Merge pull request #532 from speed47/test

built from commit 6fac2d8ff1
 dated 2026-04-02 21:32:39 +0000
 by Stéphane Lesimple (speed47_github@speed47.net)

 Retbleed / Downfall overhald / doc updates

.github/workflows/build.yml

@@ -17,6 +17,8 @@ jobs:
         persist-credentials: true
     - name: install prerequisites
       run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+    - name: update Intel model list
+      run: ./scripts/update_intel_models.sh
     - name: build and check
       run: |
         make build fmt-check shellcheck

.github/workflows/expected_cve_count

@@ -1 +1 @@
-21
+23

README.md

@@ -22,6 +22,8 @@ CVE | Name | Aliases
 [CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX Asynchronous Abort | TAA, ZombieLoad V2
 [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses
 [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS, CROSSTalk
+[CVE-2022-29900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (AMD)
+[CVE-2022-29901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (Intel), RSBA
 [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | Downfall, GDS
 [CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, SRSO
 [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
@@ -51,6 +53,8 @@ CVE-2019-11091 (MDSUM, RIDL) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + k
 CVE-2019-11135 (TAA, ZombieLoad V2) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
 CVE-2018-12207 (iTLB Multihit, No eXcuses) | ✅ | ✅ | ☠️ | ✅ | Hypervisor update (or disable hugepages)
 CVE-2020-0543 (SRBDS, CROSSTalk) | 💥 (2) | 💥 (2) | 💥 (2) | 💥 (2) | Microcode + kernel update
+CVE-2022-29900 (Retbleed AMD) | 💥 | ✅ | 💥 | ✅ | Kernel update (+ microcode for IBPB)
+CVE-2022-29901 (Retbleed Intel, RSBA) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update (eIBRS or IBRS)
 CVE-2022-40982 (Downfall, GDS) | 💥 | 💥 | 💥 | 💥 | Microcode update (or disable AVX)
 CVE-2023-20569 (Inception, SRSO) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update
 CVE-2023-20593 (Zenbleed) | 💥 | 💥 | 💥 | 💥 | Microcode update (or kernel workaround)
@@ -129,6 +133,14 @@ A malicious guest VM can trigger a machine check exception (MCE) — crashing th
 
 Certain special CPU instructions (RDRAND, RDSEED, EGETKEY) read data through a shared staging buffer that is accessible across all cores via speculative execution. An attacker running code on any core can observe the output of these instructions from a victim on a different core, including extracting cryptographic keys from SGX enclaves (a complete ECDSA key was demonstrated). This is notable as one of the first cross-core speculative execution attacks. Mitigation requires a microcode update that serializes access to the staging buffer, plus a kernel update to manage the mitigation. Performance impact is low, mainly affecting workloads that heavily use RDRAND/RDSEED.
 
+**CVE-2022-29900 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed AMD)**
+
+On AMD processors from families 0x15 through 0x17 (Bulldozer through Zen 2) and Hygon family 0x18, an attacker can exploit return instructions to redirect speculative execution and leak kernel memory, bypassing retpoline mitigations that were effective against Spectre V2. Unlike Spectre V2 which targets indirect jumps and calls, Retbleed specifically targets return instructions, which were previously considered safe. Mitigation requires a kernel update providing either the untrained return thunk (safe RET) or IBPB-on-entry mechanism, plus a microcode update providing IBPB support on Zen 1/2. On Zen 1/2, SMT should be disabled for full protection when using IBPB-based mitigation. Performance impact is medium.
+
+**CVE-2022-29901 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed Intel, RSBA)**
+
+On Intel Skylake through Rocket Lake processors with RSB Alternate Behavior (RSBA), return instructions can be speculatively redirected via the Branch Target Buffer when the Return Stack Buffer underflows, bypassing retpoline mitigations. Mitigation requires either Enhanced IBRS (eIBRS, via microcode update) or a kernel compiled with IBRS-on-entry support (Linux 5.19+). Call depth tracking (stuffing) is an alternative mitigation available from Linux 6.2+. Plain retpoline does NOT mitigate this vulnerability on RSBA-capable CPUs. Performance impact is medium to high.
+
 **CVE-2022-40982 — Gather Data Sampling (GDS, Downfall)**
 
 The AVX GATHER instructions can leak data from previously used vector registers across privilege boundaries through the shared gather data buffer. This affects any software using AVX2 or AVX-512 on vulnerable Intel processors. Mitigation is provided by a microcode update that clears the gather buffer, or alternatively by disabling the AVX feature entirely. Performance impact is negligible for most workloads but can be significant (up to 50%) for AVX-heavy applications such as HPC and AI inference.
@@ -155,6 +167,13 @@ On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculative
 
 </details>
 
+## Unsupported CVEs
+
+Several transient execution CVEs are not covered by this tool, for various reasons (duplicates, only
+affecting non-supported hardware or OS, theoretical with no known exploitation, etc.).
+The complete list along with the reason for each exclusion is available in the
+[UNSUPPORTED_CVE_LIST.md](https://github.com/speed47/spectre-meltdown-checker/blob/source/UNSUPPORTED_CVE_LIST.md) file.
+
 ## Scope
 
 Supported operating systems:

src/libs/003_intel_models.sh

@@ -0,0 +1,105 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# AUTO-GENERATED FILE — DO NOT EDIT MANUALLY.
+# Generated by scripts/update_intel_models.sh from:
+#   https://raw.githubusercontent.com/torvalds/linux/refs/heads/master/arch/x86/include/asm/intel-family.h
+# Run scripts/update_intel_models.sh to refresh when new Intel CPU families are added to the kernel.
+# shellcheck disable=SC2034
+{
+    readonly INTEL_FAM5_PENTIUM_75=$((0x02))  # /* P54C */
+    readonly INTEL_FAM5_PENTIUM_MMX=$((0x04)) # /* P55C */
+    readonly INTEL_FAM5_QUARK_X1000=$((0x09)) # /* Quark X1000 SoC */
+    readonly INTEL_FAM6_PENTIUM_PRO=$((0x01))
+    readonly INTEL_FAM6_PENTIUM_II_KLAMATH=$((0x03))
+    readonly INTEL_FAM6_PENTIUM_III_DESCHUTES=$((0x05))
+    readonly INTEL_FAM6_PENTIUM_III_TUALATIN=$((0x0B))
+    readonly INTEL_FAM6_PENTIUM_M_DOTHAN=$((0x0D))
+    readonly INTEL_FAM6_CORE_YONAH=$((0x0E))
+    readonly INTEL_FAM6_CORE2_MEROM=$((0x0F))
+    readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16))
+    readonly INTEL_FAM6_CORE2_PENRYN=$((0x17))
+    readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D))
+    readonly INTEL_FAM6_NEHALEM=$((0x1E))
+    readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */
+    readonly INTEL_FAM6_NEHALEM_EP=$((0x1A))
+    readonly INTEL_FAM6_NEHALEM_EX=$((0x2E))
+    readonly INTEL_FAM6_WESTMERE=$((0x25))
+    readonly INTEL_FAM6_WESTMERE_EP=$((0x2C))
+    readonly INTEL_FAM6_WESTMERE_EX=$((0x2F))
+    readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A))
+    readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D))
+    readonly INTEL_FAM6_IVYBRIDGE=$((0x3A))
+    readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E))
+    readonly INTEL_FAM6_HASWELL=$((0x3C))
+    readonly INTEL_FAM6_HASWELL_X=$((0x3F))
+    readonly INTEL_FAM6_HASWELL_L=$((0x45))
+    readonly INTEL_FAM6_HASWELL_G=$((0x46))
+    readonly INTEL_FAM6_BROADWELL=$((0x3D))
+    readonly INTEL_FAM6_BROADWELL_G=$((0x47))
+    readonly INTEL_FAM6_BROADWELL_X=$((0x4F))
+    readonly INTEL_FAM6_BROADWELL_D=$((0x56))
+    readonly INTEL_FAM6_SKYLAKE_L=$((0x4E))        # /* Sky Lake */
+    readonly INTEL_FAM6_SKYLAKE=$((0x5E))          # /* Sky Lake */
+    readonly INTEL_FAM6_SKYLAKE_X=$((0x55))        # /* Sky Lake */
+    readonly INTEL_FAM6_KABYLAKE_L=$((0x8E))       # /* Sky Lake */
+    readonly INTEL_FAM6_KABYLAKE=$((0x9E))         # /* Sky Lake */
+    readonly INTEL_FAM6_COMETLAKE=$((0xA5))        # /* Sky Lake */
+    readonly INTEL_FAM6_COMETLAKE_L=$((0xA6))      # /* Sky Lake */
+    readonly INTEL_FAM6_CANNONLAKE_L=$((0x66))     # /* Palm Cove */
+    readonly INTEL_FAM6_ICELAKE_X=$((0x6A))        # /* Sunny Cove */
+    readonly INTEL_FAM6_ICELAKE_D=$((0x6C))        # /* Sunny Cove */
+    readonly INTEL_FAM6_ICELAKE=$((0x7D))          # /* Sunny Cove */
+    readonly INTEL_FAM6_ICELAKE_L=$((0x7E))        # /* Sunny Cove */
+    readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D))     # /* Sunny Cove */
+    readonly INTEL_FAM6_ROCKETLAKE=$((0xA7))       # /* Cypress Cove */
+    readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C))      # /* Willow Cove */
+    readonly INTEL_FAM6_TIGERLAKE=$((0x8D))        # /* Willow Cove */
+    readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */
+    readonly INTEL_FAM6_EMERALDRAPIDS_X=$((0xCF))  # /* Raptor Cove */
+    readonly INTEL_FAM6_GRANITERAPIDS_X=$((0xAD))  # /* Redwood Cove */
+    readonly INTEL_FAM6_GRANITERAPIDS_D=$((0xAE))
+    readonly INTEL_FAM19_DIAMONDRAPIDS_X=$((0x01)) # /* Panther Cove */
+    readonly INTEL_FAM6_BARTLETTLAKE=$((0xD7))     # /* Raptor Cove */
+    readonly INTEL_FAM6_LAKEFIELD=$((0x8A))        # /* Sunny Cove / Tremont */
+    readonly INTEL_FAM6_ALDERLAKE=$((0x97))        # /* Golden Cove / Gracemont */
+    readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A))      # /* Golden Cove / Gracemont */
+    readonly INTEL_FAM6_RAPTORLAKE=$((0xB7))       # /* Raptor Cove / Enhanced Gracemont */
+    readonly INTEL_FAM6_RAPTORLAKE_P=$((0xBA))
+    readonly INTEL_FAM6_RAPTORLAKE_S=$((0xBF))
+    readonly INTEL_FAM6_METEORLAKE=$((0xAC)) # /* Redwood Cove / Crestmont */
+    readonly INTEL_FAM6_METEORLAKE_L=$((0xAA))
+    readonly INTEL_FAM6_ARROWLAKE_H=$((0xC5)) # /* Lion Cove / Skymont */
+    readonly INTEL_FAM6_ARROWLAKE=$((0xC6))
+    readonly INTEL_FAM6_ARROWLAKE_U=$((0xB5))
+    readonly INTEL_FAM6_LUNARLAKE_M=$((0xBD))   # /* Lion Cove / Skymont */
+    readonly INTEL_FAM6_PANTHERLAKE_L=$((0xCC)) # /* Cougar Cove / Darkmont */
+    readonly INTEL_FAM6_WILDCATLAKE_L=$((0xD5))
+    readonly INTEL_FAM18_NOVALAKE=$((0x01))            # /* Coyote Cove / Arctic Wolf */
+    readonly INTEL_FAM18_NOVALAKE_L=$((0x03))          # /* Coyote Cove / Arctic Wolf */
+    readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C))         # /* Diamondville, Pineview */
+    readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26))     # /* Silverthorne, Lincroft */
+    readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36))        # /* Cedarview */
+    readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27))    # /* Penwell */
+    readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */
+    readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37))      # /* Bay Trail, Valleyview */
+    readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D))    # /* Avaton, Rangely */
+    readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A))  # /* Merriefield */
+    readonly INTEL_FAM6_ATOM_SILVERMONT_MID2=$((0x5A)) # /* Anniedale */
+    readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C))         # /* Cherry Trail, Braswell */
+    readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75))      # /* Lightning Mountain */
+    readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C))        # /* Apollo Lake */
+    readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F))      # /* Denverton */
+    readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A))   # /* Gemini Lake */
+    readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86))       # /* Jacobsville */
+    readonly INTEL_FAM6_ATOM_TREMONT=$((0x96))         # /* Elkhart Lake */
+    readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C))       # /* Jasper Lake */
+    readonly INTEL_FAM6_ATOM_GRACEMONT=$((0xBE))       # /* Alderlake N */
+    readonly INTEL_FAM6_ATOM_CRESTMONT_X=$((0xAF))     # /* Sierra Forest */
+    readonly INTEL_FAM6_ATOM_CRESTMONT=$((0xB6))       # /* Grand Ridge */
+    readonly INTEL_FAM6_ATOM_DARKMONT_X=$((0xDD))      # /* Clearwater Forest */
+    readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57))         # /* Knights Landing */
+    readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85))         # /* Knights Mill */
+    readonly INTEL_FAM15_P4_WILLAMETTE=$((0x01))       # /* Also Xeon Foster */
+    readonly INTEL_FAM15_P4_PRESCOTT=$((0x03))
+    readonly INTEL_FAM15_P4_PRESCOTT_2M=$((0x04))
+    readonly INTEL_FAM15_P4_CEDARMILL=$((0x06)) # /* Also Xeon Dempsey */
+}