peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-03 05:37:11 +02:00
Code Issues Projects Releases Wiki Activity

enh: rework VERSION adjust when we're cloned

Browse Source 
built from commit cb3b9a37fa
 dated 2026-04-02 22:32:22 +0200
 by Stéphane Lesimple (speed47_github@speed47.net)
This commit is contained in:
github-actions[bot]
2026-04-02 20:35:00 +00:00
parent fbfdb89e7a
commit 240d6db210
5 changed files with 682 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/build.yml vendored
View File

@@ -17,6 +17,8 @@ jobs:
persist-credentials: true
- name: install prerequisites
run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
- name: update Intel model list
run: ./scripts/update_intel_models.sh
- name: build and check
run: |
make build fmt-check shellcheck

2
.github/workflows/expected_cve_count vendored
View File

@@ -1 +1 @@
21
23

12
README.md
View File

@@ -22,6 +22,8 @@ CVE | Name | Aliases
[CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX Asynchronous Abort | TAA, ZombieLoad V2
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS, CROSSTalk
[CVE-2022-29900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (AMD)
[CVE-2022-29901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (Intel), RSBA
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | Downfall, GDS
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, SRSO
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
@@ -51,6 +53,8 @@ CVE-2019-11091 (MDSUM, RIDL) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + k
CVE-2019-11135 (TAA, ZombieLoad V2) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2018-12207 (iTLB Multihit, No eXcuses) | ✅ | ✅ | ☠️ | ✅ | Hypervisor update (or disable hugepages)
CVE-2020-0543 (SRBDS, CROSSTalk) | 💥 (2) | 💥 (2) | 💥 (2) | 💥 (2) | Microcode + kernel update
CVE-2022-29900 (Retbleed AMD) | 💥 | ✅ | 💥 | ✅ | Kernel update (+ microcode for IBPB)
CVE-2022-29901 (Retbleed Intel, RSBA) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update (eIBRS or IBRS)
CVE-2022-40982 (Downfall, GDS) | 💥 | 💥 | 💥 | 💥 | Microcode update (or disable AVX)
CVE-2023-20569 (Inception, SRSO) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update
CVE-2023-20593 (Zenbleed) | 💥 | 💥 | 💥 | 💥 | Microcode update (or kernel workaround)
@@ -129,6 +133,14 @@ A malicious guest VM can trigger a machine check exception (MCE) — crashing th
Certain special CPU instructions (RDRAND, RDSEED, EGETKEY) read data through a shared staging buffer that is accessible across all cores via speculative execution. An attacker running code on any core can observe the output of these instructions from a victim on a different core, including extracting cryptographic keys from SGX enclaves (a complete ECDSA key was demonstrated). This is notable as one of the first cross-core speculative execution attacks. Mitigation requires a microcode update that serializes access to the staging buffer, plus a kernel update to manage the mitigation. Performance impact is low, mainly affecting workloads that heavily use RDRAND/RDSEED.
**CVE-2022-29900 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed AMD)**
On AMD processors from families 0x15 through 0x17 (Bulldozer through Zen 2) and Hygon family 0x18, an attacker can exploit return instructions to redirect speculative execution and leak kernel memory, bypassing retpoline mitigations that were effective against Spectre V2. Unlike Spectre V2 which targets indirect jumps and calls, Retbleed specifically targets return instructions, which were previously considered safe. Mitigation requires a kernel update providing either the untrained return thunk (safe RET) or IBPB-on-entry mechanism, plus a microcode update providing IBPB support on Zen 1/2. On Zen 1/2, SMT should be disabled for full protection when using IBPB-based mitigation. Performance impact is medium.
**CVE-2022-29901 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed Intel, RSBA)**
On Intel Skylake through Rocket Lake processors with RSB Alternate Behavior (RSBA), return instructions can be speculatively redirected via the Branch Target Buffer when the Return Stack Buffer underflows, bypassing retpoline mitigations. Mitigation requires either Enhanced IBRS (eIBRS, via microcode update) or a kernel compiled with IBRS-on-entry support (Linux 5.19+). Call depth tracking (stuffing) is an alternative mitigation available from Linux 6.2+. Plain retpoline does NOT mitigate this vulnerability on RSBA-capable CPUs. Performance impact is medium to high.
**CVE-2022-40982 — Gather Data Sampling (GDS, Downfall)**
The AVX GATHER instructions can leak data from previously used vector registers across privilege boundaries through the shared gather data buffer. This affects any software using AVX2 or AVX-512 on vulnerable Intel processors. Mitigation is provided by a microcode update that clears the gather buffer, or alternatively by disabling the AVX feature entirely. Performance impact is negligible for most workloads but can be significant (up to 50%) for AVX-heavy applications such as HPC and AI inference.

639
spectre-meltdown-checker.sh
View File

@@ -13,7 +13,7 @@
#
# Stephane Lesimple
#
VERSION='26.21.0402815'
VERSION='26.23.0402857'
# --- Common paths and basedirs ---
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -46,8 +46,8 @@ exit_cleanup() {
# if we were git clone'd, adjust VERSION
if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
g_describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
[ -n "$g_describe" ] && VERSION=$(echo "$g_describe" | sed -e s/^v//)
g_commit=$(git -C "$(dirname "$0")" describe --always --dirty --abbrev=7 --match=- 2>/dev/null)
[ -n "$g_commit" ] && VERSION="$VERSION-git$g_commit"
fi
# >>>>>> libs/002_core_globals.sh <<<<<<
@@ -209,6 +209,8 @@ CVE-2018-12207|ITLBMH|itlbmh|No eXcuses, iTLB Multihit, machine check exception
CVE-2020-0543|SRBDS|srbds|Special Register Buffer Data Sampling (SRBDS)
CVE-2023-20593|ZENBLEED|zenbleed|Zenbleed, cross-process information leak
CVE-2022-40982|DOWNFALL|downfall|Downfall, gather data sampling (GDS)
CVE-2022-29900|RETBLEED AMD|retbleed|Retbleed, arbitrary speculative code execution with return instructions (AMD)
CVE-2022-29901|RETBLEED INTEL|retbleed|Retbleed, arbitrary speculative code execution with return instructions (Intel)
CVE-2023-20569|INCEPTION|inception|Inception, return address security (RAS)
CVE-2023-23583|REPTAR|reptar|Reptar, redundant prefix issue
CVE-2024-36350|TSA_SQ|tsa|Transient Scheduler Attack - Store Queue (TSA-SQ)
@@ -253,6 +255,114 @@ fi
# still empty? fallback to builtin
[ -z "$g_echo_cmd" ] && g_echo_cmd='echo'
# >>>>>> libs/003_intel_models.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
# AUTO-GENERATED FILE — DO NOT EDIT MANUALLY.
# Generated by scripts/update_intel_models.sh from:
# https://raw.githubusercontent.com/torvalds/linux/refs/heads/master/arch/x86/include/asm/intel-family.h
# Run scripts/update_intel_models.sh to refresh when new Intel CPU families are added to the kernel.
# shellcheck disable=SC2034
{
readonly INTEL_FAM5_PENTIUM_75=$((0x02)) # /* P54C */
readonly INTEL_FAM5_PENTIUM_MMX=$((0x04)) # /* P55C */
readonly INTEL_FAM5_QUARK_X1000=$((0x09)) # /* Quark X1000 SoC */
readonly INTEL_FAM6_PENTIUM_PRO=$((0x01))
readonly INTEL_FAM6_PENTIUM_II_KLAMATH=$((0x03))
readonly INTEL_FAM6_PENTIUM_III_DESCHUTES=$((0x05))
readonly INTEL_FAM6_PENTIUM_III_TUALATIN=$((0x0B))
readonly INTEL_FAM6_PENTIUM_M_DOTHAN=$((0x0D))
readonly INTEL_FAM6_CORE_YONAH=$((0x0E))
readonly INTEL_FAM6_CORE2_MEROM=$((0x0F))
readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16))
readonly INTEL_FAM6_CORE2_PENRYN=$((0x17))
readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D))
readonly INTEL_FAM6_NEHALEM=$((0x1E))
readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */
readonly INTEL_FAM6_NEHALEM_EP=$((0x1A))
readonly INTEL_FAM6_NEHALEM_EX=$((0x2E))
readonly INTEL_FAM6_WESTMERE=$((0x25))
readonly INTEL_FAM6_WESTMERE_EP=$((0x2C))
readonly INTEL_FAM6_WESTMERE_EX=$((0x2F))
readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A))
readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D))
readonly INTEL_FAM6_IVYBRIDGE=$((0x3A))
readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E))
readonly INTEL_FAM6_HASWELL=$((0x3C))
readonly INTEL_FAM6_HASWELL_X=$((0x3F))
readonly INTEL_FAM6_HASWELL_L=$((0x45))
readonly INTEL_FAM6_HASWELL_G=$((0x46))
readonly INTEL_FAM6_BROADWELL=$((0x3D))
readonly INTEL_FAM6_BROADWELL_G=$((0x47))
readonly INTEL_FAM6_BROADWELL_X=$((0x4F))
readonly INTEL_FAM6_BROADWELL_D=$((0x56))
readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */
readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* Sky Lake */
readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */
readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* Sky Lake */
readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */
readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */
readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */
readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */
readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */
readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */
readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */
readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */
readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */
readonly INTEL_FAM6_EMERALDRAPIDS_X=$((0xCF)) # /* Raptor Cove */
readonly INTEL_FAM6_GRANITERAPIDS_X=$((0xAD)) # /* Redwood Cove */
readonly INTEL_FAM6_GRANITERAPIDS_D=$((0xAE))
readonly INTEL_FAM19_DIAMONDRAPIDS_X=$((0x01)) # /* Panther Cove */
readonly INTEL_FAM6_BARTLETTLAKE=$((0xD7)) # /* Raptor Cove */
readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */
readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */
readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */
readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) # /* Raptor Cove / Enhanced Gracemont */
readonly INTEL_FAM6_RAPTORLAKE_P=$((0xBA))
readonly INTEL_FAM6_RAPTORLAKE_S=$((0xBF))
readonly INTEL_FAM6_METEORLAKE=$((0xAC)) # /* Redwood Cove / Crestmont */
readonly INTEL_FAM6_METEORLAKE_L=$((0xAA))
readonly INTEL_FAM6_ARROWLAKE_H=$((0xC5)) # /* Lion Cove / Skymont */
readonly INTEL_FAM6_ARROWLAKE=$((0xC6))
readonly INTEL_FAM6_ARROWLAKE_U=$((0xB5))
readonly INTEL_FAM6_LUNARLAKE_M=$((0xBD)) # /* Lion Cove / Skymont */
readonly INTEL_FAM6_PANTHERLAKE_L=$((0xCC)) # /* Cougar Cove / Darkmont */
readonly INTEL_FAM6_WILDCATLAKE_L=$((0xD5))
readonly INTEL_FAM18_NOVALAKE=$((0x01)) # /* Coyote Cove / Arctic Wolf */
readonly INTEL_FAM18_NOVALAKE_L=$((0x03)) # /* Coyote Cove / Arctic Wolf */
readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */
readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */
readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */
readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */
readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */
readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */
readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */
readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */
readonly INTEL_FAM6_ATOM_SILVERMONT_MID2=$((0x5A)) # /* Anniedale */
readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */
readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */
readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */
readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) # /* Denverton */
readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */
readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */
readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */
readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */
readonly INTEL_FAM6_ATOM_GRACEMONT=$((0xBE)) # /* Alderlake N */
readonly INTEL_FAM6_ATOM_CRESTMONT_X=$((0xAF)) # /* Sierra Forest */
readonly INTEL_FAM6_ATOM_CRESTMONT=$((0xB6)) # /* Grand Ridge */
readonly INTEL_FAM6_ATOM_DARKMONT_X=$((0xDD)) # /* Clearwater Forest */
readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */
readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */
readonly INTEL_FAM15_P4_WILLAMETTE=$((0x01)) # /* Also Xeon Foster */
readonly INTEL_FAM15_P4_PRESCOTT=$((0x03))
readonly INTEL_FAM15_P4_PRESCOTT_2M=$((0x04))
readonly INTEL_FAM15_P4_CEDARMILL=$((0x06)) # /* Also Xeon Dempsey */
}
# >>>>>> libs/100_output_print.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
@@ -470,6 +580,8 @@ is_cpu_affected() {
_set_immune inception
# TSA is AMD specific (Zen 3/4), look for "is_amd" below:
_set_immune tsa
# Retbleed: AMD (CVE-2022-29900) and Intel (CVE-2022-29901) specific:
_set_immune retbleed
# Downfall & Reptar are Intel specific, look for "is_intel" below:
_set_immune downfall
_set_immune reptar
@@ -569,7 +681,7 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_NP" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
@@ -680,6 +792,27 @@ is_cpu_affected() {
fi
done
# Retbleed (Intel, CVE-2022-29901): Skylake through Rocket Lake, or any CPU with RSBA
# kernel cpu_vuln_blacklist for RETBLEED (6b80b59b3555, 6ad0ad2bf8a6, f54d45372c6a)
# plus ARCH_CAP_RSBA catch-all (bit 2 of IA32_ARCH_CAPABILITIES)
if [ "$cap_rsba" = 1 ]; then
_set_vuln retbleed
elif [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_CANNONLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_LAKEFIELD" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then
_set_vuln retbleed
fi
fi
elif is_amd || is_hygon; then
# AMD revised their statement about affected_variant2 => affected
# https://www.amd.com/en/corporate/speculative-execution
@@ -716,6 +849,11 @@ is_cpu_affected() {
_set_vuln tsa
fi
# Retbleed (AMD, CVE-2022-29900): families 0x15-0x17 (kernel X86_BUG_RETBLEED)
if [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ] || [ "$cpu_family" = $((0x17)) ]; then
_set_vuln retbleed
fi
elif [ "$cpu_vendor" = CAVIUM ]; then
_set_immune variant3
_set_immune variant3a
@@ -839,7 +977,7 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] ||
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
@@ -858,12 +996,12 @@ is_cpu_affected() {
_infer_immune itlbmh
fi
# shellcheck disable=SC2154 # affected_zenbleed/inception/tsa/downfall/reptar set via eval (_set_immune)
# shellcheck disable=SC2154 # affected_zenbleed/inception/retbleed/tsa/downfall/reptar set via eval (_set_immune)
{
pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a"
pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds"
pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds"
pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar"
pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception retbleed=$affected_retbleed tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar"
}
affected_variantl1tf_sgx="$affected_variantl1tf"
# even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
@@ -2606,76 +2744,6 @@ parse_cpu_details() {
g_ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x pfid 0x%x" \
"$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid" "$cpu_platformid")
# also define those that we will need in other funcs
# taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h
# curl -s 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/include/asm/intel-family.h' | awk '/#define INTEL_FAM6/ {print $2"=$(( "$3" )) # "$4,$5,$6,$7,$8,$9}' | sed -Ee 's/ +$//'
# shellcheck disable=SC2034
{
readonly INTEL_FAM6_CORE_YONAH=$((0x0E)) #
readonly INTEL_FAM6_CORE2_MEROM=$((0x0F)) #
readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16)) #
readonly INTEL_FAM6_CORE2_PENRYN=$((0x17)) #
readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D)) #
readonly INTEL_FAM6_NEHALEM=$((0x1E)) #
readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */
readonly INTEL_FAM6_NEHALEM_EP=$((0x1A)) #
readonly INTEL_FAM6_NEHALEM_EX=$((0x2E)) #
readonly INTEL_FAM6_WESTMERE=$((0x25)) #
readonly INTEL_FAM6_WESTMERE_EP=$((0x2C)) #
readonly INTEL_FAM6_WESTMERE_EX=$((0x2F)) #
readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A)) #
readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D)) #
readonly INTEL_FAM6_IVYBRIDGE=$((0x3A)) #
readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E)) #
readonly INTEL_FAM6_HASWELL=$((0x3C)) #
readonly INTEL_FAM6_HASWELL_X=$((0x3F)) #
readonly INTEL_FAM6_HASWELL_L=$((0x45)) #
readonly INTEL_FAM6_HASWELL_G=$((0x46)) #
readonly INTEL_FAM6_BROADWELL=$((0x3D)) #
readonly INTEL_FAM6_BROADWELL_G=$((0x47)) #
readonly INTEL_FAM6_BROADWELL_X=$((0x4F)) #
readonly INTEL_FAM6_BROADWELL_D=$((0x56)) #
readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */
readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* Sky Lake */
readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */
readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* Sky Lake */
readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */
readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */
readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */
readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */
readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */
readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */
readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */
readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */
readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */
readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */
readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */
readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */
readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) #
readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */
readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */
readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */
readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */
readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */
readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */
readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */
readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */
readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */
readonly INTEL_FAM6_ATOM_AIRMONT_MID=$((0x5A)) # /* Moorefield */
readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */
readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */
readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) # /* Denverton */
readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */
readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */
readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */
readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */
readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */
readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */
}
g_parse_cpu_details_done=1
}
# Check whether the CPU vendor is Hygon
@@ -7502,6 +7570,423 @@ check_CVE_2020_0543_bsd() {
fi
}
# >>>>>> vulns/CVE-2022-29900.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
###############################
# CVE-2022-29900, Retbleed (AMD), Arbitrary Speculative Code Execution with Return Instructions
check_CVE_2022_29900() {
check_cve 'CVE-2022-29900'
}
check_CVE_2022_29900_linux() {
local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_unret kernel_ibpb_entry smt_enabled
status=UNK
sys_interface_available=0
msg=''
#
# Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901)
#
# --- sysfs messages ---
# all versions:
# "Not affected" (cpu_show_common, pre-existing)
#
# --- mainline ---
# 6b80b59b3555 (v5.19-rc7, initial retbleed sysfs):
# "Vulnerable\n" (hardcoded, no enum yet)
# 7fbf47c7ce50 (v5.19-rc7, retbleed= boot parameter):
# "Vulnerable" (RETBLEED_MITIGATION_NONE)
# "Mitigation: untrained return thunk" (RETBLEED_MITIGATION_UNRET)
# "Vulnerable: untrained return thunk on non-Zen uarch" (UNRET on non-AMD/Hygon)
# 6ad0ad2bf8a6 (v5.19-rc7, Intel mitigations):
# "Mitigation: IBRS" (RETBLEED_MITIGATION_IBRS)
# "Mitigation: Enhanced IBRS" (RETBLEED_MITIGATION_EIBRS)
# 3ebc17006888 (v5.19-rc7, retbleed=ibpb):
# "Mitigation: IBPB" (RETBLEED_MITIGATION_IBPB)
# e8ec1b6e08a2 (v5.19-rc7, STIBP for JMP2RET):
# UNRET now appends SMT status:
# "Mitigation: untrained return thunk; SMT disabled"
# "Mitigation: untrained return thunk; SMT enabled with STIBP protection"
# "Mitigation: untrained return thunk; SMT vulnerable"
# e6cfcdda8cbe (v6.0-rc1, STIBP for IBPB):
# IBPB now appends SMT status, non-AMD message changed:
# "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch"
# "Mitigation: IBPB; SMT disabled"
# "Mitigation: IBPB; SMT enabled with STIBP protection"
# "Mitigation: IBPB; SMT vulnerable"
# d82a0345cf21 (v6.2-rc1, call depth tracking):
# "Mitigation: Stuffing" (RETBLEED_MITIGATION_STUFF)
# e3b78a7ad5ea (v6.16-rc1, restructure):
# added RETBLEED_MITIGATION_AUTO (internal, resolved before display)
# no new sysfs strings
#
# all messages start with either "Not affected", "Vulnerable", or "Mitigation"
#
# --- stable backports ---
# 4.14.y, 4.19.y, 5.4.y: Intel-only mitigations (IBRS, eIBRS); no UNRET, IBPB, STUFF;
# no SMT status display; simplified retbleed_show_state().
# 5.10.y, 5.15.y, 6.1.y: full mitigations (NONE, UNRET, IBPB, IBRS, EIBRS);
# SMT status appended for UNRET/IBPB; no STUFF.
# 6.6.y, 6.12.y: adds STUFF (call depth tracking). 6.12.y uses INTEL_ model prefix.
# all stable: single retbleed_select_mitigation() (no update/apply split).
#
# --- RHEL/CentOS ---
# centos7 (~4.18): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF; SMT status for UNRET;
# no Hygon check; no UNRET_ENTRY/IBPB_ENTRY/IBRS_ENTRY Kconfig symbols;
# unique cpu_in_retbleed_whitelist() function for Intel.
# rocky8 (~4.18/5.14): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF;
# CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY, CONFIG_CPU_IBRS_ENTRY (old names).
# rocky9 (~6.x): same as mainline; CONFIG_MITIGATION_* names; has STUFF.
# rocky10 (~6.12+): same as mainline; has select/update/apply split.
#
# --- Kconfig symbols ---
# f43b9876e857 (v5.19-rc7): CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY,
# CONFIG_CPU_IBRS_ENTRY
# 80e4c1cd42ff (v6.2-rc1): CONFIG_CALL_DEPTH_TRACKING
# ac61d43983a4 (v6.9-rc1): renamed to CONFIG_MITIGATION_UNRET_ENTRY,
# CONFIG_MITIGATION_IBPB_ENTRY, CONFIG_MITIGATION_IBRS_ENTRY,
# CONFIG_MITIGATION_CALL_DEPTH_TRACKING
# 894e28857c11 (v6.12-rc1): CONFIG_MITIGATION_RETBLEED (master switch)
#
# --- kernel functions (for $opt_map / System.map) ---
# 7fbf47c7ce50 (v5.19-rc7): retbleed_select_mitigation()
# e3b78a7ad5ea (v6.16-rc1): split into retbleed_select_mitigation() +
# retbleed_update_mitigation() + retbleed_apply_mitigation()
# vendor kernels: centos7/rocky8/rocky9 have retbleed_select_mitigation() only;
# rocky10 has the full split.
#
# --- CPU affection logic (for is_cpu_affected) ---
# X86_BUG_RETBLEED is set when X86_FEATURE_BTC_NO is NOT set AND either:
# (a) CPU matches cpu_vuln_blacklist[] RETBLEED entries, OR
# (b) ARCH_CAP_RSBA is set in IA32_ARCH_CAPABILITIES MSR
# 6b80b59b3555 (v5.19-rc7, initial AMD):
# AMD: family 0x15, 0x16, 0x17; Hygon: family 0x18
# 6ad0ad2bf8a6 (v5.19-rc7, Intel):
# Intel: SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE,
# ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE
# + any Intel with ARCH_CAP_RSBA set
# 26aae8ccbc19 (v5.19-rc7, BTC_NO):
# AMD Zen 3+ with BTC_NO are excluded
# f54d45372c6a (post-v5.19, Cannon Lake):
# Intel: + CANNONLAKE_L
# immunity: X86_FEATURE_BTC_NO (AMD) — Zen 3+ declare not affected
# vendor scope: AMD (0x15-0x17), Hygon (0x18), Intel (Skylake through Rocket Lake + RSBA)
#
if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports mitigation: "
if [ -n "$g_kernel_err" ]; then
kernel_retbleed_err="$g_kernel_err"
elif grep -q 'retbleed' "$g_kernel"; then
kernel_retbleed="found retbleed mitigation logic in kernel image"
fi
if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then
if grep -q 'retbleed_select_mitigation' "$opt_map"; then
kernel_retbleed="found retbleed_select_mitigation in System.map"
fi
fi
if [ -n "$kernel_retbleed" ]; then
pstatus green YES "$kernel_retbleed"
elif [ -n "$kernel_retbleed_err" ]; then
pstatus yellow UNKNOWN "$kernel_retbleed_err"
else
pstatus yellow NO
fi
pr_info_nol "* Kernel compiled with UNRET_ENTRY support (untrained return thunk): "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_UNRET_ENTRY: Linux < 6.9
# CONFIG_MITIGATION_UNRET_ENTRY: Linux >= 6.9
if grep -Eq '^CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y' "$opt_config"; then
pstatus green YES
kernel_unret="CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y found in kernel config"
else
pstatus yellow NO
fi
else
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif [ -n "$kernel_retbleed" ]; then
# if the kernel has retbleed logic, assume UNRET_ENTRY is likely compiled in
# (we can't tell for certain without the config)
kernel_unret="retbleed mitigation logic present in kernel (UNRET_ENTRY status unknown)"
pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify"
else
pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic"
fi
fi
pr_info_nol "* Kernel compiled with IBPB_ENTRY support: "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_IBPB_ENTRY: Linux < 6.9
# CONFIG_MITIGATION_IBPB_ENTRY: Linux >= 6.9
if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y' "$opt_config"; then
pstatus green YES
kernel_ibpb_entry="CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y found in kernel config"
else
pstatus yellow NO
fi
else
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif [ -n "$kernel_retbleed" ]; then
kernel_ibpb_entry="retbleed mitigation logic present in kernel (IBPB_ENTRY status unknown)"
pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify"
else
pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic"
fi
fi
# Zen/Zen+/Zen2: check IBPB microcode support and SMT
if [ "$cpu_family" = $((0x17)) ]; then
pr_info_nol "* CPU supports IBPB: "
if [ "$opt_live" = 1 ]; then
if [ -n "$cap_ibpb" ]; then
pstatus green YES "$cap_ibpb"
else
pstatus yellow NO
fi
else
pstatus blue N/A "not testable in offline mode"
fi
pr_info_nol "* Hyper-Threading (SMT) is enabled: "
is_cpu_smt_enabled
smt_enabled=$?
if [ "$smt_enabled" = 0 ]; then
pstatus yellow YES
else
pstatus green NO
fi
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$cpu_family" = $((0x17)) ]; then
# Zen/Zen+/Zen2
if [ -z "$kernel_retbleed" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic"
elif [ "$opt_paranoid" = 1 ] && [ "$smt_enabled" = 0 ]; then
pvulnstatus "$cve" VULN "SMT is enabled, which weakens the IBPB-based mitigation"
explain "For Zen/Zen+/Zen2 CPUs in paranoid mode, proper mitigation needs SMT to be disabled\n" \
"(this can be done by adding \`nosmt\` to your kernel command line), because IBPB alone\n" \
"doesn't fully protect cross-thread speculation."
elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in"
elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_live" = 1 ]; then
pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB"
explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \
"\`nosmt\` to your kernel command line."
else
pvulnstatus "$cve" OK "Your kernel and CPU support mitigation"
fi
elif [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ]; then
# older AMD families: basic mitigation check
if [ -z "$kernel_retbleed" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic"
elif [ -n "$kernel_unret" ] || [ -n "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" OK "Your kernel supports mitigation"
else
pvulnstatus "$cve" VULN "Your kernel doesn't have UNRET_ENTRY or IBPB_ENTRY compiled-in"
fi
else
# not supposed to happen
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
fi
else
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
pvulnstatus "$cve" "$status" "$msg"
fi
}
check_CVE_2022_29900_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
# >>>>>> vulns/CVE-2022-29901.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
###############################
# CVE-2022-29901, Retbleed (Intel), RSB Alternate Behavior (RSBA)
check_CVE_2022_29901() {
check_cve 'CVE-2022-29901'
}
check_CVE_2022_29901_linux() {
local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_ibrs_entry
status=UNK
sys_interface_available=0
msg=''
#
# Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901)
#
# See CVE-2022-29900.sh for the full sysfs/Kconfig/function/stable/vendor inventory.
#
# Intel-specific notes:
# - eIBRS (IBRS_ALL) mitigates the vulnerability on Intel
# - plain retpoline does NOT mitigate on RSBA-capable CPUs (Retbleed bypasses retpoline)
# - IBRS entry also mitigates
# - call depth tracking / stuffing mitigates (v6.2+)
#
# --- Kconfig symbols (Intel-relevant) ---
# CONFIG_CPU_IBRS_ENTRY (< 6.9) / CONFIG_MITIGATION_IBRS_ENTRY (>= 6.9): Intel IBRS
# CONFIG_CALL_DEPTH_TRACKING (< 6.9) / CONFIG_MITIGATION_CALL_DEPTH_TRACKING (>= 6.9): stuffing
#
# --- CPU affection logic (Intel) ---
# 6ad0ad2bf8a6 (v5.19-rc7, initial Intel list):
# SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE,
# ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE
# f54d45372c6a (post-v5.19): + CANNONLAKE_L
# + any Intel with ARCH_CAP_RSBA set in IA32_ARCH_CAPABILITIES MSR (bit 2)
# immunity: none (no _NO bit for RETBLEED on Intel; eIBRS is a mitigation, not immunity)
#
if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports mitigation: "
if [ -n "$g_kernel_err" ]; then
kernel_retbleed_err="$g_kernel_err"
elif grep -q 'retbleed' "$g_kernel"; then
kernel_retbleed="found retbleed mitigation logic in kernel image"
fi
if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then
if grep -q 'retbleed_select_mitigation' "$opt_map"; then
kernel_retbleed="found retbleed_select_mitigation in System.map"
fi
fi
if [ -n "$kernel_retbleed" ]; then
pstatus green YES "$kernel_retbleed"
elif [ -n "$kernel_retbleed_err" ]; then
pstatus yellow UNKNOWN "$kernel_retbleed_err"
else
pstatus yellow NO
fi
pr_info_nol "* Kernel compiled with IBRS_ENTRY support: "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_IBRS_ENTRY: Linux < 6.9
# CONFIG_MITIGATION_IBRS_ENTRY: Linux >= 6.9
if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y' "$opt_config"; then
pstatus green YES
kernel_ibrs_entry="CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y found in kernel config"
else
pstatus yellow NO
fi
else
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif [ -n "$kernel_retbleed" ]; then
kernel_ibrs_entry="retbleed mitigation logic present in kernel (IBRS_ENTRY status unknown)"
pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify"
else
pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic"
fi
fi
pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): "
if [ "$opt_live" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then
if [ "$cap_ibrs_all" = 1 ]; then
pstatus green YES
elif [ "$cap_ibrs_all" = 0 ]; then
pstatus yellow NO
else
pstatus yellow UNKNOWN
fi
else
pstatus blue N/A "not testable in offline mode"
fi
pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): "
if [ "$opt_live" = 1 ] || [ "$cap_rsba" != -1 ]; then
if [ "$cap_rsba" = 1 ]; then
pstatus yellow YES "this CPU is affected by RSB underflow"
elif [ "$cap_rsba" = 0 ]; then
pstatus green NO
else
pstatus yellow UNKNOWN
fi
else
pstatus blue N/A "not testable in offline mode"
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
if [ -z "$kernel_retbleed" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic"
elif [ "$cap_ibrs_all" = 1 ]; then
if [ "$opt_paranoid" = 1 ] && [ "$cap_rrsba" = 1 ]; then
pvulnstatus "$cve" VULN "eIBRS is enabled but RRSBA is present, which may weaken the mitigation"
explain "In paranoid mode, the combination of eIBRS and RRSBA (Restricted RSB Alternate Behavior)\n" \
"is flagged because RRSBA means the RSB can still be influenced in some scenarios.\n" \
"Check if your firmware/kernel supports disabling RRSBA via RRSBA_CTRL."
else
pvulnstatus "$cve" OK "Enhanced IBRS (IBRS_ALL) mitigates the vulnerability"
fi
elif [ -n "$kernel_ibrs_entry" ]; then
pvulnstatus "$cve" OK "Your kernel has IBRS_ENTRY mitigation compiled-in"
else
pvulnstatus "$cve" VULN "Your kernel has retbleed mitigation but IBRS_ENTRY is not compiled-in and eIBRS is not available"
explain "Retpoline alone does NOT mitigate Retbleed on RSBA-capable Intel CPUs.\n" \
"You need either Enhanced IBRS (eIBRS, via firmware/microcode update) or a kernel\n" \
"compiled with IBRS_ENTRY support (Linux 5.19+, CONFIG_(CPU|MITIGATION)_IBRS_ENTRY)."
fi
else
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
pvulnstatus "$cve" "$status" "$msg"
fi
}
check_CVE_2022_29901_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}
# >>>>>> vulns/CVE-2022-40982.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:

105
src/libs/003_intel_models.sh Normal file
View File

@@ -0,0 +1,105 @@
# vim: set ts=4 sw=4 sts=4 et:
# AUTO-GENERATED FILE — DO NOT EDIT MANUALLY.
# Generated by scripts/update_intel_models.sh from:
# https://raw.githubusercontent.com/torvalds/linux/refs/heads/master/arch/x86/include/asm/intel-family.h
# Run scripts/update_intel_models.sh to refresh when new Intel CPU families are added to the kernel.
# shellcheck disable=SC2034
{
readonly INTEL_FAM5_PENTIUM_75=$((0x02)) # /* P54C */
readonly INTEL_FAM5_PENTIUM_MMX=$((0x04)) # /* P55C */
readonly INTEL_FAM5_QUARK_X1000=$((0x09)) # /* Quark X1000 SoC */
readonly INTEL_FAM6_PENTIUM_PRO=$((0x01))
readonly INTEL_FAM6_PENTIUM_II_KLAMATH=$((0x03))
readonly INTEL_FAM6_PENTIUM_III_DESCHUTES=$((0x05))
readonly INTEL_FAM6_PENTIUM_III_TUALATIN=$((0x0B))
readonly INTEL_FAM6_PENTIUM_M_DOTHAN=$((0x0D))
readonly INTEL_FAM6_CORE_YONAH=$((0x0E))
readonly INTEL_FAM6_CORE2_MEROM=$((0x0F))
readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16))
readonly INTEL_FAM6_CORE2_PENRYN=$((0x17))
readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D))
readonly INTEL_FAM6_NEHALEM=$((0x1E))
readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */
readonly INTEL_FAM6_NEHALEM_EP=$((0x1A))
readonly INTEL_FAM6_NEHALEM_EX=$((0x2E))
readonly INTEL_FAM6_WESTMERE=$((0x25))
readonly INTEL_FAM6_WESTMERE_EP=$((0x2C))
readonly INTEL_FAM6_WESTMERE_EX=$((0x2F))
readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A))
readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D))
readonly INTEL_FAM6_IVYBRIDGE=$((0x3A))
readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E))
readonly INTEL_FAM6_HASWELL=$((0x3C))
readonly INTEL_FAM6_HASWELL_X=$((0x3F))
readonly INTEL_FAM6_HASWELL_L=$((0x45))
readonly INTEL_FAM6_HASWELL_G=$((0x46))
readonly INTEL_FAM6_BROADWELL=$((0x3D))
readonly INTEL_FAM6_BROADWELL_G=$((0x47))
readonly INTEL_FAM6_BROADWELL_X=$((0x4F))
readonly INTEL_FAM6_BROADWELL_D=$((0x56))
readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */
readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* Sky Lake */
readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */
readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* Sky Lake */
readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */
readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */
readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */
readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */
readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */
readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */
readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */
readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */
readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */
readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */
readonly INTEL_FAM6_EMERALDRAPIDS_X=$((0xCF)) # /* Raptor Cove */
readonly INTEL_FAM6_GRANITERAPIDS_X=$((0xAD)) # /* Redwood Cove */
readonly INTEL_FAM6_GRANITERAPIDS_D=$((0xAE))
readonly INTEL_FAM19_DIAMONDRAPIDS_X=$((0x01)) # /* Panther Cove */
readonly INTEL_FAM6_BARTLETTLAKE=$((0xD7)) # /* Raptor Cove */
readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */
readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */
readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */
readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) # /* Raptor Cove / Enhanced Gracemont */
readonly INTEL_FAM6_RAPTORLAKE_P=$((0xBA))
readonly INTEL_FAM6_RAPTORLAKE_S=$((0xBF))
readonly INTEL_FAM6_METEORLAKE=$((0xAC)) # /* Redwood Cove / Crestmont */
readonly INTEL_FAM6_METEORLAKE_L=$((0xAA))
readonly INTEL_FAM6_ARROWLAKE_H=$((0xC5)) # /* Lion Cove / Skymont */
readonly INTEL_FAM6_ARROWLAKE=$((0xC6))
readonly INTEL_FAM6_ARROWLAKE_U=$((0xB5))
readonly INTEL_FAM6_LUNARLAKE_M=$((0xBD)) # /* Lion Cove / Skymont */
readonly INTEL_FAM6_PANTHERLAKE_L=$((0xCC)) # /* Cougar Cove / Darkmont */
readonly INTEL_FAM6_WILDCATLAKE_L=$((0xD5))
readonly INTEL_FAM18_NOVALAKE=$((0x01)) # /* Coyote Cove / Arctic Wolf */
readonly INTEL_FAM18_NOVALAKE_L=$((0x03)) # /* Coyote Cove / Arctic Wolf */
readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */
readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */
readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */
readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */
readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */
readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */
readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */
readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */
readonly INTEL_FAM6_ATOM_SILVERMONT_MID2=$((0x5A)) # /* Anniedale */
readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */
readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */
readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */
readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) # /* Denverton */
readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */
readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */
readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */
readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */
readonly INTEL_FAM6_ATOM_GRACEMONT=$((0xBE)) # /* Alderlake N */
readonly INTEL_FAM6_ATOM_CRESTMONT_X=$((0xAF)) # /* Sierra Forest */
readonly INTEL_FAM6_ATOM_CRESTMONT=$((0xB6)) # /* Grand Ridge */
readonly INTEL_FAM6_ATOM_DARKMONT_X=$((0xDD)) # /* Clearwater Forest */
readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */
readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */
readonly INTEL_FAM15_P4_WILLAMETTE=$((0x01)) # /* Also Xeon Foster */
readonly INTEL_FAM15_P4_PRESCOTT=$((0x03))
readonly INTEL_FAM15_P4_PRESCOTT_2M=$((0x04))
readonly INTEL_FAM15_P4_CEDARMILL=$((0x06)) # /* Also Xeon Dempsey */
}