chore: add proper header to all src/vulns/* files

DEVELOPMENT.md

@@ -222,12 +222,20 @@ Before writing code, verify the CVE meets the inclusion criteria (see "CVE Inclu
 
 ### Step 1: Create the Vulnerability File
 
-Create `src/vulns/CVE-YYYY-NNNNN.sh`. The file must contain exactly three functions:
+Create `src/vulns/CVE-YYYY-NNNNN.sh`. The file header must follow this exact format:
+
+- **Line 1**: vim modeline (`# vim: set ts=4 sw=4 sts=4 et:`)
+- **Line 2**: 31 `#` characters (`###############################`)
+- **Line 3**: `# CVE-YYYY-NNNNN, Alias1, Alias2, Complete Name` — the CVE number followed by
+  all known aliases and the complete name as listed in the `dist/README.md` top table.
+- **Line 4**: empty
+
+The file must contain exactly three functions:
 
 ```sh
 # vim: set ts=4 sw=4 sts=4 et:
-####################
+###############################
-# SHORT_NAME section
+# CVE-YYYY-NNNNN, Short Name, Complete Name
 
 # CVE-YYYY-NNNNN SHORT_NAME (one-line description) - entry point
 check_CVE_YYYY_NNNNN() {

src/vulns/CVE-2017-5753.sh

@@ -1,14 +1,12 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# SPECTRE 1 SECTION
+# CVE-2017-5753, Spectre V1, Bounds Check Bypass
 
-# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - entry point
 # Sets: (none directly, delegates to check_cve)
 check_CVE_2017_5753() {
     check_cve 'CVE-2017-5753'
 }
 
-# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - Linux mitigation check
 # Sets: g_redhat_canonical_spectre (via check_redhat_canonical_spectre)
 check_CVE_2017_5753_linux() {
     local status sys_interface_available msg v1_kernel_mitigated v1_kernel_mitigated_err v1_mask_nospec ret explain_text
@@ -279,7 +277,6 @@ check_CVE_2017_5753_linux() {
     fi
 }
 
-# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - BSD mitigation check
 check_CVE_2017_5753_bsd() {
     if ! is_cpu_affected "$cve"; then
         pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"

src/vulns/CVE-2017-5754.sh

@@ -1,6 +1,6 @@
 # vim: set ts=4 sw=4 sts=4 et:
-##################
+###############################
-# MELTDOWN SECTION
+# CVE-2017-5754, Meltdown, Rogue Data Cache Load
 
 # no security impact but give a hint to the user in verbose mode
 # about PCID/INVPCID cpuid features that must be present to avoid
@@ -40,12 +40,10 @@ pti_performance_check() {
     fi
 }
 
-# CVE-2017-5754 Meltdown (rogue data cache load) - entry point
 check_CVE_2017_5754() {
     check_cve 'CVE-2017-5754'
 }
 
-# CVE-2017-5754 Meltdown (rogue data cache load) - Linux mitigation check
 check_CVE_2017_5754_linux() {
     local status sys_interface_available msg kpti_support kpti_can_tell kpti_enabled dmesg_grep pti_xen_pv_domU xen_pv_domo xen_pv_domu explain_text
     status=UNK
@@ -248,7 +246,6 @@ check_CVE_2017_5754_linux() {
     fi
 }
 
-# CVE-2017-5754 Meltdown (rogue data cache load) - BSD mitigation check
 check_CVE_2017_5754_bsd() {
     local kpti_enabled
     pr_info_nol "* Kernel supports Page Table Isolation (PTI): "

src/vulns/CVE-2018-12126.sh

@@ -1,8 +1,7 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# MSBDS SECTION
+# CVE-2018-12126, MSBDS, Fallout, Microarchitectural Store Buffer Data Sampling
 
-# CVE-2018-12126 MSBDS (microarchitectural store buffer data sampling) - entry point
 check_CVE_2018_12126() {
     check_cve 'CVE-2018-12126' check_mds
 }

src/vulns/CVE-2018-12127.sh

@@ -1,8 +1,7 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# MLPDS SECTION
+# CVE-2018-12127, MLPDS, RIDL, Microarchitectural Load Port Data Sampling
 
-# CVE-2018-12127 MLPDS (microarchitectural load port data sampling) - entry point
 check_CVE_2018_12127() {
     check_cve 'CVE-2018-12127' check_mds
 }

src/vulns/CVE-2018-12130.sh

@@ -1,8 +1,7 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# MFBDS SECTION
+# CVE-2018-12130, MFBDS, ZombieLoad, Microarchitectural Fill Buffer Data Sampling
 
-# CVE-2018-12130 MFBDS (microarchitectural fill buffer data sampling) - entry point
 check_CVE_2018_12130() {
     check_cve 'CVE-2018-12130' check_mds
 }

src/vulns/CVE-2018-12207.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-#######################
+###############################
-# iTLB Multihit section
+# CVE-2018-12207, iTLB Multihit, No eXcuses, Machine Check Exception on Page Size Changes
 
-# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - entry point
 check_CVE_2018_12207() {
     check_cve 'CVE-2018-12207'
 }
 
-# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - Linux mitigation check
 check_CVE_2018_12207_linux() {
     local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err
     status=UNK
@@ -85,7 +83,6 @@ check_CVE_2018_12207_linux() {
     fi
 }
 
-# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - BSD mitigation check
 check_CVE_2018_12207_bsd() {
     local kernel_2m_x_ept
     pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "

src/vulns/CVE-2018-3615.sh

@@ -1,8 +1,7 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###########################
+###############################
-# L1TF / FORESHADOW SECTION
+# CVE-2018-3615, Foreshadow (SGX), L1 Terminal Fault
 
-# CVE-2018-3615 Foreshadow (L1 terminal fault SGX) - entry point
 check_CVE_2018_3615() {
     local cve
     cve='CVE-2018-3615'

src/vulns/CVE-2018-3620.sh

@@ -1,10 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - entry point
+###############################
+# CVE-2018-3620, Foreshadow-NG (OS/SMM), L1 Terminal Fault
+
 check_CVE_2018_3620() {
     check_cve 'CVE-2018-3620'
 }
 
-# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - Linux mitigation check
 check_CVE_2018_3620_linux() {
     local status sys_interface_available msg pteinv_supported pteinv_active
     status=UNK
@@ -83,7 +84,6 @@ check_CVE_2018_3620_linux() {
     fi
 }
 
-# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - BSD mitigation check
 check_CVE_2018_3620_bsd() {
     local bsd_zero_reserved
     pr_info_nol "* Kernel reserved the memory page at physical address 0x0: "

src/vulns/CVE-2018-3639.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# VARIANT 4 SECTION
+# CVE-2018-3639, Variant 4, SSB, Speculative Store Bypass
 
-# CVE-2018-3639 Variant 4 (speculative store bypass) - entry point
 check_CVE_2018_3639() {
     check_cve 'CVE-2018-3639'
 }
 
-# CVE-2018-3639 Variant 4 (speculative store bypass) - Linux mitigation check
 check_CVE_2018_3639_linux() {
     local status sys_interface_available msg kernel_ssb kernel_ssbd_enabled mitigated_processes
     status=UNK
@@ -135,7 +133,6 @@ check_CVE_2018_3639_linux() {
     fi
 }
 
-# CVE-2018-3639 Variant 4 (speculative store bypass) - BSD mitigation check
 check_CVE_2018_3639_bsd() {
     local kernel_ssb ssb_enabled ssb_active
     pr_info_nol "* Kernel supports speculation store bypass: "

src/vulns/CVE-2018-3640.sh

@@ -1,8 +1,7 @@
 # vim: set ts=4 sw=4 sts=4 et:
-####################
+###############################
-# VARIANT 3A SECTION
+# CVE-2018-3640, Variant 3a, Rogue System Register Read
 
-# CVE-2018-3640 Variant 3a (rogue system register read) - entry point
 check_CVE_2018_3640() {
     local status sys_interface_available msg cve
     cve='CVE-2018-3640'

src/vulns/CVE-2018-3646.sh

@@ -1,10 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - entry point
+###############################
+# CVE-2018-3646, Foreshadow-NG (VMM), L1 Terminal Fault
+
 check_CVE_2018_3646() {
     check_cve 'CVE-2018-3646'
 }
 
-# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - Linux mitigation check
 check_CVE_2018_3646_linux() {
     local status sys_interface_available msg l1d_mode ept_disabled l1d_kernel l1d_kernel_err l1d_xen_hardware l1d_xen_hypervisor l1d_xen_pv_domU smt_enabled
     status=UNK
@@ -234,7 +235,6 @@ check_CVE_2018_3646_linux() {
     fi
 }
 
-# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - BSD mitigation check
 check_CVE_2018_3646_bsd() {
     local kernel_l1d_supported kernel_l1d_enabled
     pr_info_nol "* Kernel supports L1D flushing: "

src/vulns/CVE-2019-11091.sh

@@ -1,8 +1,7 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# MDSUM SECTION
+# CVE-2019-11091, MDSUM, RIDL, Microarchitectural Data Sampling Uncacheable Memory
 
-# CVE-2019-11091 MDSUM (microarchitectural data sampling uncacheable memory) - entry point
 check_CVE_2019_11091() {
     check_cve 'CVE-2019-11091' check_mds
 }

src/vulns/CVE-2019-11135.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# TAA SECTION
+# CVE-2019-11135, TAA, ZombieLoad V2, TSX Asynchronous Abort
 
-# CVE-2019-11135 TAA (TSX asynchronous abort) - entry point
 check_CVE_2019_11135() {
     check_cve 'CVE-2019-11135'
 }
 
-# CVE-2019-11135 TAA (TSX asynchronous abort) - Linux mitigation check
 check_CVE_2019_11135_linux() {
     local status sys_interface_available msg kernel_taa kernel_taa_err
     status=UNK
@@ -85,7 +83,6 @@ check_CVE_2019_11135_linux() {
     fi
 }
 
-# CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check
 check_CVE_2019_11135_bsd() {
     local taa_enable taa_state mds_disable kernel_taa kernel_mds
     pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): "

src/vulns/CVE-2020-0543.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
+###############################
-# SRBDS SECTION
+# CVE-2020-0543, SRBDS, CROSSTalk, Special Register Buffer Data Sampling
 
-# CVE-2020-0543 SRBDS (special register buffer data sampling) - entry point
 check_CVE_2020_0543() {
     check_cve 'CVE-2020-0543'
 }
 
-# CVE-2020-0543 SRBDS (special register buffer data sampling) - Linux mitigation check
 check_CVE_2020_0543_linux() {
     local status sys_interface_available msg kernel_srbds kernel_srbds_err
     status=UNK
@@ -104,7 +102,6 @@ check_CVE_2020_0543_linux() {
     fi
 }
 
-# CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
 # FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS
 check_CVE_2020_0543_bsd() {
     local rngds_enable rngds_state kernel_rngds

src/vulns/CVE-2022-40982.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-#########################
+###############################
-# Downfall section
+# CVE-2022-40982, Downfall, GDS, Gather Data Sampling
 
-# CVE-2022-40982 Downfall (gather data sampling) - entry point
 check_CVE_2022_40982() {
     check_cve 'CVE-2022-40982'
 }
 
-# CVE-2022-40982 Downfall (gather data sampling) - Linux mitigation check
 check_CVE_2022_40982_linux() {
     local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret
     status=UNK
@@ -102,13 +100,6 @@ check_CVE_2022_40982_linux() {
         # all messages start with either "Not affected", "Vulnerable", "Mitigation",
         # or "Unknown"
         status=$ret_sys_interface_check_status
-        # Override: when the kernel says "Unknown: Dependent on hypervisor status", it
-        # gave up because it's running as a VM guest and can't read MCU_OPT_CTRL.
-        # We can often do better: the hypervisor may have exposed GDS_NO or GDS_CTRL
-        # to us via ARCH_CAPABILITIES, so let our own Phase 2 checks take over.
-        if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
-            status=UNK
-        fi
     fi
 
     if [ "$opt_sysfs_only" != 1 ]; then
@@ -210,13 +201,6 @@ check_CVE_2022_40982_linux() {
                 pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
                 explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \
                     "Remove the kernel parameter to re-enable it."
-            elif [ "$sys_interface_available" = 1 ] &&
-                echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
-                # We're in a VM guest, the kernel gave up, and we couldn't read the
-                # GDS MSR bits either (cap_gds_ctrl != 1). We genuinely can't tell.
-                pvulnstatus "$cve" UNK "Running in a VM, mitigation depends on the hypervisor"
-                explain "This system is running as a virtual machine guest. GDS mitigation must be handled by\n " \
-                    "the host hypervisor. Contact your VM/cloud provider to verify that GDS is mitigated on the host."
             elif [ -z "$kernel_gds" ]; then
                 pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
                 explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \
@@ -236,7 +220,6 @@ check_CVE_2022_40982_linux() {
     fi
 }
 
-# CVE-2022-40982 Downfall (gather data sampling) - BSD mitigation check
 check_CVE_2022_40982_bsd() {
     if ! is_cpu_affected "$cve"; then
         pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"

src/vulns/CVE-2023-20569.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-#######################
+###############################
-# Inception section
+# CVE-2023-20569, Inception, SRSO, Return Address Security
 
-# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - entry point
 check_CVE_2023_20569() {
     check_cve 'CVE-2023-20569'
 }
 
-# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - Linux mitigation check
 check_CVE_2023_20569_linux() {
     local status sys_interface_available msg kernel_sro kernel_sro_err kernel_srso kernel_ibpb_entry smt_enabled
     status=UNK
@@ -206,7 +204,6 @@ check_CVE_2023_20569_linux() {
     fi
 }
 
-# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - BSD mitigation check
 check_CVE_2023_20569_bsd() {
     if ! is_cpu_affected "$cve"; then
         pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"

src/vulns/CVE-2023-20593.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-####################
+###############################
-# Zenbleed section
+# CVE-2023-20593, Zenbleed, Cross-Process Information Leak
 
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - entry point
 check_CVE_2023_20593() {
     check_cve 'CVE-2023-20593'
 }
 
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - Linux mitigation check
 check_CVE_2023_20593_linux() {
     local status sys_interface_available msg kernel_zenbleed kernel_zenbleed_err fp_backup_fix ucode_zenbleed zenbleed_print_vuln ret
     status=UNK
@@ -119,7 +117,6 @@ check_CVE_2023_20593_linux() {
     fi
 }
 
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
 check_CVE_2023_20593_bsd() {
     local zenbleed_enable zenbleed_state kernel_zenbleed
     pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "

src/vulns/CVE-2023-23583.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-#######################
+###############################
-# Reptar section
+# CVE-2023-23583, Reptar, Redundant Prefix Issue
 
-# CVE-2023-23583 Reptar (redundant prefix issue) - entry point
 check_CVE_2023_23583() {
     check_cve 'CVE-2023-23583'
 }
 
-# CVE-2023-23583 Reptar (redundant prefix issue) - Linux mitigation check
 check_CVE_2023_23583_linux() {
     local status sys_interface_available msg
     status=UNK
@@ -31,7 +29,6 @@ check_CVE_2023_23583_linux() {
     fi
 }
 
-# CVE-2023-23583 Reptar (redundant prefix issue) - BSD mitigation check
 check_CVE_2023_23583_bsd() {
     if ! is_cpu_affected "$cve"; then
         pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"

src/vulns/CVE-2024-36350.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-####################
+###############################
-# TSA-SQ section
+# CVE-2024-36350, TSA-SQ, Transient Scheduler Attack Store Queue
 
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - entry point
 check_CVE_2024_36350() {
     check_cve 'CVE-2024-36350'
 }
 
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - Linux mitigation check
 check_CVE_2024_36350_linux() {
     local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled
     status=UNK
@@ -167,7 +165,6 @@ check_CVE_2024_36350_linux() {
     fi
 }
 
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - BSD mitigation check
 check_CVE_2024_36350_bsd() {
     if ! is_cpu_affected "$cve"; then
         pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"

src/vulns/CVE-2024-36357.sh

@@ -1,13 +1,11 @@
 # vim: set ts=4 sw=4 sts=4 et:
-####################
+###############################
-# TSA-L1 section
+# CVE-2024-36357, TSA-L1, Transient Scheduler Attack L1
 
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - entry point
 check_CVE_2024_36357() {
     check_cve 'CVE-2024-36357'
 }
 
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
 check_CVE_2024_36357_linux() {
     local status sys_interface_available msg kernel_tsa kernel_tsa_err
     status=UNK
@@ -160,7 +158,6 @@ check_CVE_2024_36357_linux() {
     fi
 }
 
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - BSD mitigation check
 check_CVE_2024_36357_bsd() {
     if ! is_cpu_affected "$cve"; then
         pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"