fix: --sysfs-only path for CVE-2018-12207 CVE-2018-3620

2026-04-02 05:07:07 +02:00 · 2026-03-31 21:35:18 +02:00
parent 123ad1c8e6
commit 35d83e19a8
2 changed files with 24 additions and 12 deletions
--- a/src/vulns/CVE-2018-12207.sh
+++ b/src/vulns/CVE-2018-12207.sh
@@ -64,17 +64,23 @@ check_CVE_2018_12207_linux() {
        pvulnstatus "$cve" OK "this system is not running a hypervisor"
    elif [ -z "$msg" ]; then
        # if msg is empty, sysfs check didn't fill it, rely on our own test
-        if [ "$opt_live" = 1 ]; then
-            # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
-            pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
-        else
-            if [ -n "$kernel_itlbmh" ]; then
-                pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
-            else
+        if [ "$opt_sysfs_only" != 1 ]; then
+            if [ "$opt_live" = 1 ]; then
+                # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
                pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+            else
+                if [ -n "$kernel_itlbmh" ]; then
+                    pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
+                else
+                    pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+                fi
            fi
+        else
+            # --sysfs-only: sysfs was available (otherwise msg would be set), use its result
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
        fi
    else
+        # msg was set explicitly: either sysfs-not-available error, or a sysfs override
        pvulnstatus "$cve" "$status" "$msg"
    fi
 }
--- a/src/vulns/CVE-2018-3620.sh
+++ b/src/vulns/CVE-2018-3620.sh
@@ -63,16 +63,22 @@ check_CVE_2018_3620_linux() {
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
    elif [ -z "$msg" ]; then
        # if msg is empty, sysfs check didn't fill it, rely on our own test
-        if [ "$pteinv_supported" = 1 ]; then
-            if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
-                pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
+        if [ "$opt_sysfs_only" != 1 ]; then
+            if [ "$pteinv_supported" = 1 ]; then
+                if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
+                    pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
+                else
+                    pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
+                fi
            else
-                pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
+                pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
            fi
        else
-            pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
+            # --sysfs-only: sysfs was available (otherwise msg would be set), use its result
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
        fi
    else
+        # msg was set explicitly: either sysfs-not-available error, or a sysfs override
        pvulnstatus "$cve" "$status" "$msg"
    fi
 }