Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD
Bot releases are visible (Hide)
This release mainly focuses on the detection of the new Zenbleed (CVE-2023-20593) vulnerability, among few other changes that were in line waiting for a release:
Thanks to the following contributors: @ShadowCurse and @rakino
Published by speed47 over 2 years ago
An intermediary release with preparatory work needed to integrate support for new vulns BHI and intra-mode BTI (Spectre V2-like), along with other changes that were in the pipe in the last few months:
--cpu
, to conduct MSR read/writes and cpuinfo checks on a given CPU/core number. By default, the first core is used (id 0). --cpu all
is also supported, to query all cores and report whether there is discrepancies between coresIPRED_CTRL
, RRSBA_CTRL
, and BHI_CTRL
feature bits checks in cpuinfo, these are needed to mitigate BHI and Intra-mode BTI (https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html)read_cpuid
, needed to query support of new bits in the IA32_SPEC_CTRL
MSR--allow-msr-write
, and no longer write to MSRs by default, to avoid spurious messages in kernel logs, as more and more distros default having msr.allow_writes to default (allow but log a warning) or even off, which prevents writing from userspace altogether. This also fixes #385. When the cpuid bit indicating the presence of a write-only MSR is set, we'll now make the assumption that it exists, unless --allow-msr-write
is specified, in which case we'll also check that.TMPDIR
(#415 #424)extract_kernel
: don't overwrite kernel_err if already setread_cpuid
/read_msr
/write_msr
: use named constants for better maintainabilityfwdb
to v222+i20220208
Published by speed47 almost 4 years ago
Quite a big release this time again:
A lot of changes made it to this release:
--update-mcedb
to update it (a builtin version is included)--batch short
option for one line result--cve
parameter to selectively test vulnerabilities--batch
now implies --no-color
to avoid colored warningsdd
binary: using perl
or the msr-tools
when these are presentdd
versions--no-explain
)retp_enabled
knob in sysfs--paranoid
to make IBPB required in addition to retpoline for Variant 2Published by speed47 over 6 years ago