False positive for CVE-2017-5715 on linux 6.9, retpoline not recognized

[Salz]

Tested on Linux 6.9-rc1 and 6.9-rc2, the script reports being vulnerable to CVE-2017-5715 despite having retpoline enabled in the kernel:

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling, PBRSB-eIBRS: Not affected)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  NO
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

This is because the kernel option name changed from CONFIG_RETPOLINE to CONFIG_MITIGATION_RETPOLINE in 6.9-rc1.

To check for both options i changed the grep call to
grep -q '^CONFIG_\(MITIGATION_\)\?RETPOLINE=y'
in the script, which marks CVS-2017-5715 as fixed again.

[sateuwdie]

The bug is still present in the latest version of git repo, checked today

[EverybodyGetsHurt]

The bug is still present in the latest version of git repo, checked today

Confirmed, same here.

[famzah]

FTR, here is the change of the kernel option name:

• https://patchwork.kernel.org/project/netdevbpf/patch/20231121160740.1249350-6-leitao@debian.org/
• https://lore.kernel.org/lkml/Ze8LpCezZ4yHRBnk@gmail.com/

Breno Leitao (10):
      x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
      x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY       => CONFIG_MITIGATION_IBPB_ENTRY
      x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING  => CONFIG_MITIGATION_CALL_DEPTH_TRACKING
      x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
      x86/bugs: Rename CONFIG_RETPOLINE            => CONFIG_MITIGATION_RETPOLINE
      x86/bugs: Rename CONFIG_SLS                  => CONFIG_MITIGATION_SLS
      x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY      => CONFIG_MITIGATION_UNRET_ENTRY
      x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY       => CONFIG_MITIGATION_IBRS_ENTRY
      x86/bugs: Rename CONFIG_CPU_SRSO             => CONFIG_MITIGATION_SRSO
      x86/bugs: Rename CONFIG_RETHUNK              => CONFIG_MITIGATION_RETHUNK

[famzah]

A quick "grep" in "spectre-meltdown-checker" shows that the following options are affected and still used with the their old names:

CONFIG_CPU_IBPB_ENTRY
CONFIG_PAGE_TABLE_ISOLATION
CONFIG_RETPOLINE
CONFIG_CPU_SRSO

But let's focus on "CONFIG_RETPOLINE" for which this issue is opened here.

[sateuwdie]

Waiting for a patch I made a SlackBuild with a quick and dirty "fix"

#!/bin/bash
set -e

CWD=`pwd`
TMP=${TMP:-/tmp/MG}
PKG=$TMP/package-spectre-meltdown-checker
PRGNAM=spectre-meltdown-checker
VERSION=`date +%m%ygit`
CHOST=x86_64
ARCH=${ARCH:-x86_64}
BUILD=1mg

if [ "$ARCH" = "i386" ]; then
  SLKCFLAGS="-O2 -march=i386 -mcpu=i686"
elif [ "$ARCH" = "i486" ]; then
  SLKCFLAGS="-O2 -march=i486 -mtune=i686"
elif [ "$ARCH" = "i686" ]; then
  SLKCFLAGS="-O2"
elif [ "$ARCH" = "s390" ]; then
  SLKCFLAGS="-O2"
elif [ "$ARCH" = "x86_64" ]; then
  SLKCFLAGS="-O2 -fPIC"
fi

if [ ! -d $TMP ]; then
 mkdir -p $TMP
fi
if [ ! -d $PKG ]; then
 mkdir -p $PKG
fi

# Prepare
GITURL=https://github.com/speed47/spectre-meltdown-checker.git

cd $TMP

if [ -z "$PRGNAM-$VERSION" -o ! -e "$PRGNAM-$VERSION" ]
then
git clone $GITURL $PRGNAM-$VERSION
elif [ -f "$PRGNAM" ]
then
echo "the dir is a file! EXIT"
exit 1
elif [ -d "$PRGNAM-$VERSION" ]
then
 cd $PRGNAM-$VERSION && git pull && cd ..
fi

cd $PRGNAM-$VERSION

# Install
mkdir -p $PKG/usr/bin/ $PKG/usr/doc/$PRGNAM-$VERSION 
install -m 755  spectre-meltdown-checker.sh $PKG/usr/bin/spectre-meltdown-checker.sh
install -m 644 README.md $PKG/usr/doc/$PRGNAM-$VERSION/README.md

# Fix for kernel 6.9
NUM1=`uname -r`
NUM2=6.9

if [[ `echo "$NUM1 $NUM2" | awk '{print ($NUM1 >= $NUM2)}'` == 1 ]]; then
sed -i s:CONFIG_RETPOLINE:CONFIG_MITIGATION_RETPOLINE:g $PKG/usr/bin/spectre-meltdown-checker.sh
fi

cd $PKG
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || echo
find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || echo
find . | xargs file | grep "current ar archive" | cut -f 1 -d : | xargs strip -g 2> /dev/null || echo

mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild

# Packaging
makepkg -l y -c n $CWD/$PRGNAM-$VERSION-$ARCH-$BUILD.txz

if [ "$1" = "--cleanup" ]; then
  rm -rf $TMP
fi

[sateuwdie]

Tested and works fine

uname -r
6.9.3

spectre-meltdown-checker.sh
....
 SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK `CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK CVE-2022-40982:OK CVE-2023-20569:OK CVE-2023-23583:OK`

[TinCanTech]

@sateuwdie This is not important but your use of if,elif, elif ... screams case to me.

[sateuwdie]

I ever follow this motto

"when swimming don't care about the time to reach the beach from a long distance
only care about reach it alive and not tired"

in IT

"don't care about the code, the important thing is that works" :)

[TinCanTech]

Your if, elif, needs an else, in case you got eaten by a shark! ;-)

[sateuwdie]

Your if, elif, needs an else, in case you got eaten by a shark! ;-)

There is a solution: avoid warm water which are better for swim (less fatigue)
but also the home of "warm water fauna" like sharks, jellyfish, etc.
and prefer cold water (more fatigue, less sharks)

[TinCanTech]

Deadly sea snakes like to inhabit shore-lines.

My original point was only a coding style note, other than that, this is all hyperbolic.

[sateuwdie]

Deadly sea snakes like to inhabit shore-lines.

My original point was only a coding style note, other than that, this is all hyperbolic.

I understand, but I ever had a "raw" approach: if work don't spent time with not beautify code
but go to the next work :)

[TinCanTech]

I ever had a "raw" approach: if work don't spent time with not beautify code but go to the next work

To state that in human readable form:

• I'm too busy to write good code but I will waste time arguing with you.

It is time to drop this. https://xkcd.com/386/

[speed47]

FTR, here is the change of the kernel option name:

* [patchwork.kernel.org/project/netdevbpf/patch/20231121160740.1249350-6-leitao@debian.org](https://patchwork.kernel.org/project/netdevbpf/patch/20231121160740.1249350-6-leitao@debian.org/)

* [lore.kernel.org/lkml/Ze8LpCezZ4yHRBnk@gmail.com](https://lore.kernel.org/lkml/Ze8LpCezZ4yHRBnk@gmail.com/)

Breno Leitao (10):
      x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
      x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY       => CONFIG_MITIGATION_IBPB_ENTRY
      x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING  => CONFIG_MITIGATION_CALL_DEPTH_TRACKING
      x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
      x86/bugs: Rename CONFIG_RETPOLINE            => CONFIG_MITIGATION_RETPOLINE
      x86/bugs: Rename CONFIG_SLS                  => CONFIG_MITIGATION_SLS
      x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY      => CONFIG_MITIGATION_UNRET_ENTRY
      x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY       => CONFIG_MITIGATION_IBRS_ENTRY
      x86/bugs: Rename CONFIG_CPU_SRSO             => CONFIG_MITIGATION_SRSO
      x86/bugs: Rename CONFIG_RETHUNK              => CONFIG_MITIGATION_RETHUNK

Thanks, this saved me some research time!