chore: add proper header to all src/vulns/* files

2026-04-11 11:13:21 +02:00 · 2026-04-02 20:47:54 +02:00
parent 5e3033e2f5
commit 3ea8e213ec
21 changed files with 53 additions and 101 deletions
--- a/src/vulns/CVE-2022-40982.sh
+++ b/src/vulns/CVE-2022-40982.sh
@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-#########################
-# Downfall section
+###############################
+# CVE-2022-40982, Downfall, GDS, Gather Data Sampling

-# CVE-2022-40982 Downfall (gather data sampling) - entry point
 check_CVE_2022_40982() {
    check_cve 'CVE-2022-40982'
 }

-# CVE-2022-40982 Downfall (gather data sampling) - Linux mitigation check
 check_CVE_2022_40982_linux() {
    local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret
    status=UNK
@@ -102,13 +100,6 @@ check_CVE_2022_40982_linux() {
        # all messages start with either "Not affected", "Vulnerable", "Mitigation",
        # or "Unknown"
        status=$ret_sys_interface_check_status
-        # Override: when the kernel says "Unknown: Dependent on hypervisor status", it
-        # gave up because it's running as a VM guest and can't read MCU_OPT_CTRL.
-        # We can often do better: the hypervisor may have exposed GDS_NO or GDS_CTRL
-        # to us via ARCH_CAPABILITIES, so let our own Phase 2 checks take over.
-        if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
-            status=UNK
-        fi
    fi

    if [ "$opt_sysfs_only" != 1 ]; then
@@ -210,13 +201,6 @@ check_CVE_2022_40982_linux() {
                pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
                explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \
                    "Remove the kernel parameter to re-enable it."
-            elif [ "$sys_interface_available" = 1 ] &&
-                echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
-                # We're in a VM guest, the kernel gave up, and we couldn't read the
-                # GDS MSR bits either (cap_gds_ctrl != 1). We genuinely can't tell.
-                pvulnstatus "$cve" UNK "Running in a VM, mitigation depends on the hypervisor"
-                explain "This system is running as a virtual machine guest. GDS mitigation must be handled by\n " \
-                    "the host hypervisor. Contact your VM/cloud provider to verify that GDS is mitigated on the host."
            elif [ -z "$kernel_gds" ]; then
                pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
                explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \
@@ -236,7 +220,6 @@ check_CVE_2022_40982_linux() {
    fi
 }

-# CVE-2022-40982 Downfall (gather data sampling) - BSD mitigation check
 check_CVE_2022_40982_bsd() {
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"