Bug in the detection script "spectre-meltdown--a79614b.sh" (Version: 2.3)?

Hi support.

From my comment on article "Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715" ( https://access.redhat.com/security/vulnerabilities/speculativeexecution#comment-1285831 ):

The detection script "spectre-meltdown--a79614b.sh" (Version: 2.3) does not accurately identify vulnerabilities for pre-Skylake CPUs. For example, from your article (https://access.redhat.com/articles/3311301#architectural-defaults-11):

"pti=1 ibrs=0 retp=1 ibpb=1-> fix variant#1 #2 #3 for pre-Skylake cpus"

It's true on my old server with a fresh BIOS:

Kernel is Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64
CPU is Intel(R) Pentium(R) CPU G850 @ 2.90GHz
# cat /sys/kernel/debug/x86/pti_enabled
1
# cat /sys/kernel/debug/x86/ibrs_enabled
0
# cat /sys/kernel/debug/x86/retp_enabled
1
# cat /sys/kernel/debug/x86/ibpb_enabled
1

I.e., again from your article above:

"For Intel processors prior to Skylake, Retpolines are used instead of the ibrs feature for mitigation against Spectre variant 2."

I.e., my old server with a fresh BIOS and kernel is completely protected from the above-mentioned vulnerabilities. But your detection script claims the opposite, for example:

# ./spectre-meltdown--a79614b.sh

This script is primarily designed to detect Spectre / Meltdown on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Detected CPU vendor: Intel
Running kernel: 3.10.0-693.21.1.el7.x86_64

Variant #1 (Spectre): Mitigated
CVE-2017-5753 - speculative execution bounds-check bypass
   - Kernel with mitigation patches: OK

Variant #2 (Spectre): Vulnerable
CVE-2017-5715 - speculative execution branch target injection
   - Kernel with mitigation patches: OK
   - HW support / updated microcode: YES
   - IBRS: Not disabled on kernel commandline
   - IBPB: Not disabled on kernel commandline

Variant #3 (Meltdown): Vulnerable
CVE-2017-5754 - speculative execution permission faults handling
   - Kernel with mitigation patches: OK
   - PTI: Not disabled on kernel commandline

Red Hat recommends that you:

Note about virtualization
In virtualized environment, there are more steps to mitigate the issue, including:
* Host needs to have updated kernel and CPU microcode
* Host needs to have updated virtualization software
* Guest needs to have updated kernel
* Hypervisor needs to propagate new CPU features correctly
For more details about mitigations in virtualized environment see:
https://access.redhat.com/articles/3331571

For more information about the vulnerabilities see:
https://access.redhat.com/security/vulnerabilities/speculativeexecution

It's like a script bug. What do you say about this?
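As an added example (not Red Hat's detection script and not part of the post), the following POSIX shell checker reads the same four debugfs knobs the post cats and applies the pre-Skylake rule the post quotes from the Red Hat article, where ibrs=0 together with retp=1 still counts as a variant #2 mitigation. It assumes a pre-Skylake Intel CPU, root and a mounted debugfs; the function names and the "Mitigated (retpoline)" wording are my own.

```shell
#!/bin/sh
# Added example, not the Red Hat script. Applies the rule quoted in the post:
# on pre-Skylake Intel CPUs, pti=1 ibrs=0 retp=1 ibpb=1 mitigates variants 1-3,
# because retpolines stand in for IBRS. Assumes a pre-Skylake CPU.

# Read one knob from debugfs (needs root and a mounted debugfs); "?" if unreadable.
read_knob() {
    f="/sys/kernel/debug/x86/$1_enabled"
    if [ -r "$f" ]; then cat "$f"; else echo "?"; fi
}

# variant2_status IBRS RETP IBPB -> "Mitigated (ibrs)", "Mitigated (retpoline)"
# or "Vulnerable". Variant #2 needs IBPB plus either IBRS or retpolines, so a
# bare ibrs=0 is not a finding when retp=1 (the case the post describes).
variant2_status() {
    ibrs=$1; retp=$2; ibpb=$3
    [ "$ibpb" = "1" ] || { echo "Vulnerable"; return; }
    case "$ibrs" in
        [1-9]*) echo "Mitigated (ibrs)" ;;
        *) if [ "$retp" = "1" ]; then echo "Mitigated (retpoline)"; else echo "Vulnerable"; fi ;;
    esac
}

# variant3_status PTI -> "Mitigated" or "Vulnerable" (Meltdown depends on PTI only).
variant3_status() {
    if [ "$1" = "1" ]; then echo "Mitigated"; else echo "Vulnerable"; fi
}

# summary PTI IBRS RETP IBPB -> one line, e.g. for the post's server:
#   pti=1 ibrs=0 retp=1 ibpb=1 -> v2=Mitigated (retpoline) v3=Mitigated
summary() {
    printf 'pti=%s ibrs=%s retp=%s ibpb=%s -> v2=%s v3=%s\n' \
        "$1" "$2" "$3" "$4" "$(variant2_status "$2" "$3" "$4")" "$(variant3_status "$1")"
}

# Report on the running system using the same files the post reads.
report() {
    summary "$(read_knob pti)" "$(read_knob ibrs)" "$(read_knob retp)" "$(read_knob ibpb)"
}

report
```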
