feat: implement CVE-2024-36350 CVE-2024-36357 (Transient Scheduler Attack)

2026-04-02 13:17:07 +02:00 · 2026-03-30 21:13:21 +02:00
parent 5a0c391b06
commit 05e09bb7f4
7 changed files with 292 additions and 2 deletions
--- a/src/vulns/CVE-2024-36357.sh
+++ b/src/vulns/CVE-2024-36357.sh
@@ -0,0 +1,102 @@
+# vim: set ts=4 sw=4 sts=4 et:
+####################
+# TSA-L1 section
+
+# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - entry point
+check_CVE_2024_36357() {
+    check_cve 'CVE-2024-36357'
+}
+
+# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
+check_CVE_2024_36357_linux() {
+    local status sys_interface_available msg kernel_tsa kernel_tsa_err ret
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    if sys_interface_check "$VULN_SYSFS_BASE/tsa"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports TSA mitigation: "
+        kernel_tsa=''
+        kernel_tsa_err=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_tsa_err="$g_kernel_err"
+        # commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation()
+        elif grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
+            kernel_tsa="found TSA mitigation message in kernel image"
+        fi
+        if [ -z "$kernel_tsa" ] && [ -r "$opt_config" ]; then
+            if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then
+                kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
+            fi
+        fi
+        if [ -z "$kernel_tsa" ] && [ -n "$g_kernel_map" ]; then
+            if grep -q 'tsa_select_mitigation' "$g_kernel_map"; then
+                kernel_tsa="found tsa_select_mitigation in System.map"
+            fi
+        fi
+        if [ -n "$kernel_tsa" ]; then
+            pstatus green YES "$kernel_tsa"
+        elif [ -n "$kernel_tsa_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_tsa_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* CPU explicitly indicates not vulnerable to TSA-L1 (TSA_L1_NO): "
+        if [ "$cap_tsa_l1_no" = 1 ]; then
+            pstatus green YES
+        elif [ "$cap_tsa_l1_no" = 0 ]; then
+            pstatus yellow NO
+        else
+            pstatus yellow UNKNOWN "couldn't read CPUID leaf 0x80000021"
+        fi
+
+        pr_info_nol "* Microcode supports VERW buffer clearing: "
+        if [ "$cap_verw_clear" = 1 ]; then
+            pstatus green YES
+        elif [ "$cap_verw_clear" = 0 ]; then
+            pstatus yellow NO
+        else
+            pstatus yellow UNKNOWN "couldn't read CPUID leaf 0x80000021"
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_sysfs_only" != 1 ]; then
+            if [ "$cap_verw_clear" = 1 ] && [ -n "$kernel_tsa" ]; then
+                pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
+            elif [ "$cap_verw_clear" = 1 ]; then
+                pvulnstatus "$cve" VULN "Microcode supports mitigation but kernel is too old"
+                explain "Update your kernel to a version that supports CONFIG_MITIGATION_TSA (Linux 6.16+),\n " \
+                    "or check if your distribution has backported the TSA mitigation."
+            elif [ -n "$kernel_tsa" ]; then
+                pvulnstatus "$cve" VULN "Kernel supports mitigation but microcode is too old"
+                explain "Update your CPU microcode via a BIOS/firmware update from your OEM.\n " \
+                    "The microcode must expose the VERW_CLEAR capability (CPUID 0x80000021 EAX bit 5)."
+            else
+                pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
+                explain "Both a kernel update (CONFIG_MITIGATION_TSA, Linux 6.16+) and a microcode/firmware update\n " \
+                    "from your OEM are needed to mitigate this vulnerability."
+            fi
+        else
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}