feat: implement CVE-2024-36350 CVE-2024-36357 (Transient Scheduler Attack)

2026-04-01 12:47:07 +02:00 · 2026-03-30 21:13:21 +02:00
parent ce4a019cee
commit 3088a4f72f
7 changed files with 292 additions and 2 deletions
--- a/src/libs/002_core_globals.sh
+++ b/src/libs/002_core_globals.sh
@@ -157,6 +157,8 @@ CVE-2023-20593|ZENBLEED|zenbleed|Zenbleed, cross-process information leak
 CVE-2022-40982|DOWNFALL|downfall|Downfall, gather data sampling (GDS)
 CVE-2023-20569|INCEPTION|inception|Inception, return address security (RAS)
 CVE-2023-23583|REPTAR|reptar|Reptar, redundant prefix issue
+CVE-2024-36350|TSA_SQ|tsa|Transient Scheduler Attack - Store Queue (TSA-SQ)
+CVE-2024-36357|TSA_L1|tsa|Transient Scheduler Attack - L1 (TSA-L1)
 '

 # Derive the supported CVE list from the registry
--- a/src/libs/200_cpu_affected.sh
+++ b/src/libs/200_cpu_affected.sh
@@ -74,6 +74,8 @@ is_cpu_affected() {
    # Zenbleed and Inception are both AMD specific, look for "is_amd" below:
    affected_zenbleed=immune
    affected_inception=immune
+    # TSA is AMD specific (Zen 3/4), look for "is_amd" below:
+    affected_tsa=immune
    # Downfall & Reptar are Intel specific, look for "is_intel" below:
    affected_downfall=immune
    affected_reptar=immune
@@ -295,6 +297,16 @@ is_cpu_affected() {
            affected_inception=vuln
        fi

+        # TSA (Zen 3/4 are affected, unless CPUID says otherwise)
+        if [ "$cap_tsa_sq_no" = 1 ] && [ "$cap_tsa_l1_no" = 1 ]; then
+            # capability bits for AMD processors that explicitly state
+            # they're not affected to TSA-SQ and TSA-L1
+            # these vars are set in check_cpu()
+            pr_debug "is_cpu_affected: TSA_SQ_NO and TSA_L1_NO are set so not vuln to TSA"
+        elif [ "$cpu_family" = $((0x19)) ]; then
+            affected_tsa=vuln
+        fi
+
    elif [ "$cpu_vendor" = CAVIUM ]; then
        affected_variant3=immune
        affected_variant3a=immune
@@ -455,6 +467,7 @@ is_cpu_affected() {
    [ "$affected_downfall" = "immune" ] && affected_downfall=1 || affected_downfall=0
    [ "$affected_inception" = "immune" ] && affected_inception=1 || affected_inception=0
    [ "$affected_reptar" = "immune" ] && affected_reptar=1 || affected_reptar=0
+    [ "$affected_tsa" = "immune" ] && affected_tsa=1 || affected_tsa=0
    affected_variantl1tf_sgx="$affected_variantl1tf"
    # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
    [ "$cap_sgx" = 0 ] && affected_variantl1tf_sgx=1
--- a/src/libs/230_util_optparse.sh
+++ b/src/libs/230_util_optparse.sh
@@ -166,7 +166,7 @@ while [ -n "${1:-}" ]; do
        case "$2" in
            help)
                echo "The following parameters are supported for --variant (can be used multiple times):"
-                echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, inception"
+                echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, inception, reptar, tsa, tsa-sq, tsa-l1"
                exit 0
                ;;
            1)
@@ -237,6 +237,18 @@ while [ -n "${1:-}" ]; do
                opt_cve_list="$opt_cve_list CVE-2023-23583"
                opt_cve_all=0
                ;;
+            tsa)
+                opt_cve_list="$opt_cve_list CVE-2024-36350 CVE-2024-36357"
+                opt_cve_all=0
+                ;;
+            tsa-sq)
+                opt_cve_list="$opt_cve_list CVE-2024-36350"
+                opt_cve_all=0
+                ;;
+            tsa-l1)
+                opt_cve_list="$opt_cve_list CVE-2024-36357"
+                opt_cve_all=0
+                ;;
            *)
                echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2
                exit 255
--- a/src/libs/400_hw_check.sh
+++ b/src/libs/400_hw_check.sh
@@ -963,6 +963,51 @@ check_cpu() {
        fi
    fi

+    if is_amd || is_hygon; then
+        pr_info "  * Transient Scheduler Attacks"
+        pr_info_nol "    * CPU indicates TSA_SQ_NO: "
+        cap_tsa_sq_no=''
+        read_cpuid 0x80000021 0x0 $ECX 1 1 1
+        ret=$?
+        if [ $ret = $READ_CPUID_RET_OK ]; then
+            pstatus green YES
+            cap_tsa_sq_no=1
+        elif [ $ret = $READ_CPUID_RET_KO ]; then
+            pstatus yellow NO
+            cap_tsa_sq_no=0
+        else
+            pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
+        fi
+
+        pr_info_nol "    * CPU indicates TSA_L1_NO: "
+        cap_tsa_l1_no=''
+        read_cpuid 0x80000021 0x0 $ECX 2 1 1
+        ret=$?
+        if [ $ret = $READ_CPUID_RET_OK ]; then
+            pstatus green YES
+            cap_tsa_l1_no=1
+        elif [ $ret = $READ_CPUID_RET_KO ]; then
+            pstatus yellow NO
+            cap_tsa_l1_no=0
+        else
+            pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
+        fi
+
+        pr_info_nol "    * CPU indicates VERW clears CPU buffers: "
+        cap_verw_clear=''
+        read_cpuid 0x80000021 0x0 $EAX 5 1 1
+        ret=$?
+        if [ $ret = $READ_CPUID_RET_OK ]; then
+            pstatus green YES
+            cap_verw_clear=1
+        elif [ $ret = $READ_CPUID_RET_KO ]; then
+            pstatus yellow NO
+            cap_verw_clear=0
+        else
+            pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
+        fi
+    fi
+
    pr_info_nol "  * CPU supports Transactional Synchronization Extensions (TSX): "
    ret=$READ_CPUID_RET_KO
    cap_rtm=0