Skip to content

Commit

Permalink
Improve sysfs vulnerability parsing (#568)
Browse files Browse the repository at this point in the history
The existing sysfs vulnerability parsing routines expected the data provided by the kernel to start with either "Not Affected"/"Vulnerable"/"Mitigation"; however, there are a handful of vulnerabilities that can provide data not matching this expectation:

- https://elixir.bootlin.com/linux/v6.1.53/source/arch/x86/kernel/cpu/bugs.c#L2519
- https://elixir.bootlin.com/linux/v6.1.53/source/arch/x86/kernel/cpu/bugs.c#L546
- https://elixir.bootlin.com/linux/v6.1.53/source/arch/x86/kernel/cpu/bugs.c#L2578

Modify the vulnerability parsing to make use of a 4th state ("Unknown"), which is used when the vulnerability information can't be parsed to any of the other vulnerability states, and output the information provided by the kernel, rather than erroring out.

Vulnerability parsing tests have been updated to include the aforementioned vulnerability data.

Signed-off-by: João Lima <jlima@cloudflare.com>
Co-authored-by: Ben Kochie <superq@gmail.com>
  • Loading branch information
jopelima and SuperQ authored Sep 22, 2023
1 parent 340d4b8 commit 5056707
Showing 3 changed files with 22 additions and 6 deletions.
16 changes: 13 additions & 3 deletions sysfs/vulnerability.go
Original file line number Diff line number Diff line change
@@ -17,7 +17,6 @@
package sysfs

import (
"fmt"
"os"
"path/filepath"
"strings"
@@ -27,12 +26,14 @@ const (
notAffected = "not affected" // based on: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu
vulnerable = "vulnerable"
mitigation = "mitigation"
unknown = "unknown"
)

const (
VulnerabilityStateNotAffected = iota
VulnerabilityStateVulnerable
VulnerabilityStateMitigation
VulnerabilityStateUnknown
)

var (
@@ -42,6 +43,7 @@ var (
VulnerabilityStateNotAffected: notAffected,
VulnerabilityStateVulnerable: vulnerable,
VulnerabilityStateMitigation: mitigation,
VulnerabilityStateUnknown: unknown,
}
)

@@ -98,9 +100,17 @@ func parseVulnerability(name, rawContent string) (*Vulnerability, error) {
if len(m) > 1 {
v.Mitigation = strings.Join(m[1:], " ")
}
case strings.HasPrefix(rawContentLower, unknown):
v.State = VulnerabilityStateUnknown
m := strings.Fields(rawContent)
if len(m) > 1 {
v.Mitigation = strings.Join(m[1:], " ")
}
default:
return nil, fmt.Errorf("unknown vulnerability state for %s: %s", name, rawContent)

// Output the raw data obtained from the vulnerability, with state
// unknown, rather than erroring out
v.State = VulnerabilityStateUnknown
v.Mitigation = rawContent
}
return v, nil
}
5 changes: 3 additions & 2 deletions sysfs/vulnerability_test.go
Original file line number Diff line number Diff line change
@@ -38,14 +38,15 @@ func TestFS_CPUVulnerabilities(t *testing.T) {
want *Vulnerability
wantErr bool
}{
{"Not affected", "itlb_multihit", &Vulnerability{CodeName: "itlb_multihit", State: VulnerabilityStateNotAffected, Mitigation: ""}, false},
{"Not affected with underscores", "tsx_async_abort", &Vulnerability{CodeName: "tsx_async_abort", State: VulnerabilityStateNotAffected, Mitigation: ""}, false},
{"Not affected", "tsx_async_abort", &Vulnerability{CodeName: "tsx_async_abort", State: VulnerabilityStateNotAffected, Mitigation: ""}, false},
{"Mitigation simple string", "spec_store_bypass", &Vulnerability{CodeName: "spec_store_bypass", State: VulnerabilityStateMitigation, Mitigation: "Speculative Store Bypass disabled via prctl"}, false},
{"Mitigation special chars", "retbleed", &Vulnerability{CodeName: "retbleed", State: VulnerabilityStateMitigation, Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, false},
{"Mitigation more special chars", "spectre_v1", &Vulnerability{CodeName: "spectre_v1", State: VulnerabilityStateMitigation, Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, false},
{"Mitigation with multiple subsections", "spectre_v2", &Vulnerability{CodeName: "spectre_v2", State: VulnerabilityStateMitigation, Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, false},
{"Vulnerable", "mds", &Vulnerability{CodeName: "mds", State: VulnerabilityStateVulnerable, Mitigation: ""}, false},
{"Vulnerable with mitigation available", "mmio_stale_data", &Vulnerability{CodeName: "mmio_stale_data", State: VulnerabilityStateVulnerable, Mitigation: "Clear CPU buffers attempted, no microcode"}, false},
{"Unknown", "srbds", &Vulnerability{CodeName: "srbds", State: VulnerabilityStateUnknown, Mitigation: "Dependent on hypervisor status"}, false},
{"Unknown with unparseable mitigation", "itlb_multihit", &Vulnerability{CodeName: "itlb_multihit", State: VulnerabilityStateUnknown, Mitigation: "KVM: Mitigation: VMX unsupported"}, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
7 changes: 6 additions & 1 deletion testdata/fixtures.ttar
Original file line number Diff line number Diff line change
@@ -13239,7 +13239,7 @@ Mode: 755
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: fixtures/sys/devices/system/cpu/vulnerabilities/itlb_multihit
Lines: 1
Not affected
KVM: Mitigation: VMX unsupported
Mode: 444
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: fixtures/sys/devices/system/cpu/vulnerabilities/mds
@@ -13272,6 +13272,11 @@ Lines: 1
Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected
Mode: 444
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: fixtures/sys/devices/system/cpu/vulnerabilities/srbds
Lines: 1
Unknown: Dependent on hypervisor status
Mode: 444
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: fixtures/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Lines: 1
Not affected

0 comments on commit 5056707

Please sign in to comment.