kernel: NO
STATUS: VULNERABLE (only 27 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation: YES
- Kernel support for IBRS: NO
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: NO
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Kernel supports Page Table Isolation (PTI): YES
- PTI enabled and active: NO
STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Anyone know why this is still showing up as vuln to all three?
Even stranger, when I first applied kernel updates via yum, I ran the tool before rebooting and it said meltdown was patched. Then I rebooted and it said all three are vuln. This paste below is PRE-reboot, note the kernel difference.
$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.9.70-25.242.amzn1.x86_64 #1 SMP Wed Jan 3 05:36:22 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Checking count of LFENCE opcodes in kernel: NO
STATUS: VULNERABLE (only 27 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation: YES
- Kernel support for IBRS: NO
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: NO
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Kernel supports Page Table Isolation (PTI): YES
- PTI enabled and active: YES
STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
I am running Opensuse tumbleweed with kernel 4.14.12-1 (which is patched already), debugfs is mounted under /sys/kernel/debug but there is no such file as /sys/kernel/debug/ibrs_enabled or /sys/kernel/debug/x86/ibrs_enabled. However ibrs_enabled is present here:
/proc/sys/kernel/ibrs_enabled
...and it contains a value of 1.
Not sure if other distros behave the same, just thought I'd let you know.
Hi,
On AMD processors the processor flag is "ibpb" instead of "spec_ctrl".
if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl; then
if grep ^flags /proc/cpuinfo | grep -qw -E "(spec_ctrl|ibpb)"; then
Hi there,
As you can see in the output below I shouldn't be affected:
[martin@marto ~]$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
CONFIG_PAGE_TABLE_ISOLATION=y
[martin@marto ~]$ dmesg | grep iso
[ 0.000000] Kernel/User page tables isolation: enabled
But after running your script I see the following:
[martin@marto ~]$ sudo sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.14.13-1-ARCH #1 SMP PREEMPT Wed Jan 10 11:14:50 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 21 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
[martin@marto ~]$
I think something is wrong here. Please advise.
Unpatched physical machine on Sandy Bridge CPU and EL7 shows:
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
All of my EL6 virtual machines on VMware show:
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
Physical Sandy Bridge CPU and EL6 system shows:
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
According to https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/:
Am I affected?
Meltdown is using a design flaw into Intel CPUs only. This is called by Xen sec team "SP3" (aka rogue data cache load). You are impacted only if you are using:
- 64-bits PV type VM (HVM/PVHVM aren't affected!)
- Intel CPUs (AMD chip design is a bit different and not affected)
- untrusted VMs, ie untrusted users having VM access (even non-root!)
- All XenServer versions are affected
64-bits PV guests are vulnerable because guest and hypervisor share the same address space, but with different privileges. HVM aren't.
The checker returns this on a Xen DomU:
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): YES (Xen PV is not vulnerable)
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
I think "Xen PV is not vulnerable" is a false negative, am I right? The test should instead check for Xen HVM / PVHVM DomUs.
Hello and thanks for this tool!
I was able to run it on a PS3 featuring the unique Cell CPU made by STI (Sony, Toshiba, IBM) and thought that this CPU is not vulnerable to Meltdown and/or Spectre.
Unfortunately my results showed the opposite:
Spectre and Meltdown mitigation detection tool v0.16
Checking vulnerabilities against Linux 3.12.6-red-ribbon-powerpc64-ps3 #7 SMP Tue Jan 7 17:09:59 CET 2014 ppc64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
STATUS: UNKNOWN
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
I reran it yesterday with version 0.31 and the results stayed the same.
I need confirmation from other users if this is really the case. It would show that IBM CPUs are also affected; so far IBM hasn't stated completely to what extent their CPUs are vulnerable. I read that PowerPC6 and up shouldn't be affected.
Also, please check if it's even possible that the results are of no use at all (which I deny) because the tool simply wasn't written to support the Cell.
Thanks in advance and keep on!
Meltdown mitigation detection doesn't work for Ubuntu kernels.
Seems Ubuntu activates PTI with the Kernel option UNWINDER_FRAME_POINTER.
See https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
=> USN 3523-1 (Ubuntu 17.10)
=> https://usn.ubuntu.com/usn/usn-3523-1/
=> Changelog for 4.13.0-25.29 in section 17.10
=> https://launchpad.net/ubuntu/+source/linux/4.13.0-25.29
root@ubuntu-artful:~/spectre-meltdown-checker# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.26
Checking for vulnerabilities against live running kernel Linux 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:13:33 UTC 2018 i686
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Checking count of LFENCE opcodes in kernel: YES
STATUS: NOT VULNERABLE (808 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation: NO
- Kernel support for IBRS: NO
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: NO
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Kernel supports Page Table Isolation (PTI): NO
- PTI enabled and active: NO
STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Running the script with sudo on Fedora 27 prints this at the beginning:
Checking for vulnerabilities against live running kernel Linux 4.14.11-300.fc27.x86_64 #1 SMP Wed Jan 3 13:52:28 UTC 2018 x86_64
./spectre-meltdown-checker.sh: line 442: /vmlinuz-4.14.11-300.fc27.x86_64=/boot//vmlinuz-4.14.11-300.fc27.x86_64: No such file or directory
It seems to be a benign error, as I get the expected results after this message is printed, but it would be nice to fix it.
The official statement of the Raspberry Pi foundation doesn't reflect the outcome of the tool:
Perhaps a check against non-vulnerable CPUs from ARM (lscpu) could be added?
Spectre and Meltdown mitigation detection tool v0.19
Checking for vulnerabilities against live running kernel Linux 4.9.46-v7+ #1032 SMP Wed Aug 30 12:09:14 BST 2017 armv7l
Will use no vmlinux image (accuracy might be reduced)
Will use no kconfig (accuracy might be reduced)
Will use System.map file /proc/kallsyms
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Checking count of LFENCE opcodes in kernel: UNKNOWN (couldn't find your kernel image in /boot, if you used neboot, this is normal)
STATUS: UNKNOWN
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
- Kernel support for IBRS: NO
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Kernel supports Page Table Isolation (PTI): NO
- PTI enabled and active: NO
STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Hi,
The script seems to look for the kernel in /boot under some specific names, and if you aren't using those you can't do the live mode test.
It would be nice to be able to use --kernel with --live; I'm personally using a pretty simple /boot/kernel-4.14.12 that this script can't find on its own apparently.
Hi,
Would it be possible to add exit codes, or perhaps an option for easily parsable output? When collecting output from many servers it would be nice to have an easier way to get a vulnerable yes/no status for each variant.
Perhaps just something like the below:
exitcode 7: vulnerable to: spectre variant 1, spectre variant2, and meltdown
exitcode 6: vulnerable to: spectre variant2 and meltdown
exitcode 5: vulnerable to: spectre variant 1 and meltdown
exitcode 4: vulnerable to: meltdown
exitcode 3: vulnerable to: spectre variant 1 and spectre variant2
exitcode 2: vulnerable to: spectre variant2
exitcode 1: vulnerable to: spectre variant 1
exitcode 0: not vulnerable to any
$ diff -u spectre-meltdown-checker.sh spectre-meltdown-checker.sh.local
--- spectre-meltdown-checker.sh 2018-01-08 14:43:28.509019256 +0100
+++ spectre-meltdown-checker.sh.local 2018-01-08 14:46:34.297937058 +0100
@@ -2,6 +2,7 @@
# Spectre & Meltdown checker
# Stephane Lesimple
VERSION=0.13
+exitcode=7
# print status function
pstatus()
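Review bot: `exitcode=7` is introduced without saying what the bits mean; from the later hunks it is a bitmask (1 = variant 1, 2 = variant 2, 4 = Meltdown) that is only ever decremented in NOT VULNERABLE branches, so an UNKNOWN result is reported as vulnerable. Put that layout and that policy in a comment next to the variable, e.g. `# exit code bitmask: 1=Spectre v1, 2=Spectre v2, 4=Meltdown; UNKNOWN leaves the bit set`, so callers scripting against the code know what a non-zero value commits to.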
@@ -135,7 +136,7 @@
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
[ "$status" = 0 ] && pstatus yellow UNKNOWN
[ "$status" = 1 ] && pstatus red VULNERABLE
-[ "$status" = 2 ] && pstatus green 'NOT VULNERABLE'
+[ "$status" = 2 ] && pstatus green 'NOT VULNERABLE' && exitcode=$((exitcode - 1))
###########
# VARIANT 2
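Review bot: the new `&& exitcode=$((exitcode - 1))` is chained on the return status of `pstatus`, so if `pstatus` ever returns non-zero (an echo failing, a future change) the bit is silently left set and the host is reported vulnerable. Make the status test explicit and clear the bit rather than subtracting, e.g. `if [ "$status" = 2 ]; then pstatus green 'NOT VULNERABLE'; exitcode=$((exitcode & ~1)); fi`, which is also idempotent if the line is ever reached twice.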
@@ -232,10 +233,13 @@
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
if grep -q AMD /proc/cpuinfo; then
pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
+ exitcode=$((exitcode - 2))
elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
pstatus green "NOT VULNERABLE" "IBRS mitigates the vulnerability"
+ exitcode=$((exitcode - 2))
elif [ "$retpoline" = 1 ]; then
pstatus green "NOT VULNERABLE" "retpolines mitigate the vulnerability"
+ exitcode=$((exitcode - 2))
else
pstatus red VULNERABLE "IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability"
fi
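Review bot: `exitcode=$((exitcode - 2))` is repeated verbatim in all three green branches of the if/elif chain; a later edit that adds a fourth mitigation branch or splits one of these would have to remember to copy it, and a double subtraction would push the code below zero rather than leave the bit cleared. Set a flag in the green branches and clear the bit once after the `fi`, using `exitcode=$((exitcode & ~2))` so the operation cannot be applied twice.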
@@ -313,8 +317,10 @@
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
if grep -q AMD /proc/cpuinfo; then
pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
+ exitcode=$((exitcode - 4))
elif [ "$kpti_enabled" = 1 ]; then
pstatus green "NOT VULNERABLE" "PTI mitigates the vulnerability"
+ exitcode=$((exitcode - 4))
else
pstatus red "VULNERABLE" "PTI is needed to mitigate the vulnerability"
fi
@@ -322,3 +328,5 @@
/bin/echo
[ -n "$vmlinux" -a -f "$vmlinux" ] && rm -f "$vmlinux"
+
+exit $exitcode
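Review bot: `exit $exitcode` only covers the normal end of the script; any earlier `exit` (for example when a required tool such as readelf is missing, which this diff does not touch) returns its own status, and a caller collecting codes across a fleet cannot tell that from a vulnerability bitmask of the same value. Either document that 0 to 7 are only meaningful when the run completes, or reserve a value outside that range for detection failures and make the early exits use it.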
Thank you very much for this tool
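The two ideas in this thread, reading the kernel's own verdict from /sys/devices/system/cpu/vulnerabilities on kernels that expose it, and collapsing the result into the bitmask exit code proposed above (1 = Spectre v1, 2 = Spectre v2, 4 = Meltdown), fit together naturally. The following is an added example written for this page, not code from spectre-meltdown-checker or from the patch above. It assumes the sysfs file names spectre_v1, spectre_v2 and meltdown and the kernel's "Not affected" / "Mitigation: ..." / "Vulnerable..." string prefixes; the sample directory contents are constructed so the block runs offline.

```sh
#!/bin/sh
# Added example (not part of spectre-meltdown-checker): derive a bitmask exit
# code (1 = Spectre v1, 2 = Spectre v2, 4 = Meltdown) from the sysfs
# vulnerability files a recent kernel exposes under
# /sys/devices/system/cpu/vulnerabilities.

# Classify the text of one sysfs vulnerability file.
# Prints "notaffected", "mitigated", "vulnerable" or "unknown".
classify_sysfs() {
    case "$1" in
        "Not affected"*) echo notaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Compute the bitmask for a directory laid out like the sysfs one. A missing
# or unreadable file, or an unrecognised string, keeps the bit set: a failure
# to detect must never be reported as a clean host.
vuln_bitmask() {
    dir=$1
    mask=0
    for entry in "spectre_v1:1" "spectre_v2:2" "meltdown:4"; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ -r "$dir/$name" ]; then
            status=$(classify_sysfs "$(cat "$dir/$name")")
        else
            status=unknown
        fi
        case "$status" in
            mitigated|notaffected) ;;
            *) mask=$((mask | bit)) ;;
        esac
    done
    echo "$mask"
}

# Decode a bitmask into the list used in the issue's exit code table.
describe_bitmask() {
    out=""
    [ $(( $1 & 1 )) -ne 0 ] && out="$out spectre-v1"
    [ $(( $1 & 2 )) -ne 0 ] && out="$out spectre-v2"
    [ $(( $1 & 4 )) -ne 0 ] && out="$out meltdown"
    [ -z "$out" ] && out=" none"
    echo "${out# }"
}

# Constructed sample (not a real capture): v1 mitigated, v2 still vulnerable,
# PTI enabled for Meltdown. Expected bitmask: 2.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

# Stand-alone run: pass --live to read the real sysfs directory instead.
if [ "${1:-}" = --live ] && [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    code=$(vuln_bitmask /sys/devices/system/cpu/vulnerabilities)
else
    code=$(vuln_bitmask "$(make_sample_dir)")
fi
echo "exit code $code: vulnerable to: $(describe_bitmask "$code")"
```

A wrapper used for fleet collection would end with `exit "$code"` after that last line; it is left out here so the block can be sourced and its functions called. Note that the bitmask only covers the three original CVEs named in the issue, and that the conservative handling of unknown strings is a deliberate choice: a non-zero code means "not proven safe", not "proven vulnerable".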
Testing the tool against AMI, CentOS 7.4 and SuSE Enterprise Linux after patching with the respective vendor patches. All the tests are with your tool version 0.09. The outputs are given below. Can you please check why the vulnerabilities are reported in spite of installing the patches?
Thank you once again for the tool.
Amazon Linux
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 35 opcodes found, should be >= 60)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Suse Linux Enterprise Desktop/Server
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (91 opcodes found, which is >= 60)
> STATUS: NOT VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
CentOS 7.4
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (112 opcodes found, which is >= 60)
> STATUS: NOT VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Please update doc/disclaimer that root/superuser privileges are required to get accurate results from the script. Normal user results aren't accurate. This is because /sys is checked by the script and owned by root on most (all?) Linuxes.
Output from Centos 6.7 after yum update -y && reboot:
[...]
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
[...]
Is this expected, even after the updates are installed?
Thanks
I have an example where IBRS is enabled only for Kernel space, but the script reports CVE-2017-5715 as not vulnerable. I believe it should report "partially vulnerable" or something like that in such cases.
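As an added example (not code from spectre-meltdown-checker), here is a status decision for CVE-2017-5715 with a third outcome, PARTIALLY VULNERABLE, for the case raised above where IBRS is on for kernel space only, together with an exit-code builder that sets one bit per variant that is still vulnerable. The inputs are the 1/0 signals the checker prints; the function names are mine, and the bit assignment (1, 2, 4 for variants 1, 2, 3) is an assumption.

```shell
#!/bin/sh
# Added example; not code from spectre-meltdown-checker.
# Classifies Spectre variant 2 from the individual signals and folds the
# per-variant results into a bitmask exit code. Bit layout is an assumption.

# Arguments: hw_ibrs kernel_ibrs_support ibrs_kernel ibrs_user retpoline (each 1 or 0).
spectre_v2_status() {
    hw="$1"; ksupport="$2"; ibrs_k="$3"; ibrs_u="$4"; retpoline="$5"
    if [ "$retpoline" = 1 ]; then
        echo "NOT VULNERABLE"              # kernel built with retpolines
    elif [ "$hw" = 1 ] && [ "$ksupport" = 1 ] && [ "$ibrs_k" = 1 ] && [ "$ibrs_u" = 1 ]; then
        echo "NOT VULNERABLE"              # IBRS active for kernel and user space
    elif [ "$hw" = 1 ] && [ "$ksupport" = 1 ] && [ "$ibrs_k" = 1 ]; then
        echo "PARTIALLY VULNERABLE"        # kernel shielded, user space still exposed
    else
        echo "VULNERABLE"
    fi
}

# Arguments: status strings for variant 1, 2 and 3. Anything other than
# NOT VULNERABLE (PARTIALLY VULNERABLE included) sets that variant's bit,
# so a partial mitigation is never reported to callers as a clean pass.
exit_code_for() {
    code=0
    case "$1" in "NOT VULNERABLE") ;; *) code=$((code | 1)) ;; esac
    case "$2" in "NOT VULNERABLE") ;; *) code=$((code | 2)) ;; esac
    case "$3" in "NOT VULNERABLE") ;; *) code=$((code | 4)) ;; esac
    echo "$code"
}

# Stand-alone demonstration on the reported case: IBRS enabled for kernel space only.
main() {
    v2=$(spectre_v2_status 1 1 1 0 0)
    echo "Spectre v2: $v2"
    echo "exit code:  $(exit_code_for "NOT VULNERABLE" "$v2" "NOT VULNERABLE")"
}
main
```

The partial state is deliberately counted as vulnerable in the exit code: a caller that only tests for zero gets the conservative answer, while the printed status tells a human which half of the mitigation is missing.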
This is helpful for programs like help2man.
Thanks.
I've seen a weird case on a VM:
I believe this to be a bad qemu package/runtime/configuration, but I was wondering: would it make sense to add a check for the spec_ctrl flag in /proc/cpuinfo?
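Two of the reports above, the note that unprivileged runs give inaccurate results because /sys is root-only, and the question about checking for the spec_ctrl flag in /proc/cpuinfo, can be handled with the same small pattern. The following is an added example, not code from spectre-meltdown-checker: it reports an attribute the script cannot read as UNKNOWN instead of a confident NO, and it checks a cpuinfo flag as a whole word so that, for instance, ibrs does not match ibrs_enhanced. The function names, the sample cpuinfo text and the sysfs path handling are mine.

```shell
#!/bin/sh
# Added example; not code from spectre-meltdown-checker.
# - read_attr / classify_sysfs_vuln: "cannot read it" (no root, or the kernel
#   does not expose the file) becomes UNKNOWN, never a false YES/NO.
# - cpu_flag_status: whole-word flag lookup on a cpuinfo "flags" line.
# All paths and sample text below are constructed for the example.

# Print the content of attribute file $1. Return 1 if it does not exist,
# 2 if it exists but is not readable (root-only sysfs entry), 3 if cat fails.
read_attr() {
    attr="$1"
    [ -e "$attr" ] || return 1
    [ -r "$attr" ] || return 2
    cat "$attr" 2>/dev/null || return 3
}

# Map a sysfs vulnerabilities entry (e.g. .../vulnerabilities/meltdown) to the
# checker's vocabulary. Any read failure is UNKNOWN so the caller can fall back
# to other heuristics instead of printing a result it did not actually measure.
classify_sysfs_vuln() {
    if value=$(read_attr "$1"); then
        case "$value" in
            "Not affected"*) echo "NOT VULNERABLE" ;;
            Mitigation:*)    echo "NOT VULNERABLE" ;;
            Vulnerable*)     echo "VULNERABLE" ;;
            *)               echo "UNKNOWN" ;;
        esac
    else
        echo "UNKNOWN"
    fi
}

# Print YES or NO depending on whether flag $1 appears as a whole word on the
# first "flags" line of the cpuinfo text passed in $2.
cpu_flag_status() {
    flag="$1"
    line=$(printf '%s\n' "$2" | sed -n '/^flags[[:space:]]*:/{p;q;}')
    case " $line " in
        *" $flag "*) echo YES ;;
        *)           echo NO ;;
    esac
}

# Constructed sample, not a real machine: has ibrs/ibpb/stibp but no spec_ctrl.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
model name : Constructed sample CPU
flags : fpu vme de pse sse sse2 ibrs ibpb stibp
bugs : cpu_meltdown spectre_v1 spectre_v2'

# Stand-alone run: inspect the live sysfs entries (UNKNOWN where absent or unreadable).
main() {
    for v in meltdown spectre_v1 spectre_v2; do
        printf '%s: %s\n' "$v" "$(classify_sysfs_vuln "/sys/devices/system/cpu/vulnerabilities/$v")"
    done
    printf 'spec_ctrl flag in sample: %s\n' "$(cpu_flag_status spec_ctrl "$SAMPLE_CPUINFO")"
}
main
```

Run as root, `[ -r ]` is always true, so the permission branch only ever triggers for an unprivileged user; that is exactly the case where the script should say UNKNOWN rather than guess.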
The following verbosity is lost without --no-sysfs
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: NO
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
Note: Possibly this output is worse verbosity due to a naive test of /sys/kernel/debug/.whatever/ even when /proc/config.gz is showing:
# CONFIG_DEBUG_FS is not set
(edited: earlier reference to: CONFIG_DEBUG_KERNEL was improper)
Not an Issue, informational.
An Automated Spectre Meltdown downloader and checker. Should work on most Linux Distros.
Something for folks who need an easy way to check their system.
https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated
Variant 3 will return a false positive on some ARM-based Android systems that implement busybox, because /system/bin/grep is rather brain dead and cannot handle the following:
grep -qi 'CPU implementer : 0x41' /proc/cpuinfo
However, using the grep that is installed as part of busybox does function properly.
The script makes assumptions about grep that may not hold true on all Linux variants. Please consider implementing some way to override the grep command in the script to allow the use of 'busybox grep' instead. It is possible to do a search and replace, but some of the variables have grep in their name, and this must be done carefully.
mktemp on Slackware for instance follows the BSD convention of requiring 6 Xs rather than 3 Xs.
Otherwise an error message occurs:
mktemp /tmp/blah.XXX
mktemp: cannot create temp file /tmp/blah.XXX: Invalid argument
This should be a simple patch to write, and I'll submit a PR.
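The two portability reports above (a limited /system/bin/grep on Android, and BSD-style mktemp needing six X's on Slackware) are both fixed by the same kind of small indirection. The following is an added example, not code from spectre-meltdown-checker: GREP can be overridden from the environment so every call site picks up `busybox grep`, and temporary files are always created from a six-X template, with a noclobber fallback when mktemp is missing. The function names, the sample ARM cpuinfo text and the fallback naming scheme are mine.

```shell
#!/bin/sh
# Added example; not code from spectre-meltdown-checker.
# Portability helpers for a POSIX sh checker script.

# Override point: GREP='busybox grep' ./script.sh. Left unquoted at the call
# sites on purpose so that a multi-word override is split into command + args.
GREP="${GREP:-grep}"

# Print YES if the cpuinfo text in $1 reports ARM implementer id $2 (0x41 is
# ARM Ltd), else NO. The pattern is plain POSIX BRE so a minimal grep can cope.
arm_implementer_is() {
    if printf '%s\n' "$1" | $GREP -qi "^CPU implementer[[:space:]]*:[[:space:]]*$2"; then
        echo YES
    else
        echo NO
    fi
}

# Return 0 when a mktemp template ends in at least six X's, 1 otherwise.
# GNU mktemp accepts three, BSD-style mktemp rejects anything under six.
template_ok() {
    case "$1" in
        *XXXXXX) return 0 ;;
        *)       return 1 ;;
    esac
}

# Create a temp file and print its path. Uses mktemp with a six-X template;
# without mktemp, falls back to noclobber (set -C) so a pre-existing file at
# the chosen path is never silently reused.
make_tmpfile() {
    prefix="${1:-smc}"
    dir="${TMPDIR:-/tmp}"
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/$prefix.XXXXXX"
    else
        f="$dir/$prefix.$$.$(date +%s)"
        if ( set -C; : > "$f" ) 2>/dev/null; then
            echo "$f"
        else
            return 1
        fi
    fi
}

# Constructed sample of an ARM /proc/cpuinfo, not taken from a real device.
SAMPLE_ARM_CPUINFO='processor : 0
model name : Constructed ARMv7 sample
CPU implementer : 0x41
CPU architecture: 7
CPU part : 0xc09'

# Stand-alone demonstration.
main() {
    echo "ARM Ltd implementer in sample: $(arm_implementer_is "$SAMPLE_ARM_CPUINFO" 0x41)"
    t=$(make_tmpfile demo) && { echo "temp file: $t"; rm -f "$t"; }
}
main
```

Because grep is reached only through `$GREP`, a search-and-replace over the script is no longer needed, and variables that happen to contain "grep" in their names are untouched.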
I'm glad I found this repository. I have had everything unplugged for 5 days now. I'm pretty sure everything in my house is infected, including my phone; I had a new one.
Now, today, after much research I still have no idea what is really going on. But earlier I wiped my infected drive using a fresh Ubuntu USB from a different location and on a different machine; I used gparted and broke the zeros to everything and erased all partitions.
After that I booted up with another fresh USB that never touched the system and installed Ubuntu before it got another wipe.
After finally getting into the system I checked my files and saw the same directory as before, the same one you guys see, unable to view them, CPU microcode stuff, all the Meltdown symptoms. I even saw some bash scripts running before it booted up; it took about a minute and a half to get to the desktop, which isn't normal. So basically this thing infected a brand new install, and I saw it after I wiped the entire hard drive, etcetera, so I don't know. I guess I need new hardware all around. This is ridiculous; I haven't been able to work for a week and I will probably have to buy a new computer.