From a76f400af6d586b38ec679a73228fd4a2bef0b7e Mon Sep 17 00:00:00 2001 From: Michal Date: Thu, 15 Jun 2023 14:35:23 +0200 Subject: [PATCH] Fix CPUVulnerabilities() reporting from sysfs (#532) Fix CPUVulnerabilities() reporting from sysfs --------- Signed-off-by: Michal Wasilewski Signed-off-by: Michal Co-authored-by: Ben Kochie --- README.md | 4 +- sysfs/vulnerability.go | 81 +++++++++++++++++++++++-------------- sysfs/vulnerability_test.go | 61 ++++++++++++++++++++++++++++ testdata/fixtures.ttar | 43 ++++++++++++++++++++ 4 files changed, 156 insertions(+), 33 deletions(-) create mode 100644 sysfs/vulnerability_test.go diff --git a/README.md b/README.md index 43c37735a..1224816c2 100644 --- a/README.md +++ b/README.md @@ -51,11 +51,11 @@ ensure the `fixtures` directory is up to date by removing the existing directory extracting the ttar file using `make fixtures/.unpacked` or just `make test`. ```bash -rm -rf fixtures +rm -rf testdata/fixtures make test ``` Next, make the required changes to the extracted files in the `fixtures` directory. When the changes are complete, run `make update_fixtures` to create a new `fixtures.ttar` file based on the updated `fixtures` directory. And finally, verify the changes using -`git diff fixtures.ttar`. +`git diff testdata/fixtures.ttar`. diff --git a/sysfs/vulnerability.go b/sysfs/vulnerability.go index 87e701602..08927a21c 100644 --- a/sysfs/vulnerability.go +++ b/sysfs/vulnerability.go @@ -24,33 +24,49 @@ import ( ) const ( - notAffected = "Not Affected" - vulnerable = "Vulnerable" - mitigation = "Mitigation" + notAffected = "not affected" // based on: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu + vulnerable = "vulnerable" + mitigation = "mitigation" +) + +const ( + VulnerabilityStateNotAffected = iota + VulnerabilityStateVulnerable + VulnerabilityStateMitigation +) + +var ( + // VulnerabilityHumanEncoding allows mapping the vulnerability state (encoded as an int) onto a human friendly + // string. It can be used by consumers of this library to expose to the user the state of the vulnerability. + VulnerabilityHumanEncoding = map[int]string{ + VulnerabilityStateNotAffected: notAffected, + VulnerabilityStateVulnerable: vulnerable, + VulnerabilityStateMitigation: mitigation, + } ) // CPUVulnerabilities retrieves a map of vulnerability names to their mitigations. -func (fs FS) CPUVulnerabilities() ([]Vulnerability, error) { - matches, err := filepath.Glob(fs.sys.Path("devices/system/cpu/vulnerabilities/*")) +func (fs FS) CPUVulnerabilities() (map[string]*Vulnerability, error) { + matchingFilepaths, err := filepath.Glob(fs.sys.Path("devices/system/cpu/vulnerabilities/*")) if err != nil { return nil, err } - vulnerabilities := make([]Vulnerability, 0, len(matches)) - for _, match := range matches { - name := filepath.Base(match) + vulnerabilities := make(map[string]*Vulnerability, len(matchingFilepaths)) + for _, path := range matchingFilepaths { + filename := filepath.Base(path) - value, err := os.ReadFile(match) + rawContent, err := os.ReadFile(path) if err != nil { return nil, err } - v, err := parseVulnerability(name, string(value)) + v, err := parseVulnerability(filename, string(rawContent)) if err != nil { return nil, err } - vulnerabilities = append(vulnerabilities, v) + vulnerabilities[filename] = v } return vulnerabilities, nil @@ -59,29 +75,32 @@ func (fs FS) CPUVulnerabilities() ([]Vulnerability, error) { // Vulnerability represents a single vulnerability extracted from /sys/devices/system/cpu/vulnerabilities/. type Vulnerability struct { CodeName string - State string + State int Mitigation string } -func parseVulnerability(name, value string) (Vulnerability, error) { - v := Vulnerability{CodeName: name} - value = strings.TrimSpace(value) - if value == notAffected { - v.State = notAffected - return v, nil - } - - if strings.HasPrefix(value, vulnerable) { - v.State = vulnerable - v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(value, vulnerable), ": ") - return v, nil - } +func parseVulnerability(name, rawContent string) (*Vulnerability, error) { + v := &Vulnerability{CodeName: name} + rawContent = strings.TrimSpace(rawContent) + rawContentLower := strings.ToLower(rawContent) + switch { + case strings.HasPrefix(rawContentLower, notAffected): + v.State = VulnerabilityStateNotAffected + case strings.HasPrefix(rawContentLower, vulnerable): + v.State = VulnerabilityStateVulnerable + m := strings.Fields(rawContent) + if len(m) > 1 { + v.Mitigation = strings.Join(m[1:], " ") + } + case strings.HasPrefix(rawContentLower, mitigation): + v.State = VulnerabilityStateMitigation + m := strings.Fields(rawContent) + if len(m) > 1 { + v.Mitigation = strings.Join(m[1:], " ") + } + default: + return nil, fmt.Errorf("unknown vulnerability state for %s: %s", name, rawContent) - if strings.HasPrefix(value, mitigation) { - v.State = mitigation - v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(value, mitigation), ": ") - return v, nil } - - return v, fmt.Errorf("unknown vulnerability state for %s: %s", name, value) + return v, nil } diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go new file mode 100644 index 000000000..255586d83 --- /dev/null +++ b/sysfs/vulnerability_test.go @@ -0,0 +1,61 @@ +// Copyright 2023 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build linux +// +build linux + +package sysfs + +import ( + "fmt" + "reflect" + "testing" +) + +func TestFS_CPUVulnerabilities(t *testing.T) { + sysFs, err := NewFS(sysTestFixtures) + if err != nil { + t.Fatal(fmt.Errorf("failed to get sysfs FS: %w", err)) + } + got, err := sysFs.CPUVulnerabilities() + if err != nil { + t.Fatal(fmt.Errorf("failed to parse sysfs vulnerabilities files: %w", err)) + } + + tests := []struct { + name string + vulnerabilityName string + want *Vulnerability + wantErr bool + }{ + {"Not affected", "itlb_multihit", &Vulnerability{CodeName: "itlb_multihit", State: VulnerabilityStateNotAffected, Mitigation: ""}, false}, + {"Not affected with underscores", "tsx_async_abort", &Vulnerability{CodeName: "tsx_async_abort", State: VulnerabilityStateNotAffected, Mitigation: ""}, false}, + {"Mitigation simple string", "spec_store_bypass", &Vulnerability{CodeName: "spec_store_bypass", State: VulnerabilityStateMitigation, Mitigation: "Speculative Store Bypass disabled via prctl"}, false}, + {"Mitigation special chars", "retbleed", &Vulnerability{CodeName: "retbleed", State: VulnerabilityStateMitigation, Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, false}, + {"Mitigation more special chars", "spectre_v1", &Vulnerability{CodeName: "spectre_v1", State: VulnerabilityStateMitigation, Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, false}, + {"Mitigation with multiple subsections", "spectre_v2", &Vulnerability{CodeName: "spectre_v2", State: VulnerabilityStateMitigation, Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, false}, + {"Vulnerable", "mds", &Vulnerability{CodeName: "mds", State: VulnerabilityStateVulnerable, Mitigation: ""}, false}, + {"Vulnerable with mitigation available", "mmio_stale_data", &Vulnerability{CodeName: "mmio_stale_data", State: VulnerabilityStateVulnerable, Mitigation: "Clear CPU buffers attempted, no microcode"}, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + gotVulnerability, ok := got[tt.vulnerabilityName] + if !ok && !tt.wantErr { + t.Errorf("CPUVulnerabilities() vulnerability %s not found", tt.vulnerabilityName) + } + if !reflect.DeepEqual(gotVulnerability, tt.want) { + t.Errorf("CPUVulnerabilities() gotVulnerability = %v, want %v", gotVulnerability, tt.want) + } + }) + } +} diff --git a/testdata/fixtures.ttar b/testdata/fixtures.ttar index cc2ff45d8..decfe168b 100644 --- a/testdata/fixtures.ttar +++ b/testdata/fixtures.ttar @@ -13234,6 +13234,49 @@ Lines: 1 2 Mode: 664 # ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Directory: fixtures/sys/devices/system/cpu/vulnerabilities +Mode: 755 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/itlb_multihit +Lines: 1 +Not affected +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/mds +Lines: 1 +Vulnerable +Mode: 644 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/mmio_stale_data +Lines: 1 +Vulnerable: Clear CPU buffers attempted, no microcode +Mode: 644 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/retbleed +Lines: 1 +Mitigation: untrained return thunk; SMT enabled with STIBP protection +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/spec_store_bypass +Lines: 1 +Mitigation: Speculative Store Bypass disabled via prctl +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/spectre_v1 +Lines: 1 +Mitigation: usercopy/swapgs barriers and __user pointer sanitization +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/spectre_v2 +Lines: 1 +Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/tsx_async_abort +Lines: 1 +Not affected +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Directory: fixtures/sys/devices/system/node Mode: 775 # ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -