From 43c515ac74b409f89c43cccc65772665567b9c3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Wed, 1 Apr 2026 21:34:12 +0200
Subject: [PATCH] enh: CVE-2017-5715 (spectre v2): make vuln assessment cap_bhi-aware
---
 src/vulns/CVE-2017-5715.sh | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/vulns/CVE-2017-5715.sh b/src/vulns/CVE-2017-5715.sh
index c76e792..e3add2d 100644
--- a/src/vulns/CVE-2017-5715.sh
+++ b/src/vulns/CVE-2017-5715.sh
@@ -788,7 +788,11 @@ check_CVE_2017_5715_linux() {
 esac
 elif [ "$opt_live" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
 if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then
- v2_bhi_status=sw-loop
+ if [ "$cap_bhi" = 1 ]; then
+ v2_bhi_status=bhi_dis_s
+ else
+ v2_bhi_status=sw-loop
+ fi
 else
 v2_bhi_status=unknown
 fi
@@ -859,8 +863,13 @@ check_CVE_2017_5715_linux() {
 if [ "$v2_bhi_status" = "vulnerable" ]; then
 _v2_ok=0
 _v2_add_caveat "BHI vulnerable"
- elif [ "$v2_bhi_status" = "unknown" ] && is_intel && [ "$cap_rrsba" != 0 ]; then
- _v2_add_caveat "BHI status unknown (kernel may lack BHI mitigation)"
+ elif [ "$v2_bhi_status" = "unknown" ] && is_intel; then
+ if [ "$cap_bhi" = 0 ]; then
+ _v2_ok=0
+ _v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, no kernel mitigation detected)"
+ elif [ "$cap_rrsba" != 0 ]; then
+ _v2_add_caveat "BHI status unknown (kernel may lack BHI mitigation)"
+ fi
 fi
 # PBRSB check (only matters for VMM hosts)
@@ -946,6 +955,9 @@ check_CVE_2017_5715_linux() {
 if [ "$v2_bhi_status" = "vulnerable" ]; then
 _v2_ok=0
 _v2_add_caveat "BHI vulnerable"
+ elif [ "$v2_bhi_status" = "unknown" ] && is_intel && [ "$cap_bhi" = 0 ]; then
+ _v2_ok=0
+ _v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, no kernel mitigation detected)"
 fi
 # Vulnerable module check
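Review bot: The new `[ "$cap_bhi" = 1 ]` test in the hunk at `@@ -788,7` sits in the `opt_live != 1` branch, so `bhi_dis_s` is derived from a kernel config file plus a hardware capability flag, and nothing in the hunk shows that both describe the same machine. If `cap_bhi` is read from the CPU running the script (its assignment is outside the hunk), analysing another host's config on a BHI_DIS_S-capable machine would report a hardware mitigation the target may not have. A config symbol also only shows the mitigation was compiled in, not that it is active at runtime, so `bhi_dis_s` here is an expectation rather than an observation. I would add a comment above the test such as `# offline: cap_bhi is the local CPU's capability; this is what the kernel would be expected to select, not an observed state`. check_CVE_2017_5715_linux starts and ends outside the hunk.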
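Review bot: The added `[ "$cap_bhi" = 0 ]` branch in the hunk at `@@ -859,8` sets `_v2_ok=0` while `v2_bhi_status` is still `unknown`, which turns "could not determine" into a definite "BHI vulnerable" verdict. In the visible config path `unknown` means the symbol was absent, but if the variable can also remain `unknown` because no live reading and no readable config was available (the other assignments are outside the hunks), the caveat text "no kernel mitigation detected" overstates what was checked. Consider escalating only when kernel evidence was actually read, and otherwise keeping it a caveat worded like `_v2_add_caveat "BHI status unknown (no BHI_DIS_S hardware support)"`. The same escalation is repeated in the hunks at `@@ -946,6` and `@@ -999,8`, so the condition and message would be easier to keep consistent in one small helper.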
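Review bot: The branch in the hunk at `@@ -946,6` now fails the assessment when `cap_bhi` is 0 but still emits nothing when `v2_bhi_status` is `unknown` and `cap_bhi` is anything else, whereas the hunks at `@@ -859,8` and `@@ -999,8` fall back to a "BHI status unknown" caveat gated on `cap_rrsba`. If that silence is intentional for this mitigation mode (the enclosing branch is outside the hunk), a one-line comment such as `# BHI is only reported here when BHI_DIS_S is known to be absent` would keep the three sites from looking like an oversight. Otherwise the same `cap_rrsba` fallback caveat should be added here.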
@@ -999,8 +1011,13 @@ check_CVE_2017_5715_linux() {
 if [ "$v2_bhi_status" = "vulnerable" ]; then
 _v2_ok=0
 _v2_add_caveat "BHI vulnerable"
- elif [ "$v2_bhi_status" = "unknown" ] && is_intel && [ "$cap_rrsba" = 1 ]; then
- _v2_add_caveat "BHI status unknown with RRSBA"
+ elif [ "$v2_bhi_status" = "unknown" ] && is_intel; then
+ if [ "$cap_bhi" = 0 ] && [ "$cap_rrsba" = 1 ]; then
+ _v2_ok=0
+ _v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, RRSBA bypasses retpoline)"
+ elif [ "$cap_rrsba" = 1 ]; then
+ _v2_add_caveat "BHI status unknown with RRSBA"
+ fi
 fi
 # Vulnerable module