peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-03 13:47:08 +02:00
Code Issues Projects Releases Wiki Activity

feat: implement Retbleed (CVE-2022-29900 CVE-2022-29901) mitigation detection

Browse Source
This commit is contained in:
Stéphane Lesimple
2026-04-02 22:12:56 +02:00
parent d644941a76
commit 4f6dbb36c8
6 changed files with 458 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/expected_cve_count vendored
View File

@@ -1 +1 @@
21 23

12
dist/README.md vendored
View File

@@ -22,6 +22,8 @@ CVE | Name | Aliases
[CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX Asynchronous Abort | TAA, ZombieLoad V2 [CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX Asynchronous Abort | TAA, ZombieLoad V2
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS, CROSSTalk [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS, CROSSTalk
[CVE-2022-29900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (AMD)
[CVE-2022-29901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (Intel), RSBA
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | Downfall, GDS [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | Downfall, GDS
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, SRSO [CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, SRSO
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
@@ -51,6 +53,8 @@ CVE-2019-11091 (MDSUM, RIDL) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + k
CVE-2019-11135 (TAA, ZombieLoad V2) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update CVE-2019-11135 (TAA, ZombieLoad V2) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
CVE-2018-12207 (iTLB Multihit, No eXcuses) | ✅ | ✅ | ☠️ | ✅ | Hypervisor update (or disable hugepages) CVE-2018-12207 (iTLB Multihit, No eXcuses) | ✅ | ✅ | ☠️ | ✅ | Hypervisor update (or disable hugepages)
CVE-2020-0543 (SRBDS, CROSSTalk) | 💥 (2) | 💥 (2) | 💥 (2) | 💥 (2) | Microcode + kernel update CVE-2020-0543 (SRBDS, CROSSTalk) | 💥 (2) | 💥 (2) | 💥 (2) | 💥 (2) | Microcode + kernel update
CVE-2022-29900 (Retbleed AMD) | 💥 | ✅ | 💥 | ✅ | Kernel update (+ microcode for IBPB)
CVE-2022-29901 (Retbleed Intel, RSBA) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update (eIBRS or IBRS)
CVE-2022-40982 (Downfall, GDS) | 💥 | 💥 | 💥 | 💥 | Microcode update (or disable AVX) CVE-2022-40982 (Downfall, GDS) | 💥 | 💥 | 💥 | 💥 | Microcode update (or disable AVX)
CVE-2023-20569 (Inception, SRSO) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update CVE-2023-20569 (Inception, SRSO) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update
CVE-2023-20593 (Zenbleed) | 💥 | 💥 | 💥 | 💥 | Microcode update (or kernel workaround) CVE-2023-20593 (Zenbleed) | 💥 | 💥 | 💥 | 💥 | Microcode update (or kernel workaround)
@@ -129,6 +133,14 @@ A malicious guest VM can trigger a machine check exception (MCE) — crashing th
Certain special CPU instructions (RDRAND, RDSEED, EGETKEY) read data through a shared staging buffer that is accessible across all cores via speculative execution. An attacker running code on any core can observe the output of these instructions from a victim on a different core, including extracting cryptographic keys from SGX enclaves (a complete ECDSA key was demonstrated). This is notable as one of the first cross-core speculative execution attacks. Mitigation requires a microcode update that serializes access to the staging buffer, plus a kernel update to manage the mitigation. Performance impact is low, mainly affecting workloads that heavily use RDRAND/RDSEED. Certain special CPU instructions (RDRAND, RDSEED, EGETKEY) read data through a shared staging buffer that is accessible across all cores via speculative execution. An attacker running code on any core can observe the output of these instructions from a victim on a different core, including extracting cryptographic keys from SGX enclaves (a complete ECDSA key was demonstrated). This is notable as one of the first cross-core speculative execution attacks. Mitigation requires a microcode update that serializes access to the staging buffer, plus a kernel update to manage the mitigation. Performance impact is low, mainly affecting workloads that heavily use RDRAND/RDSEED.
**CVE-2022-29900 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed AMD)**
On AMD processors from families 0x15 through 0x17 (Bulldozer through Zen 2) and Hygon family 0x18, an attacker can exploit return instructions to redirect speculative execution and leak kernel memory, bypassing retpoline mitigations that were effective against Spectre V2. Unlike Spectre V2 which targets indirect jumps and calls, Retbleed specifically targets return instructions, which were previously considered safe. Mitigation requires a kernel update providing either the untrained return thunk (safe RET) or IBPB-on-entry mechanism, plus a microcode update providing IBPB support on Zen 1/2. On Zen 1/2, SMT should be disabled for full protection when using IBPB-based mitigation. Performance impact is medium.
**CVE-2022-29901 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed Intel, RSBA)**
On Intel Skylake through Rocket Lake processors with RSB Alternate Behavior (RSBA), return instructions can be speculatively redirected via the Branch Target Buffer when the Return Stack Buffer underflows, bypassing retpoline mitigations. Mitigation requires either Enhanced IBRS (eIBRS, via microcode update) or a kernel compiled with IBRS-on-entry support (Linux 5.19+). Call depth tracking (stuffing) is an alternative mitigation available from Linux 6.2+. Plain retpoline does NOT mitigate this vulnerability on RSBA-capable CPUs. Performance impact is medium to high.
**CVE-2022-40982 — Gather Data Sampling (GDS, Downfall)** **CVE-2022-40982 — Gather Data Sampling (GDS, Downfall)**
The AVX GATHER instructions can leak data from previously used vector registers across privilege boundaries through the shared gather data buffer. This affects any software using AVX2 or AVX-512 on vulnerable Intel processors. Mitigation is provided by a microcode update that clears the gather buffer, or alternatively by disabling the AVX feature entirely. Performance impact is negligible for most workloads but can be significant (up to 50%) for AVX-heavy applications such as HPC and AI inference. The AVX GATHER instructions can leak data from previously used vector registers across privilege boundaries through the shared gather data buffer. This affects any software using AVX2 or AVX-512 on vulnerable Intel processors. Mitigation is provided by a microcode update that clears the gather buffer, or alternatively by disabling the AVX feature entirely. Performance impact is negligible for most workloads but can be significant (up to 50%) for AVX-heavy applications such as HPC and AI inference.

2
src/libs/002_core_globals.sh
View File

@@ -155,6 +155,8 @@ CVE-2018-12207|ITLBMH|itlbmh|No eXcuses, iTLB Multihit, machine check exception
CVE-2020-0543|SRBDS|srbds|Special Register Buffer Data Sampling (SRBDS) CVE-2020-0543|SRBDS|srbds|Special Register Buffer Data Sampling (SRBDS)
CVE-2023-20593|ZENBLEED|zenbleed|Zenbleed, cross-process information leak CVE-2023-20593|ZENBLEED|zenbleed|Zenbleed, cross-process information leak
CVE-2022-40982|DOWNFALL|downfall|Downfall, gather data sampling (GDS) CVE-2022-40982|DOWNFALL|downfall|Downfall, gather data sampling (GDS)
CVE-2022-29900|RETBLEED AMD|retbleed|Retbleed, arbitrary speculative code execution with return instructions (AMD)
CVE-2022-29901|RETBLEED INTEL|retbleed|Retbleed, arbitrary speculative code execution with return instructions (Intel)
CVE-2023-20569|INCEPTION|inception|Inception, return address security (RAS) CVE-2023-20569|INCEPTION|inception|Inception, return address security (RAS)
CVE-2023-23583|REPTAR|reptar|Reptar, redundant prefix issue CVE-2023-23583|REPTAR|reptar|Reptar, redundant prefix issue
CVE-2024-36350|TSA_SQ|tsa|Transient Scheduler Attack - Store Queue (TSA-SQ) CVE-2024-36350|TSA_SQ|tsa|Transient Scheduler Attack - Store Queue (TSA-SQ)

36
src/libs/200_cpu_affected.sh
View File

@@ -104,6 +104,8 @@ is_cpu_affected() {
_set_immune inception _set_immune inception
# TSA is AMD specific (Zen 3/4), look for "is_amd" below: # TSA is AMD specific (Zen 3/4), look for "is_amd" below:
_set_immune tsa _set_immune tsa
# Retbleed: AMD (CVE-2022-29900) and Intel (CVE-2022-29901) specific:
_set_immune retbleed
# Downfall & Reptar are Intel specific, look for "is_intel" below: # Downfall & Reptar are Intel specific, look for "is_intel" below:
_set_immune downfall _set_immune downfall
_set_immune reptar _set_immune reptar
@@ -203,7 +205,7 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_NP" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_NP" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
@@ -314,6 +316,27 @@ is_cpu_affected() {
fi fi
done done
# Retbleed (Intel, CVE-2022-29901): Skylake through Rocket Lake, or any CPU with RSBA
# kernel cpu_vuln_blacklist for RETBLEED (6b80b59b3555, 6ad0ad2bf8a6, f54d45372c6a)
# plus ARCH_CAP_RSBA catch-all (bit 2 of IA32_ARCH_CAPABILITIES)
if [ "$cap_rsba" = 1 ]; then
_set_vuln retbleed
elif [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_CANNONLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] ||
[ "$cpu_model" = "$INTEL_FAM6_LAKEFIELD" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then
_set_vuln retbleed
fi
fi
elif is_amd || is_hygon; then elif is_amd || is_hygon; then
# AMD revised their statement about affected_variant2 => affected # AMD revised their statement about affected_variant2 => affected
# https://www.amd.com/en/corporate/speculative-execution # https://www.amd.com/en/corporate/speculative-execution
@@ -350,6 +373,11 @@ is_cpu_affected() {
_set_vuln tsa _set_vuln tsa
fi fi
# Retbleed (AMD, CVE-2022-29900): families 0x15-0x17 (kernel X86_BUG_RETBLEED)
if [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ] || [ "$cpu_family" = $((0x17)) ]; then
_set_vuln retbleed
fi
elif [ "$cpu_vendor" = CAVIUM ]; then elif [ "$cpu_vendor" = CAVIUM ]; then
_set_immune variant3 _set_immune variant3
_set_immune variant3a _set_immune variant3a
@@ -473,7 +501,7 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] ||
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
@@ -492,12 +520,12 @@ is_cpu_affected() {
_infer_immune itlbmh _infer_immune itlbmh
fi fi
# shellcheck disable=SC2154 # affected_zenbleed/inception/tsa/downfall/reptar set via eval (_set_immune) # shellcheck disable=SC2154 # affected_zenbleed/inception/retbleed/tsa/downfall/reptar set via eval (_set_immune)
{ {
pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a" pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a"
pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds" pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds"
pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds" pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds"
pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar" pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception retbleed=$affected_retbleed tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar"
} }
affected_variantl1tf_sgx="$affected_variantl1tf" affected_variantl1tf_sgx="$affected_variantl1tf"
# even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow

254
src/vulns/CVE-2022-29900.sh Normal file
View File

@@ -0,0 +1,254 @@
# vim: set ts=4 sw=4 sts=4 et:
###############################
# CVE-2022-29900, Retbleed (AMD), Arbitrary Speculative Code Execution with Return Instructions
check_CVE_2022_29900() {
check_cve 'CVE-2022-29900'
}
check_CVE_2022_29900_linux() {
local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_unret kernel_ibpb_entry smt_enabled
status=UNK
sys_interface_available=0
msg=''
#
# Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901)
#
# --- sysfs messages ---
# all versions:
# "Not affected" (cpu_show_common, pre-existing)
#
# --- mainline ---
# 6b80b59b3555 (v5.19-rc7, initial retbleed sysfs):
# "Vulnerable\n" (hardcoded, no enum yet)
# 7fbf47c7ce50 (v5.19-rc7, retbleed= boot parameter):
# "Vulnerable" (RETBLEED_MITIGATION_NONE)
# "Mitigation: untrained return thunk" (RETBLEED_MITIGATION_UNRET)
# "Vulnerable: untrained return thunk on non-Zen uarch" (UNRET on non-AMD/Hygon)
# 6ad0ad2bf8a6 (v5.19-rc7, Intel mitigations):
# "Mitigation: IBRS" (RETBLEED_MITIGATION_IBRS)
# "Mitigation: Enhanced IBRS" (RETBLEED_MITIGATION_EIBRS)
# 3ebc17006888 (v5.19-rc7, retbleed=ibpb):
# "Mitigation: IBPB" (RETBLEED_MITIGATION_IBPB)
# e8ec1b6e08a2 (v5.19-rc7, STIBP for JMP2RET):
# UNRET now appends SMT status:
# "Mitigation: untrained return thunk; SMT disabled"
# "Mitigation: untrained return thunk; SMT enabled with STIBP protection"
# "Mitigation: untrained return thunk; SMT vulnerable"
# e6cfcdda8cbe (v6.0-rc1, STIBP for IBPB):
# IBPB now appends SMT status, non-AMD message changed:
# "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch"
# "Mitigation: IBPB; SMT disabled"
# "Mitigation: IBPB; SMT enabled with STIBP protection"
# "Mitigation: IBPB; SMT vulnerable"
# d82a0345cf21 (v6.2-rc1, call depth tracking):
# "Mitigation: Stuffing" (RETBLEED_MITIGATION_STUFF)
# e3b78a7ad5ea (v6.16-rc1, restructure):
# added RETBLEED_MITIGATION_AUTO (internal, resolved before display)
# no new sysfs strings
#
# all messages start with either "Not affected", "Vulnerable", or "Mitigation"
#
# --- stable backports ---
# 4.14.y, 4.19.y, 5.4.y: Intel-only mitigations (IBRS, eIBRS); no UNRET, IBPB, STUFF;
# no SMT status display; simplified retbleed_show_state().
# 5.10.y, 5.15.y, 6.1.y: full mitigations (NONE, UNRET, IBPB, IBRS, EIBRS);
# SMT status appended for UNRET/IBPB; no STUFF.
# 6.6.y, 6.12.y: adds STUFF (call depth tracking). 6.12.y uses INTEL_ model prefix.
# all stable: single retbleed_select_mitigation() (no update/apply split).
#
# --- RHEL/CentOS ---
# centos7 (~4.18): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF; SMT status for UNRET;
# no Hygon check; no UNRET_ENTRY/IBPB_ENTRY/IBRS_ENTRY Kconfig symbols;
# unique cpu_in_retbleed_whitelist() function for Intel.
# rocky8 (~4.18/5.14): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF;
# CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY, CONFIG_CPU_IBRS_ENTRY (old names).
# rocky9 (~6.x): same as mainline; CONFIG_MITIGATION_* names; has STUFF.
# rocky10 (~6.12+): same as mainline; has select/update/apply split.
#
# --- Kconfig symbols ---
# f43b9876e857 (v5.19-rc7): CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY,
# CONFIG_CPU_IBRS_ENTRY
# 80e4c1cd42ff (v6.2-rc1): CONFIG_CALL_DEPTH_TRACKING
# ac61d43983a4 (v6.9-rc1): renamed to CONFIG_MITIGATION_UNRET_ENTRY,
# CONFIG_MITIGATION_IBPB_ENTRY, CONFIG_MITIGATION_IBRS_ENTRY,
# CONFIG_MITIGATION_CALL_DEPTH_TRACKING
# 894e28857c11 (v6.12-rc1): CONFIG_MITIGATION_RETBLEED (master switch)
#
# --- kernel functions (for $opt_map / System.map) ---
# 7fbf47c7ce50 (v5.19-rc7): retbleed_select_mitigation()
# e3b78a7ad5ea (v6.16-rc1): split into retbleed_select_mitigation() +
# retbleed_update_mitigation() + retbleed_apply_mitigation()
# vendor kernels: centos7/rocky8/rocky9 have retbleed_select_mitigation() only;
# rocky10 has the full split.
#
# --- CPU affection logic (for is_cpu_affected) ---
# X86_BUG_RETBLEED is set when X86_FEATURE_BTC_NO is NOT set AND either:
# (a) CPU matches cpu_vuln_blacklist[] RETBLEED entries, OR
# (b) ARCH_CAP_RSBA is set in IA32_ARCH_CAPABILITIES MSR
# 6b80b59b3555 (v5.19-rc7, initial AMD):
# AMD: family 0x15, 0x16, 0x17; Hygon: family 0x18
# 6ad0ad2bf8a6 (v5.19-rc7, Intel):
# Intel: SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE,
# ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE
# + any Intel with ARCH_CAP_RSBA set
# 26aae8ccbc19 (v5.19-rc7, BTC_NO):
# AMD Zen 3+ with BTC_NO are excluded
# f54d45372c6a (post-v5.19, Cannon Lake):
# Intel: + CANNONLAKE_L
# immunity: X86_FEATURE_BTC_NO (AMD) — Zen 3+ declare not affected
# vendor scope: AMD (0x15-0x17), Hygon (0x18), Intel (Skylake through Rocket Lake + RSBA)
#
if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports mitigation: "
if [ -n "$g_kernel_err" ]; then
kernel_retbleed_err="$g_kernel_err"
elif grep -q 'retbleed' "$g_kernel"; then
kernel_retbleed="found retbleed mitigation logic in kernel image"
fi
if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then
if grep -q 'retbleed_select_mitigation' "$opt_map"; then
kernel_retbleed="found retbleed_select_mitigation in System.map"
fi
fi
if [ -n "$kernel_retbleed" ]; then
pstatus green YES "$kernel_retbleed"
elif [ -n "$kernel_retbleed_err" ]; then
pstatus yellow UNKNOWN "$kernel_retbleed_err"
else
pstatus yellow NO
fi
pr_info_nol "* Kernel compiled with UNRET_ENTRY support (untrained return thunk): "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_UNRET_ENTRY: Linux < 6.9
# CONFIG_MITIGATION_UNRET_ENTRY: Linux >= 6.9
if grep -Eq '^CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y' "$opt_config"; then
pstatus green YES
kernel_unret="CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y found in kernel config"
else
pstatus yellow NO
fi
else
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif [ -n "$kernel_retbleed" ]; then
# if the kernel has retbleed logic, assume UNRET_ENTRY is likely compiled in
# (we can't tell for certain without the config)
kernel_unret="retbleed mitigation logic present in kernel (UNRET_ENTRY status unknown)"
pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify"
else
pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic"
fi
fi
pr_info_nol "* Kernel compiled with IBPB_ENTRY support: "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_IBPB_ENTRY: Linux < 6.9
# CONFIG_MITIGATION_IBPB_ENTRY: Linux >= 6.9
if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y' "$opt_config"; then
pstatus green YES
kernel_ibpb_entry="CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y found in kernel config"
else
pstatus yellow NO
fi
else
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif [ -n "$kernel_retbleed" ]; then
kernel_ibpb_entry="retbleed mitigation logic present in kernel (IBPB_ENTRY status unknown)"
pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify"
else
pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic"
fi
fi
# Zen/Zen+/Zen2: check IBPB microcode support and SMT
if [ "$cpu_family" = $((0x17)) ]; then
pr_info_nol "* CPU supports IBPB: "
if [ "$opt_live" = 1 ]; then
if [ -n "$cap_ibpb" ]; then
pstatus green YES "$cap_ibpb"
else
pstatus yellow NO
fi
else
pstatus blue N/A "not testable in offline mode"
fi
pr_info_nol "* Hyper-Threading (SMT) is enabled: "
is_cpu_smt_enabled
smt_enabled=$?
if [ "$smt_enabled" = 0 ]; then
pstatus yellow YES
else
pstatus green NO
fi
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$cpu_family" = $((0x17)) ]; then
# Zen/Zen+/Zen2
if [ -z "$kernel_retbleed" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic"
elif [ "$opt_paranoid" = 1 ] && [ "$smt_enabled" = 0 ]; then
pvulnstatus "$cve" VULN "SMT is enabled, which weakens the IBPB-based mitigation"
explain "For Zen/Zen+/Zen2 CPUs in paranoid mode, proper mitigation needs SMT to be disabled\n" \
"(this can be done by adding \`nosmt\` to your kernel command line), because IBPB alone\n" \
"doesn't fully protect cross-thread speculation."
elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in"
elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_live" = 1 ]; then
pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB"
explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \
"\`nosmt\` to your kernel command line."
else
pvulnstatus "$cve" OK "Your kernel and CPU support mitigation"
fi
elif [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ]; then
# older AMD families: basic mitigation check
if [ -z "$kernel_retbleed" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic"
elif [ -n "$kernel_unret" ] || [ -n "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" OK "Your kernel supports mitigation"
else
pvulnstatus "$cve" VULN "Your kernel doesn't have UNRET_ENTRY or IBPB_ENTRY compiled-in"
fi
else
# not supposed to happen
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
fi
else
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
pvulnstatus "$cve" "$status" "$msg"
fi
}
check_CVE_2022_29900_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}

157
src/vulns/CVE-2022-29901.sh Normal file
View File

@@ -0,0 +1,157 @@
# vim: set ts=4 sw=4 sts=4 et:
###############################
# CVE-2022-29901, Retbleed (Intel), RSB Alternate Behavior (RSBA)
check_CVE_2022_29901() {
check_cve 'CVE-2022-29901'
}
check_CVE_2022_29901_linux() {
local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_ibrs_entry
status=UNK
sys_interface_available=0
msg=''
#
# Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901)
#
# See CVE-2022-29900.sh for the full sysfs/Kconfig/function/stable/vendor inventory.
#
# Intel-specific notes:
# - eIBRS (IBRS_ALL) mitigates the vulnerability on Intel
# - plain retpoline does NOT mitigate on RSBA-capable CPUs (Retbleed bypasses retpoline)
# - IBRS entry also mitigates
# - call depth tracking / stuffing mitigates (v6.2+)
#
# --- Kconfig symbols (Intel-relevant) ---
# CONFIG_CPU_IBRS_ENTRY (< 6.9) / CONFIG_MITIGATION_IBRS_ENTRY (>= 6.9): Intel IBRS
# CONFIG_CALL_DEPTH_TRACKING (< 6.9) / CONFIG_MITIGATION_CALL_DEPTH_TRACKING (>= 6.9): stuffing
#
# --- CPU affection logic (Intel) ---
# 6ad0ad2bf8a6 (v5.19-rc7, initial Intel list):
# SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE,
# ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE
# f54d45372c6a (post-v5.19): + CANNONLAKE_L
# + any Intel with ARCH_CAP_RSBA set in IA32_ARCH_CAPABILITIES MSR (bit 2)
# immunity: none (no _NO bit for RETBLEED on Intel; eIBRS is a mitigation, not immunity)
#
if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports mitigation: "
if [ -n "$g_kernel_err" ]; then
kernel_retbleed_err="$g_kernel_err"
elif grep -q 'retbleed' "$g_kernel"; then
kernel_retbleed="found retbleed mitigation logic in kernel image"
fi
if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then
if grep -q 'retbleed_select_mitigation' "$opt_map"; then
kernel_retbleed="found retbleed_select_mitigation in System.map"
fi
fi
if [ -n "$kernel_retbleed" ]; then
pstatus green YES "$kernel_retbleed"
elif [ -n "$kernel_retbleed_err" ]; then
pstatus yellow UNKNOWN "$kernel_retbleed_err"
else
pstatus yellow NO
fi
pr_info_nol "* Kernel compiled with IBRS_ENTRY support: "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_IBRS_ENTRY: Linux < 6.9
# CONFIG_MITIGATION_IBRS_ENTRY: Linux >= 6.9
if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y' "$opt_config"; then
pstatus green YES
kernel_ibrs_entry="CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y found in kernel config"
else
pstatus yellow NO
fi
else
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif [ -n "$kernel_retbleed" ]; then
kernel_ibrs_entry="retbleed mitigation logic present in kernel (IBRS_ENTRY status unknown)"
pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify"
else
pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic"
fi
fi
pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): "
if [ "$opt_live" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then
if [ "$cap_ibrs_all" = 1 ]; then
pstatus green YES
elif [ "$cap_ibrs_all" = 0 ]; then
pstatus yellow NO
else
pstatus yellow UNKNOWN
fi
else
pstatus blue N/A "not testable in offline mode"
fi
pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): "
if [ "$opt_live" = 1 ] || [ "$cap_rsba" != -1 ]; then
if [ "$cap_rsba" = 1 ]; then
pstatus yellow YES "this CPU is affected by RSB underflow"
elif [ "$cap_rsba" = 0 ]; then
pstatus green NO
else
pstatus yellow UNKNOWN
fi
else
pstatus blue N/A "not testable in offline mode"
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
if [ -z "$kernel_retbleed" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic"
elif [ "$cap_ibrs_all" = 1 ]; then
if [ "$opt_paranoid" = 1 ] && [ "$cap_rrsba" = 1 ]; then
pvulnstatus "$cve" VULN "eIBRS is enabled but RRSBA is present, which may weaken the mitigation"
explain "In paranoid mode, the combination of eIBRS and RRSBA (Restricted RSB Alternate Behavior)\n" \
"is flagged because RRSBA means the RSB can still be influenced in some scenarios.\n" \
"Check if your firmware/kernel supports disabling RRSBA via RRSBA_CTRL."
else
pvulnstatus "$cve" OK "Enhanced IBRS (IBRS_ALL) mitigates the vulnerability"
fi
elif [ -n "$kernel_ibrs_entry" ]; then
pvulnstatus "$cve" OK "Your kernel has IBRS_ENTRY mitigation compiled-in"
else
pvulnstatus "$cve" VULN "Your kernel has retbleed mitigation but IBRS_ENTRY is not compiled-in and eIBRS is not available"
explain "Retpoline alone does NOT mitigate Retbleed on RSBA-capable Intel CPUs.\n" \
"You need either Enhanced IBRS (eIBRS, via firmware/microcode update) or a kernel\n" \
"compiled with IBRS_ENTRY support (Linux 5.19+, CONFIG_(CPU|MITIGATION)_IBRS_ENTRY)."
fi
else
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
pvulnstatus "$cve" "$status" "$msg"
fi
}
check_CVE_2022_29901_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}