From 3f7e0a11f79ee00c03cfcfcb9f778fe93f39ed2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Wed, 8 Apr 2026 20:52:22 +0200
Subject: [PATCH] enh: CVE-2018-3640 (Spectre 3a): enhance ARM mitigation detection
---
src/vulns/CVE-2018-3640.sh | 74 ++++++++++++++++++++++++++++++--------
1 file changed, 59 insertions(+), 15 deletions(-)
diff --git a/src/vulns/CVE-2018-3640.sh b/src/vulns/CVE-2018-3640.sh
index 42a23e4..72064e7 100644
--- a/src/vulns/CVE-2018-3640.sh
+++ b/src/vulns/CVE-2018-3640.sh
@@ -3,7 +3,7 @@
 # CVE-2018-3640, Variant 3a, Rogue System Register Read
 check_CVE_2018_3640() {
- local status sys_interface_available msg cve
+ local status sys_interface_available msg cve is_arm64_kernel arm_v3a_mitigation
 cve='CVE-2018-3640'
 pr_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
@@ -11,22 +11,66 @@ check_CVE_2018_3640() {
 sys_interface_available=0
 msg=''
- pr_info_nol "* CPU microcode mitigates the vulnerability: "
- if [ -n "$cap_ssbd" ]; then
- # microcodes that ship with SSBD are known to also fix affected_variant3a
- # there is no specific cpuid bit as far as we know
- pstatus green YES
- else
- pstatus yellow NO
+ # Detect whether the target kernel is ARM64, for both live and offline modes.
+ # In offline cross-inspection (x86 host, ARM kernel), cpu_vendor reflects the host,
+ # so also check for arm64_sys_ symbols (same pattern used in CVE-2018-3639).
+ is_arm64_kernel=0
+ if [ "$cpu_vendor" = ARM ] || [ "$cpu_vendor" = CAVIUM ] || [ "$cpu_vendor" = PHYTIUM ]; then
+ is_arm64_kernel=1
+ elif [ -n "$opt_map" ] && grep -q 'arm64_sys_' "$opt_map" 2>/dev/null; then
+ is_arm64_kernel=1
+ elif [ -n "$g_kernel" ] && grep -q 'arm64_sys_' "$g_kernel" 2>/dev/null; then
+ is_arm64_kernel=1
+ elif [ -n "$opt_config" ] && grep -qw 'CONFIG_ARM64=y' "$opt_config" 2>/dev/null; then
+ is_arm64_kernel=1
 fi
- if ! is_cpu_affected "$cve"; then
- # override status & msg in case CPU is not vulnerable after all
- pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
- elif [ -n "$cap_ssbd" ]; then
- pvulnstatus "$cve" OK "your CPU microcode mitigates the vulnerability"
+ if [ "$is_arm64_kernel" = 1 ]; then
+ # ARM64: mitigation is via an EL2 indirect trampoline (spectre_v3a_enable_mitigation),
+ # applied automatically at boot for affected CPUs (Cortex-A57, Cortex-A72).
+ # No microcode update is involved.
+ arm_v3a_mitigation=''
+ if [ -n "$opt_map" ] && grep -qw spectre_v3a_enable_mitigation "$opt_map" 2>/dev/null; then
+ arm_v3a_mitigation="found spectre_v3a_enable_mitigation in System.map"
+ fi
+ if [ -z "$arm_v3a_mitigation" ] && [ -n "$g_kernel" ]; then
+ if "${opt_arch_prefix}strings" "$g_kernel" 2>/dev/null | grep -qw spectre_v3a_enable_mitigation; then
+ arm_v3a_mitigation="found spectre_v3a_enable_mitigation in kernel image"
+ fi
+ fi
+
+ pr_info_nol "* Kernel mitigates the vulnerability via EL2 hardening: "
+ if [ -n "$arm_v3a_mitigation" ]; then
+ pstatus green YES "$arm_v3a_mitigation"
+ else
+ pstatus yellow NO
+ fi
+
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -n "$arm_v3a_mitigation" ]; then
+ pvulnstatus "$cve" OK "your kernel mitigates the vulnerability via EL2 vector hardening"
+ else
+ pvulnstatus "$cve" VULN "your kernel does not include the EL2 vector hardening mitigation"
+ explain "ARM64 Spectre v3a mitigation is provided by the kernel using an indirect trampoline for EL2 (hypervisor) vectors (spectre_v3a_enable_mitigation). Ensure you are running a recent kernel. If you're using a distro kernel, upgrading your distro should provide a kernel with this mitigation included."
+ fi
 else
- pvulnstatus "$cve" VULN "an up-to-date CPU microcode is needed to mitigate this vulnerability"
- explain "The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).
The microcode update is enough, there is no additional OS, kernel or software change needed."
+ # x86: microcodes that ship with SSBD are known to also fix variant 3a;
+ # there is no specific CPUID bit for variant 3a as far as we know.
+ pr_info_nol "* CPU microcode mitigates the vulnerability: "
+ if [ -n "$cap_ssbd" ]; then
+ pstatus green YES
+ else
+ pstatus yellow NO
+ fi
+
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -n "$cap_ssbd" ]; then
+ pvulnstatus "$cve" OK "your CPU microcode mitigates the vulnerability"
+ else
+ pvulnstatus "$cve" VULN "an up-to-date CPU microcode is needed to mitigate this vulnerability"
+ explain "The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed."
+ fi
 fi
 }
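Review bot: In the ARM64 branch the fall-through verdict `pvulnstatus "$cve" VULN "your kernel does not include the EL2 vector hardening mitigation"` is also reached when nothing could be inspected — `$opt_map` and `$g_kernel` both empty — and when `"${opt_arch_prefix}strings"` is not installed, since its failure is hidden by `2>/dev/null` and the pipeline simply matches nothing, so absence of evidence is reported as a confirmed vulnerability. Before the final `else`, add a branch such as `elif [ -z "$opt_map" ] && [ -z "$g_kernel" ]; then` / `pvulnstatus "$cve" UNK "could not inspect a System.map or kernel image to check for the EL2 vector hardening mitigation"` (assuming pvulnstatus accepts the project's UNK verdict), and gate the strings probe on `command -v "${opt_arch_prefix}strings" >/dev/null` so a missing tool also yields an unknown rather than a VULN verdict. The `is_arm64_kernel` detection has a related asymmetry: `grep -q 'arm64_sys_' "$g_kernel"` reads the raw image while the mitigation probe goes through strings, so if g_kernel can be a compressed image the first probe may miss and the kernel would silently be evaluated by the x86 microcode path — worth routing both probes through the same extracted-image path. The enclosing function check_CVE_2018_3640 opens before this hunk.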