fix: remove useless checks under ARM for CVE-2023-28746

2026-04-11 11:13:21 +02:00 · 2026-04-10 19:50:15 +02:00
parent e67c9e4265
commit 48454a5344
2 changed files with 43 additions and 38 deletions
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -105,8 +105,8 @@ The entire tool is a single bash script with no external script dependencies. Ke

 - **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` - verbosity-aware output with color support
 - **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` - hardware identification via CPUID/MSR registers
- **Kernel architecture detection** (`src/libs/365_kernel_arch.sh`): `is_arm_kernel`/`is_x86_kernel` - detects the target kernel's architecture (not the host CPU) using kernel artifacts (System.map symbols, kconfig, kernel image), with `cpu_vendor` as a fast path for live mode. Results are cached in `g_kernel_arch`. Use these helpers to guard arch-specific kernel/kconfig/System.map checks and to select the appropriate verdict messages
- **CPU architecture detection** (`src/libs/360_cpu_smt.sh`): `is_x86_cpu`/`is_arm_cpu` - detects the host CPU's architecture via `cpu_vendor`. Use these to gate hardware operations (CPUID, MSR, microcode). Always use positive logic: `if is_x86_cpu` (not `if ! is_arm_cpu`)
+- **Kernel architecture detection** (`src/libs/365_kernel_arch.sh`): `is_arm_kernel`/`is_x86_kernel` - detects the **target kernel's** architecture (not the host CPU) using kernel artifacts (System.map symbols, kconfig, kernel image), with `cpu_vendor` as a fast path for live mode. Results are cached in `g_kernel_arch`. Use these helpers to guard arch-specific kernel/kconfig/System.map checks and to select the appropriate verdict messages. In no-hw mode, the target kernel may differ from the host CPU architecture.
+- **CPU architecture detection** (`src/libs/360_cpu_smt.sh`): `is_x86_cpu`/`is_arm_cpu` - detects the **host CPU's** architecture via `cpu_vendor`. Use these to gate hardware operations (CPUID, MSR, microcode) that require the physical CPU to be present. Always use positive logic: `if is_x86_cpu` (not `if ! is_arm_cpu`). These two sets of helpers are independent — a vuln check may need both, each guarding different lines.
 - **Microcode database** (embedded): Intel/AMD microcode version lookup via `read_mcedb`/`read_inteldb`; updated automatically via `.github/workflows/autoupdate.yml`
 - **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` - extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression)
 - **Vulnerability checks**: 19 `check_CVE_<year>_<number>()` functions, each with `_linux()` and `_bsd()` variants. Uses whitelist logic (assumes affected unless proven otherwise)
@@ -396,9 +396,10 @@ This is where the real detection lives. Check for mitigations at each layer:

  Use **positive logic** — always `if is_x86_kernel` (not `if ! is_arm_kernel`) and `if is_x86_cpu` (not `if ! is_arm_cpu`). This ensures unknown architectures (MIPS, RISC-V, PowerPC) are handled safely by defaulting to "skip" rather than "execute."

-  Two sets of helpers serve different purposes:
-  - **`is_x86_kernel`/`is_arm_kernel`**: Gate kernel artifact checks (kernel image strings, kconfig, System.map).
-  - **`is_x86_cpu`/`is_arm_cpu`**: Gate hardware operations (CPUID, MSR, `/proc/cpuinfo` flags).
+  Two sets of helpers serve different purposes — in no-hw mode the host CPU and the kernel being inspected can be different architectures, so the correct guard depends on what is being checked:
+  - **`is_x86_kernel`/`is_arm_kernel`**: Gate checks that inspect **kernel artifacts** (kernel image strings, kconfig, System.map). These detect the architecture of the target kernel, not the host, so they work correctly in offline/no-hw mode when analyzing a foreign kernel.
+  - **`is_x86_cpu`/`is_arm_cpu`**: Gate **hardware operations** that require the host CPU to be a given architecture (CPUID, MSR reads, `/proc/cpuinfo` flags, microcode version checks). These always reflect the running host CPU.
+  - Within a single vuln check, you may need **both** guards independently — e.g. `is_x86_cpu` for the microcode/MSR check and `is_x86_kernel` for the kernel image grep, not one wrapping the other.

  Example:
  ```sh
--- a/src/vulns/CVE-2023-28746.sh
+++ b/src/vulns/CVE-2023-28746.sh
@@ -69,6 +69,7 @@ check_CVE_2023_28746_linux() {
    fi

    if [ "$opt_sysfs_only" != 1 ]; then
+        if is_x86_cpu; then
            pr_info_nol "* CPU microcode mitigates the vulnerability: "
            if [ "$cap_rfds_clear" = 1 ]; then
                pstatus green YES "RFDS_CLEAR capability indicated by microcode"
@@ -77,23 +78,25 @@ check_CVE_2023_28746_linux() {
            else
                pstatus yellow UNKNOWN "couldn't read MSR"
            fi
+        fi

+        if is_x86_kernel; then
            pr_info_nol "* Kernel supports RFDS mitigation (VERW on transitions): "
            kernel_rfds=''
            kernel_rfds_err=''
            if [ -n "$g_kernel_err" ]; then
                kernel_rfds_err="$g_kernel_err"
-        elif is_x86_kernel && grep -q 'Clear Register File' "$g_kernel"; then
+            elif grep -q 'Clear Register File' "$g_kernel"; then
                kernel_rfds="found 'Clear Register File' string in kernel image"
-        elif is_x86_kernel && grep -q 'reg_file_data_sampling' "$g_kernel"; then
+            elif grep -q 'reg_file_data_sampling' "$g_kernel"; then
                kernel_rfds="found reg_file_data_sampling in kernel image"
            fi
-        if [ -z "$kernel_rfds" ] && is_x86_kernel && [ -r "$opt_config" ]; then
+            if [ -z "$kernel_rfds" ] && [ -r "$opt_config" ]; then
                if grep -q '^CONFIG_MITIGATION_RFDS=y' "$opt_config"; then
                    kernel_rfds="RFDS mitigation config option found enabled in kernel config"
                fi
            fi
-        if [ -z "$kernel_rfds" ] && is_x86_kernel && [ -n "$opt_map" ]; then
+            if [ -z "$kernel_rfds" ] && [ -n "$opt_map" ]; then
                if grep -q 'rfds_select_mitigation' "$opt_map"; then
                    kernel_rfds="found rfds_select_mitigation in System.map"
                fi
@@ -105,8 +108,9 @@ check_CVE_2023_28746_linux() {
            else
                pstatus yellow NO
            fi
+        fi

-        if [ "$g_mode" = live ] && [ "$sys_interface_available" = 1 ]; then
+        if is_x86_cpu && [ "$g_mode" = live ] && [ "$sys_interface_available" = 1 ]; then
            pr_info_nol "* RFDS mitigation is enabled and active: "
            if echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Mitigation'; then
                rfds_mitigated=1