feat: add SLS (Straight-Line Speculation) check with --extra option

2026-04-07 09:13:20 +02:00 · 2026-04-05 23:54:12 +02:00
parent 75d053a0f1
commit 548d504e88
8 changed files with 365 additions and 7 deletions
--- a/.github/workflows/expected_cve_count
+++ b/.github/workflows/expected_cve_count
@@ -1 +1 @@
-26
+27
--- a/UNSUPPORTED_CVE_LIST.md
+++ b/UNSUPPORTED_CVE_LIST.md
@@ -48,6 +48,28 @@ A Spectre V1 subvariant where the `SWAPGS` instruction can be speculatively exec
 **Why out of scope:** This is a Spectre V1 subvariant whose mitigation (SWAPGS barriers) shares the same sysfs entry as CVE-2017-5753. This tool's existing CVE-2017-5753 checks already detect SWAPGS barriers: a mitigated kernel reports `"Mitigation: usercopy/swapgs barriers and __user pointer sanitization"`, while a kernel lacking the fix reports `"Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers"`. CVE-2019-1125 is therefore fully covered as part of Spectre V1.
 ## CVE-2021-26341 — AMD Straight-Line Speculation (direct branches)
 - **Bulletin:** [AMD-SB-1026](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1026.html)
 - **Affected CPUs:** AMD Zen 1, Zen 2
 - **CVSS:** 6.5 (Medium)
 - **Covered by:** CVE-0000-0001 (SLS supplementary check)
 AMD Zen 1/Zen 2 CPUs may transiently execute instructions beyond unconditional direct branches (JMP, CALL), potentially allowing information disclosure via side channels.
 **Why out of scope:** This is the AMD-specific direct-branch subset of the broader Straight-Line Speculation (SLS) class. The kernel mitigates it via `CONFIG_MITIGATION_SLS` (formerly `CONFIG_SLS`), which enables the GCC flag `-mharden-sls=all` to insert INT3 after unconditional control flow instructions. Since this is a compile-time-only mitigation with no sysfs interface, no MSR, and no per-CVE CPU feature flag, it cannot be checked using the standard CVE framework. A supplementary SLS check is available via `--extra` mode, which covers this CVE's mitigation as well.
 ## CVE-2020-13844 — ARM Straight-Line Speculation
 - **Advisory:** [ARM Developer Security Update (June 2020)](https://developer.arm.com/Arm%20Security%20Center/Speculative%20Processor%20Vulnerability)
 - **Affected CPUs:** Cortex-A32, A34, A35, A53, A57, A72, A73, and broadly all speculative Armv8-A cores
 - **CVSS:** 5.5 (Medium)
 - **Covered by:** CVE-0000-0001 (SLS supplementary check)
 ARM processors may speculatively execute instructions past unconditional control flow changes (RET, BR, BLR). GCC and Clang support `-mharden-sls=all` for aarch64, but the Linux kernel never merged the patches to enable it: a `CONFIG_HARDEN_SLS_ALL` series was submitted in 2021 but rejected upstream.
 **Why out of scope:** This is the ARM-specific subset of the broader Straight-Line Speculation (SLS) class. The supplementary SLS check available via `--extra` mode detects affected ARM CPU models and reports that no kernel mitigation is currently available.
 ## CVE-2025-20623 — Shared Microarchitectural Predictor State (10th Gen Intel)
 - **Advisory:** [INTEL-SA-01247](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html)
--- a/src/libs/001_core_header.sh
+++ b/src/libs/001_core_header.sh
@@ -32,6 +32,7 @@ exit_cleanup() {
    [ -n "${g_dumped_config:-}" ] && [ -f "$g_dumped_config" ] && rm -f "$g_dumped_config"
    [ -n "${g_kerneltmp:-}" ] && [ -f "$g_kerneltmp" ] && rm -f "$g_kerneltmp"
    [ -n "${g_kerneltmp2:-}" ] && [ -f "$g_kerneltmp2" ] && rm -f "$g_kerneltmp2"
    [ -n "${g_sls_text_tmp:-}" ] && [ -f "$g_sls_text_tmp" ] && rm -f "$g_sls_text_tmp"
    [ -n "${g_mcedb_tmp:-}" ] && [ -f "$g_mcedb_tmp" ] && rm -f "$g_mcedb_tmp"
    [ -n "${g_intel_tmp:-}" ] && [ -d "$g_intel_tmp" ] && rm -rf "$g_intel_tmp"
    [ -n "${g_linuxfw_tmp:-}" ] && [ -f "$g_linuxfw_tmp" ] && rm -f "$g_linuxfw_tmp"
--- a/src/libs/002_core_globals.sh
+++ b/src/libs/002_core_globals.sh
@@ -29,9 +29,11 @@ show_usage() {
 		--no-color		don't use color codes
 		--verbose, -v		increase verbosity level, possibly several times
 		--explain		produce an additional human-readable explanation of actions to take to mitigate a vulnerability
-		--paranoid		require IBPB to deem Variant 2 as mitigated
+		--paranoid		require all mitigations to be enabled to the fullest extent, including those that
-					also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
+					are not strictly necessary but provide defense in depth (e.g. SMT disabled, IBPB
-					also require SMT disabled to deem MDS vulnerabilities mitigated
+					always-on); without this flag, the script follows the security community consensus
 		--extra			run additional checks for issues that don't have a CVE but are still security-relevant,
 					such as compile-time mitigations not enabled by default (e.g. Straight-Line Speculation)
 		--no-sysfs		don't use the /sys interface even if present [Linux]
 		--sysfs-only		only use the /sys interface, don't run our own checks [Linux]
@@ -128,6 +130,7 @@ opt_allow_msr_write=0
 opt_cpu=0
 opt_explain=0
 opt_paranoid=0
 opt_extra=0
 opt_mock=0
 opt_intel_db=1
@@ -164,6 +167,7 @@ CVE-2024-36357|TSA_L1|tsa|Transient Scheduler Attack - L1 (TSA-L1)
 CVE-2024-28956|ITS|its|Indirect Target Selection (ITS)
 CVE-2025-40300|VMSCAPE|vmscape|VMScape, VM-exit stale branch prediction
 CVE-2024-45332|BPI|bpi|Branch Privilege Injection (BPI)
 CVE-0000-0001|SLS|sls|Straight-Line Speculation (SLS)
 '
 # Derive the supported CVE list from the registry
--- a/src/libs/200_cpu_affected.sh
+++ b/src/libs/200_cpu_affected.sh
@@ -99,6 +99,7 @@ is_cpu_affected() {
    affected_taa=''
    affected_itlbmh=''
    affected_srbds=''
    affected_sls=''
    # Zenbleed and Inception are both AMD specific, look for "is_amd" below:
    _set_immune zenbleed
    _set_immune inception
@@ -741,13 +742,35 @@ is_cpu_affected() {
        _infer_immune itlbmh
    fi
-    # shellcheck disable=SC2154  # affected_zenbleed/inception/retbleed/tsa/downfall/reptar/its/vmscape/bpi set via eval (_set_immune)
+    # SLS (Straight-Line Speculation):
    # - x86_64: all CPUs are affected (compile-time mitigation CONFIG_MITIGATION_SLS)
    # - arm64 (CVE-2020-13844): Cortex-A32/A34/A35/A53/A57/A72/A73 confirmed affected,
    #   and broadly all speculative Armv8-A cores. No kernel mitigation merged.
    #   Part numbers: A32=0xd01 A34=0xd02 A53=0xd03 A35=0xd04 A57=0xd07 A72=0xd08 A73=0xd09
    #   Plus later speculative cores: A75=0xd0a A76=0xd0b A77=0xd0d N1=0xd0c V1=0xd40 N2=0xd49 V2=0xd4f
    if is_intel || is_amd; then
        _infer_vuln sls
    elif [ "$cpu_vendor" = ARM ]; then
        for cpupart in $cpu_part_list; do
            if echo "$cpupart" | grep -q -w -e 0xd01 -e 0xd02 -e 0xd03 -e 0xd04 \
                -e 0xd07 -e 0xd08 -e 0xd09 -e 0xd0a -e 0xd0b -e 0xd0c -e 0xd0d \
                -e 0xd40 -e 0xd49 -e 0xd4f; then
                _set_vuln sls
            fi
        done
        # non-speculative ARM cores (arch <= 7, or early v8 models) are not affected
        _infer_immune sls
    else
        _infer_immune sls
    fi
    # shellcheck disable=SC2154
    {
        pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a"
        pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds"
        pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds"
        pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception retbleed=$affected_retbleed tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar its=$affected_its"
-        pr_debug "is_cpu_affected: final results: vmscape=$affected_vmscape bpi=$affected_bpi"
+        pr_debug "is_cpu_affected: final results: vmscape=$affected_vmscape bpi=$affected_bpi sls=$affected_sls"
    }
    affected_variantl1tf_sgx="$affected_variantl1tf"
    # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
--- a/src/libs/230_util_optparse.sh
+++ b/src/libs/230_util_optparse.sh
@@ -68,6 +68,9 @@ while [ -n "${1:-}" ]; do
    elif [ "$1" = "--paranoid" ]; then
        opt_paranoid=1
        shift
    elif [ "$1" = "--extra" ]; then
        opt_extra=1
        shift
    elif [ "$1" = "--hw-only" ]; then
        opt_hw_only=1
        shift
@@ -166,7 +169,7 @@ while [ -n "${1:-}" ]; do
        case "$2" in
            help)
                echo "The following parameters are supported for --variant (can be used multiple times):"
-                echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, retbleed, inception, reptar, tsa, tsa-sq, tsa-l1, its, vmscape, bpi"
+                echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, retbleed, inception, reptar, tsa, tsa-sq, tsa-l1, its, vmscape, bpi, sls"
                exit 0
                ;;
            1)
@@ -265,6 +268,10 @@ while [ -n "${1:-}" ]; do
                opt_cve_list="$opt_cve_list CVE-2024-45332"
                opt_cve_all=0
                ;;
            sls)
                opt_cve_list="$opt_cve_list CVE-0000-0001"
                opt_cve_all=0
                ;;
            *)
                echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2
                exit 255
--- a/src/vulns-helpers/check_sls.sh
+++ b/src/vulns-helpers/check_sls.sh
@@ -0,0 +1,286 @@
 # vim: set ts=4 sw=4 sts=4 et:
 ###############################
 # Straight-Line Speculation (SLS) — supplementary check (--extra only)
 #
 # SLS: x86 CPUs may speculatively execute instructions past unconditional
 # control flow changes (RET, indirect JMP/CALL). Mitigated at compile time
 # by CONFIG_MITIGATION_SLS (formerly CONFIG_SLS before kernel 6.8), which
 # enables -mharden-sls=all to insert INT3 after these instructions.
 # No sysfs interface, no MSR, no CPU feature flag.
 # Related: CVE-2021-26341 (AMD Zen1/Zen2 direct-branch SLS subset).
 # Heuristic: scan the kernel .text section for indirect call/jmp thunks
 # (retpoline-style stubs), then check whether tail-call JMPs to those thunks
 # are followed by INT3 (0xcc). With SLS enabled: >80%. Without: <20%.
 #
 # Thunk signature: e8 01 00 00 00 cc 48 89 XX 24
 #   call +1; int3; mov <reg>,(%rsp); ...
 # Tail-call pattern: e9 XX XX XX XX [cc?]
 #   jmp <thunk>; [int3 if SLS]
 # Perl implementation of the SLS heuristic byte scanner.
 # Args: $1 = path to raw .text binary (from objcopy -O binary -j .text)
 # Output: thunks=N jmps=N sls=N
 #
 # The heuristic looks for two types of thunks and counts how many jmp rel32
 # instructions targeting them are followed by INT3 (the SLS mitigation):
 #
 # 1. Indirect call/jmp thunks (retpoline stubs used for indirect tail calls):
 #    e8 01 00 00 00 cc 48 89 XX 24  (call +1; int3; mov <reg>,(%rsp))
 #
 # 2. Return thunk (used for all function returns via jmp __x86_return_thunk):
 #    c3 90 90 90 90 cc cc cc cc cc  (ret; nop*4; int3*5+)
 #    This is the most common jmp target in retpoline-enabled kernels.
 #
 # Some kernels only use indirect thunks, some only the return thunk, and some
 # use both. We check both and combine the results.
 _sls_heuristic_perl() {
    perl -e '
        use strict;
        use warnings;
        local $/;
        open my $fh, "<:raw", $ARGV[0] or die "open: $!";
        my $text = <$fh>;
        close $fh;
        my $len = length($text);
        # Collect two types of thunks separately, as different kernels
        # apply SLS to different thunk types.
        my (%indirect_thunks, %return_thunks);
        # Pattern 1: indirect call/jmp thunks (retpoline stubs)
        while ($text =~ /\xe8\x01\x00\x00\x00\xcc\x48\x89.\x24/gs) {
            $indirect_thunks{ pos($text) - length($&) } = 1;
        }
        # Pattern 2: return thunk (ret; nop*4; int3*5)
        while ($text =~ /\xc3\x90\x90\x90\x90\xcc\xcc\xcc\xcc\xcc/gs) {
            $return_thunks{ pos($text) - length($&) } = 1;
        }
        my $n_indirect = scalar keys %indirect_thunks;
        my $n_return = scalar keys %return_thunks;
        if ($n_indirect + $n_return == 0) {
            print "thunks=0 jmps=0 sls=0\n";
            exit 0;
        }
        # Count jmps to each thunk type separately
        my ($ind_total, $ind_sls) = (0, 0);
        my ($ret_total, $ret_sls) = (0, 0);
        for (my $i = 0; $i + 5 < $len; $i++) {
            next unless substr($text, $i, 1) eq "\xe9";
            my $rel = unpack("V", substr($text, $i + 1, 4));
            $rel -= 4294967296 if $rel >= 2147483648;
            my $target = $i + 5 + $rel;
            my $has_int3 = ($i + 5 < $len && substr($text, $i + 5, 1) eq "\xcc") ? 1 : 0;
            if (exists $indirect_thunks{$target}) {
                $ind_total++;
                $ind_sls += $has_int3;
            }
            if (exists $return_thunks{$target}) {
                $ret_total++;
                $ret_sls += $has_int3;
            }
        }
        # Use whichever thunk type has jmps; prefer indirect thunks if both have data
        my ($total, $sls, $n_thunks);
        if ($ind_total > 0) {
            ($total, $sls, $n_thunks) = ($ind_total, $ind_sls, $n_indirect);
        } elsif ($ret_total > 0) {
            ($total, $sls, $n_thunks) = ($ret_total, $ret_sls, $n_return);
        } else {
            ($total, $sls, $n_thunks) = (0, 0, $n_indirect + $n_return);
        }
        printf "thunks=%d jmps=%d sls=%d\n", $n_thunks, $total, $sls;
    ' "$1" 2>/dev/null
 }
 # Awk fallback implementation of the SLS heuristic byte scanner.
 # Slower than perl but uses only POSIX tools (od + awk).
 # Args: $1 = path to raw .text binary (from objcopy -O binary -j .text)
 # Output: thunks=N jmps=N sls=N
 _sls_heuristic_awk() {
    od -An -tu1 -v "$1" | awk '
    {
        for (i = 1; i <= NF; i++) b[n++] = $i + 0
    }
    END {
        # Pattern 1: indirect call/jmp thunks
        # 232 1 0 0 0 204 72 137 XX 36  (e8 01 00 00 00 cc 48 89 XX 24)
        for (i = 0; i + 9 < n; i++) {
            if (b[i]==232 && b[i+1]==1 && b[i+2]==0 && b[i+3]==0 && \
                b[i+4]==0 && b[i+5]==204 && b[i+6]==72 && b[i+7]==137 && \
                b[i+9]==36) {
                ind[i] = 1
                n_ind++
            }
        }
        # Pattern 2: return thunk (ret; nop*4; int3*5)
        # 195 144 144 144 144 204 204 204 204 204  (c3 90 90 90 90 cc cc cc cc cc)
        for (i = 0; i + 9 < n; i++) {
            if (b[i]==195 && b[i+1]==144 && b[i+2]==144 && b[i+3]==144 && \
                b[i+4]==144 && b[i+5]==204 && b[i+6]==204 && b[i+7]==204 && \
                b[i+8]==204 && b[i+9]==204) {
                ret[i] = 1
                n_ret++
            }
        }
        if (n_ind + n_ret == 0) { print "thunks=0 jmps=0 sls=0"; exit }
        # Count jmps to each thunk type separately
        ind_total = 0; ind_sls = 0
        ret_total = 0; ret_sls = 0
        for (i = 0; i + 5 < n; i++) {
            if (b[i] != 233) continue
            rel = b[i+1] + b[i+2]*256 + b[i+3]*65536 + b[i+4]*16777216
            if (rel >= 2147483648) rel -= 4294967296
            target = i + 5 + rel
            has_int3 = (b[i+5] == 204) ? 1 : 0
            if (target in ind) { ind_total++; ind_sls += has_int3 }
            if (target in ret) { ret_total++; ret_sls += has_int3 }
        }
        # Prefer indirect thunks if they have data, else fall back to return thunk
        if (ind_total > 0)
            printf "thunks=%d jmps=%d sls=%d\n", n_ind, ind_total, ind_sls
        else if (ret_total > 0)
            printf "thunks=%d jmps=%d sls=%d\n", n_ret, ret_total, ret_sls
        else
            printf "thunks=%d jmps=0 sls=0\n", n_ind + n_ret
    }' 2>/dev/null
 }
 check_CVE_0000_0001_linux() {
    local status sys_interface_available msg
    status=UNK
    sys_interface_available=0
    msg=''
    # No sysfs interface for SLS
    # sys_interface_available stays 0
    if [ "$opt_sysfs_only" != 1 ]; then
        # --- CPU affection check ---
        if ! is_cpu_affected "$cve"; then
            pvulnstatus "$cve" OK "your CPU is not affected"
            return
        fi
        # --- arm64: no kernel mitigation available ---
        local _sls_arch
        _sls_arch=$(uname -m 2>/dev/null || echo unknown)
        if echo "$_sls_arch" | grep -qw 'aarch64'; then
            pvulnstatus "$cve" VULN "no kernel mitigation available for arm64 SLS (CVE-2020-13844)"
            explain "Your ARM processor is affected by Straight-Line Speculation (CVE-2020-13844).\n" \
                "GCC and Clang support -mharden-sls=all for aarch64, which inserts SB (Speculation Barrier)\n" \
                "or DSB+ISB after RET and BR instructions. However, the Linux kernel does not enable this flag:\n" \
                "patches to add CONFIG_HARDEN_SLS_ALL were submitted in 2021 but were rejected upstream.\n" \
                "There is currently no kernel-level mitigation for SLS on arm64."
            return
        fi
        # --- method 1: kernel config check (x86_64) ---
        local _sls_config=''
        if [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
            pr_info_nol "  * Kernel compiled with SLS mitigation: "
            if grep -qE '^CONFIG_(MITIGATION_)?SLS=y' "$opt_config"; then
                _sls_config=1
                pstatus green YES
            else
                _sls_config=0
                pstatus yellow NO
            fi
        fi
        # --- method 2: kernel image heuristic (fallback when no config) ---
        local _sls_heuristic=''
        if [ -z "$_sls_config" ]; then
            pr_info_nol "  * Kernel compiled with SLS mitigation: "
            if [ -n "$g_kernel_err" ]; then
                pstatus yellow UNKNOWN "$g_kernel_err"
            elif [ -z "$g_kernel" ]; then
                pstatus yellow UNKNOWN "no kernel image available"
            elif ! command -v "${opt_arch_prefix}objcopy" >/dev/null 2>&1; then
                pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objcopy' tool, usually in the binutils package"
            else
                local _sls_result
                g_sls_text_tmp=$(mktemp -t smc-sls-text-XXXXXX)
                if ! "${opt_arch_prefix}objcopy" -O binary -j .text "$g_kernel" "$g_sls_text_tmp" 2>/dev/null || [ ! -s "$g_sls_text_tmp" ]; then
                    pstatus yellow UNKNOWN "failed to extract .text section from kernel image"
                    rm -f "$g_sls_text_tmp"
                    g_sls_text_tmp=''
                else
                    _sls_result=''
                    if command -v perl >/dev/null 2>&1; then
                        _sls_result=$(_sls_heuristic_perl "$g_sls_text_tmp")
                    elif command -v awk >/dev/null 2>&1; then
                        _sls_result=$(_sls_heuristic_awk "$g_sls_text_tmp")
                    fi
                    rm -f "$g_sls_text_tmp"
                    g_sls_text_tmp=''
                    if [ -z "$_sls_result" ]; then
                        pstatus yellow UNKNOWN "missing 'perl' or 'awk' tool for heuristic scan"
                    else
                        local _sls_thunks _sls_jmps _sls_int3
                        _sls_thunks=$(echo "$_sls_result" | sed -n 's/.*thunks=\([0-9]*\).*/\1/p')
                        _sls_jmps=$(echo "$_sls_result" | sed -n 's/.*jmps=\([0-9]*\).*/\1/p')
                        _sls_int3=$(echo "$_sls_result" | sed -n 's/.*sls=\([0-9]*\).*/\1/p')
                        pr_debug "sls heuristic: thunks=$_sls_thunks jmps=$_sls_jmps int3=$_sls_int3"
                        if [ "${_sls_thunks:-0}" = 0 ] || [ "${_sls_jmps:-0}" = 0 ]; then
                            pstatus yellow UNKNOWN "no retpoline indirect thunks found in kernel image"
                        else
                            local _sls_pct=$((_sls_int3 * 100 / _sls_jmps))
                            if [ "$_sls_pct" -ge 80 ]; then
                                _sls_heuristic=1
                                pstatus green YES "$_sls_int3/$_sls_jmps indirect tail-call JMPs hardened (${_sls_pct}%%)"
                            elif [ "$_sls_pct" -le 20 ]; then
                                _sls_heuristic=0
                                pstatus yellow NO "$_sls_int3/$_sls_jmps indirect tail-call JMPs hardened (${_sls_pct}%%)"
                            else
                                pstatus yellow UNKNOWN "$_sls_int3/$_sls_jmps indirect tail-call JMPs hardened (${_sls_pct}%%, inconclusive)"
                            fi
                        fi
                    fi
                fi
            fi
        fi
        # --- verdict (x86_64) ---
        if [ "$_sls_config" = 1 ] || [ "$_sls_heuristic" = 1 ]; then
            pvulnstatus "$cve" OK "kernel compiled with SLS mitigation"
            explain "Your kernel was compiled with CONFIG_MITIGATION_SLS=y (or CONFIG_SLS=y on kernels before 6.8),\n" \
                "which enables the GCC flag -mharden-sls=all to insert INT3 instructions after unconditional\n" \
                "control flow changes, blocking straight-line speculation."
        elif [ "$_sls_config" = 0 ] || [ "$_sls_heuristic" = 0 ]; then
            pvulnstatus "$cve" VULN "kernel not compiled with SLS mitigation"
            explain "Recompile your kernel with CONFIG_MITIGATION_SLS=y (or CONFIG_SLS=y on kernels before 6.8).\n" \
                "This enables the GCC flag -mharden-sls=all, which inserts INT3 after unconditional control flow\n" \
                "instructions to block straight-line speculation. Note: this option defaults to off in most kernels\n" \
                "and incurs ~2.4%% text size overhead."
        else
            pvulnstatus "$cve" UNK "couldn't determine SLS mitigation status"
        fi
    elif [ "$sys_interface_available" = 0 ]; then
        msg="/sys vulnerability interface use forced, but there is no sysfs entry for SLS"
        status=UNK
        pvulnstatus "$cve" "$status" "$msg"
    fi
 }
 check_CVE_0000_0001_bsd() {
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
    else
        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
    fi
 }
--- a/src/vulns/CVE-0000-0001.sh
+++ b/src/vulns/CVE-0000-0001.sh
@@ -0,0 +1,15 @@
 # vim: set ts=4 sw=4 sts=4 et:
 ###############################
 # CVE-0000-0001, SLS, Straight-Line Speculation
 # Supplementary check, only runs under --extra
 # shellcheck disable=SC2034
 check_CVE_0000_0001() {
    # SLS is a supplementary check: skip it in the default "all CVEs" run
    # unless --extra is passed, but always run when explicitly selected
    # via --variant sls or --cve CVE-0000-0001
    if [ "$opt_cve_all" = 1 ] && [ "$opt_extra" != 1 ]; then
        return 0
    fi
    check_cve 'CVE-0000-0001'
 }