diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 522b7f2..e1a8c36 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,6 +17,8 @@ jobs: persist-credentials: true - name: install prerequisites run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make + - name: update Intel model list + run: ./scripts/update_intel_models.sh - name: build and check run: | make build fmt-check shellcheck diff --git a/.github/workflows/expected_cve_count b/.github/workflows/expected_cve_count index aabe6ec..4099407 100644 --- a/.github/workflows/expected_cve_count +++ b/.github/workflows/expected_cve_count @@ -1 +1 @@ -21 +23 diff --git a/README.md b/README.md index 9198503..7643ef6 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,8 @@ CVE | Name | Aliases [CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX Asynchronous Abort | TAA, ZombieLoad V2 [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS, CROSSTalk +[CVE-2022-29900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (AMD) +[CVE-2022-29901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (Intel), RSBA [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | Downfall, GDS [CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, SRSO [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed 
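Review bot: The new `update Intel model list` step runs `./scripts/update_intel_models.sh` before `build and check`, and the banner of the generated `libs/003_intel_models.sh` elsewhere in this diff says that script fetches `intel-family.h` from the kernel's `refs/heads/master`; every CI run therefore depends on an unpinned upstream file, and the build will change or break whenever that header changes, with no record of which revision was used. If the intent is only to verify that the committed generated block is current, make that explicit and fail loudly on drift, e.g. `- run: git diff --exit-code -- libs/003_intel_models.sh` immediately after the update step; otherwise pin the fetch to a kernel tag. A transient network failure in this step also fails the whole build, which deserves an explicit `continue-on-error` decision one way or the other.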
@@ -51,6 +53,8 @@ CVE-2019-11091 (MDSUM, RIDL) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + k CVE-2019-11135 (TAA, ZombieLoad V2) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update CVE-2018-12207 (iTLB Multihit, No eXcuses) | ✅ | ✅ | ☠️ | ✅ | Hypervisor update (or disable hugepages) CVE-2020-0543 (SRBDS, CROSSTalk) | 💥 (2) | 💥 (2) | 💥 (2) | 💥 (2) | Microcode + kernel update +CVE-2022-29900 (Retbleed AMD) | 💥 | ✅ | 💥 | ✅ | Kernel update (+ microcode for IBPB) +CVE-2022-29901 (Retbleed Intel, RSBA) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update (eIBRS or IBRS) CVE-2022-40982 (Downfall, GDS) | 💥 | 💥 | 💥 | 💥 | Microcode update (or disable AVX) CVE-2023-20569 (Inception, SRSO) | 💥 | ✅ | 💥 | ✅ | Microcode + kernel update CVE-2023-20593 (Zenbleed) | 💥 | 💥 | 💥 | 💥 | Microcode update (or kernel workaround) 
@@ -129,6 +133,14 @@ A malicious guest VM can trigger a machine check exception (MCE) — crashing th Certain special CPU instructions (RDRAND, RDSEED, EGETKEY) read data through a shared staging buffer that is accessible across all cores via speculative execution. An attacker running code on any core can observe the output of these instructions from a victim on a different core, including extracting cryptographic keys from SGX enclaves (a complete ECDSA key was demonstrated). This is notable as one of the first cross-core speculative execution attacks. Mitigation requires a microcode update that serializes access to the staging buffer, plus a kernel update to manage the mitigation. Performance impact is low, mainly affecting workloads that heavily use RDRAND/RDSEED. +**CVE-2022-29900 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed AMD)** + +On AMD processors from families 0x15 through 0x17 (Bulldozer through Zen 2) and Hygon family 0x18, an attacker can exploit return instructions to redirect speculative execution and leak kernel memory, bypassing retpoline mitigations that were effective against Spectre V2. Unlike Spectre V2 which targets indirect jumps and calls, Retbleed specifically targets return instructions, which were previously considered safe. Mitigation requires a kernel update providing either the untrained return thunk (safe RET) or IBPB-on-entry mechanism, plus a microcode update providing IBPB support on Zen 1/2. On Zen 1/2, SMT should be disabled for full protection when using IBPB-based mitigation. Performance impact is medium. + +**CVE-2022-29901 — Arbitrary Speculative Code Execution with Return Instructions (Retbleed Intel, RSBA)** + +On Intel Skylake through Rocket Lake processors with RSB Alternate Behavior (RSBA), return instructions can be speculatively redirected via the Branch Target Buffer when the Return Stack Buffer underflows, bypassing retpoline mitigations. 
Mitigation requires either Enhanced IBRS (eIBRS, via microcode update) or a kernel compiled with IBRS-on-entry support (Linux 5.19+). Call depth tracking (stuffing) is an alternative mitigation available from Linux 6.2+. Plain retpoline does NOT mitigate this vulnerability on RSBA-capable CPUs. Performance impact is medium to high. + **CVE-2022-40982 — Gather Data Sampling (GDS, Downfall)** The AVX GATHER instructions can leak data from previously used vector registers across privilege boundaries through the shared gather data buffer. This affects any software using AVX2 or AVX-512 on vulnerable Intel processors. Mitigation is provided by a microcode update that clears the gather buffer, or alternatively by disabling the AVX feature entirely. Performance impact is negligible for most workloads but can be significant (up to 50%) for AVX-heavy applications such as HPC and AI inference. @@ -155,6 +167,13 @@ On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculative +## Unsupported CVEs + +Several transient execution CVEs are not covered by this tool, for various reasons (duplicates, only +affecting non-supported hardware or OS, theoretical with no known exploitation, etc.). +The complete list along with the reason for each exclusion is available in the +[UNSUPPORTED_CVE_LIST.md](https://github.com/speed47/spectre-meltdown-checker/blob/source/UNSUPPORTED_CVE_LIST.md) file. + ## Scope Supported operating systems: diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 863afe0..9a90aeb 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -13,7 +13,7 @@ # # Stephane Lesimple # -VERSION='26.21.0402701' +VERSION='26.23.0402897' # --- Common paths and basedirs --- readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities" 
@@ -46,8 +46,8 @@ exit_cleanup() { # if we were git clone'd, adjust VERSION if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then - g_describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null) - [ -n "$g_describe" ] && VERSION=$(echo "$g_describe" | sed -e s/^v//) + g_commit=$(git -C "$(dirname "$0")" describe --always --dirty --abbrev=7 --match=- 2>/dev/null) + [ -n "$g_commit" ] && VERSION="$VERSION-git$g_commit" fi # >>>>>> libs/002_core_globals.sh <<<<<< @@ -209,6 +209,8 @@ CVE-2018-12207|ITLBMH|itlbmh|No eXcuses, iTLB Multihit, machine check exception CVE-2020-0543|SRBDS|srbds|Special Register Buffer Data Sampling (SRBDS) CVE-2023-20593|ZENBLEED|zenbleed|Zenbleed, cross-process information leak CVE-2022-40982|DOWNFALL|downfall|Downfall, gather data sampling (GDS) +CVE-2022-29900|RETBLEED AMD|retbleed|Retbleed, arbitrary speculative code execution with return instructions (AMD) +CVE-2022-29901|RETBLEED INTEL|retbleed|Retbleed, arbitrary speculative code execution with return instructions (Intel) CVE-2023-20569|INCEPTION|inception|Inception, return address security (RAS) CVE-2023-23583|REPTAR|reptar|Reptar, redundant prefix issue CVE-2024-36350|TSA_SQ|tsa|Transient Scheduler Attack - Store Queue (TSA-SQ) 
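Review bot: The `--match=-` argument on the new `git describe` line is doing the real work (a pattern no tag matches, so `--always` falls back to the abbreviated commit instead of the nearest tag) but nothing says so, and a reader will take it for a typo and "fix" it back to tag-based versioning. Add `# --match=- matches no tag: --always then yields the abbreviated commit, not the nearest tag` above it. Note also that VERSION is now suffixed (`$VERSION-git$g_commit`) where it used to be replaced wholesale, so any consumer that parses VERSION as dotted numbers should be checked; none is visible in this hunk.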
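Review bot: Both new rows, CVE-2022-29900 and CVE-2022-29901, use the same third-column key `retbleed`, and the rest of this diff confirms there is a single flag behind it (`_set_vuln retbleed` on both the Intel and the AMD path, one `affected_retbleed` in the final debug print). If the per-CVE verdict is derived from that key, an affected Zen 2 will be reported vulnerable to the Intel CVE and a Skylake to the AMD one, which contradicts the README table this diff adds. Either give each row its own key (e.g. `retbleed_amd` / `retbleed_intel`) and set only the vendor-appropriate one in is_cpu_affected, or document in a comment here that the key is shared on purpose and the check function is expected to split the verdict by vendor.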
@@ -253,6 +255,114 @@ fi # still empty? fallback to builtin [ -z "$g_echo_cmd" ] && g_echo_cmd='echo' +# >>>>>> libs/003_intel_models.sh <<<<<< + +# vim: set ts=4 sw=4 sts=4 et: +# AUTO-GENERATED FILE — DO NOT EDIT MANUALLY. +# Generated by scripts/update_intel_models.sh from: +# https://raw.githubusercontent.com/torvalds/linux/refs/heads/master/arch/x86/include/asm/intel-family.h +# Run scripts/update_intel_models.sh to refresh when new Intel CPU families are added to the kernel. +# shellcheck disable=SC2034 +{ + readonly INTEL_FAM5_PENTIUM_75=$((0x02)) # /* P54C */ + readonly INTEL_FAM5_PENTIUM_MMX=$((0x04)) # /* P55C */ + readonly INTEL_FAM5_QUARK_X1000=$((0x09)) # /* Quark X1000 SoC */ + readonly INTEL_FAM6_PENTIUM_PRO=$((0x01)) + readonly INTEL_FAM6_PENTIUM_II_KLAMATH=$((0x03)) + readonly INTEL_FAM6_PENTIUM_III_DESCHUTES=$((0x05)) + readonly INTEL_FAM6_PENTIUM_III_TUALATIN=$((0x0B)) + readonly INTEL_FAM6_PENTIUM_M_DOTHAN=$((0x0D)) + readonly INTEL_FAM6_CORE_YONAH=$((0x0E)) + readonly INTEL_FAM6_CORE2_MEROM=$((0x0F)) + readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16)) + readonly INTEL_FAM6_CORE2_PENRYN=$((0x17)) + readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D)) + readonly INTEL_FAM6_NEHALEM=$((0x1E)) + readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */ + readonly INTEL_FAM6_NEHALEM_EP=$((0x1A)) + readonly INTEL_FAM6_NEHALEM_EX=$((0x2E)) + readonly INTEL_FAM6_WESTMERE=$((0x25)) + readonly INTEL_FAM6_WESTMERE_EP=$((0x2C)) + readonly INTEL_FAM6_WESTMERE_EX=$((0x2F)) + readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A)) + readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D)) + readonly INTEL_FAM6_IVYBRIDGE=$((0x3A)) + readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E)) + readonly INTEL_FAM6_HASWELL=$((0x3C)) + readonly INTEL_FAM6_HASWELL_X=$((0x3F)) + readonly INTEL_FAM6_HASWELL_L=$((0x45)) + readonly INTEL_FAM6_HASWELL_G=$((0x46)) + readonly INTEL_FAM6_BROADWELL=$((0x3D)) + readonly INTEL_FAM6_BROADWELL_G=$((0x47)) + readonly INTEL_FAM6_BROADWELL_X=$((0x4F)) + readonly 
INTEL_FAM6_BROADWELL_D=$((0x56)) + readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */ + readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* Sky Lake */ + readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */ + readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* Sky Lake */ + readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */ + readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */ + readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */ + readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */ + readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */ + readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */ + readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */ + readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */ + readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */ + readonly INTEL_FAM6_EMERALDRAPIDS_X=$((0xCF)) # /* Raptor Cove */ + readonly INTEL_FAM6_GRANITERAPIDS_X=$((0xAD)) # /* Redwood Cove */ + readonly INTEL_FAM6_GRANITERAPIDS_D=$((0xAE)) + readonly INTEL_FAM19_DIAMONDRAPIDS_X=$((0x01)) # /* Panther Cove */ + readonly INTEL_FAM6_BARTLETTLAKE=$((0xD7)) # /* Raptor Cove */ + readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */ + readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */ + readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */ + readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) # /* Raptor Cove / Enhanced Gracemont */ + readonly INTEL_FAM6_RAPTORLAKE_P=$((0xBA)) + readonly INTEL_FAM6_RAPTORLAKE_S=$((0xBF)) + readonly INTEL_FAM6_METEORLAKE=$((0xAC)) # /* Redwood Cove / Crestmont */ + readonly INTEL_FAM6_METEORLAKE_L=$((0xAA)) + readonly INTEL_FAM6_ARROWLAKE_H=$((0xC5)) # /* Lion Cove / Skymont */ + readonly 
INTEL_FAM6_ARROWLAKE=$((0xC6)) + readonly INTEL_FAM6_ARROWLAKE_U=$((0xB5)) + readonly INTEL_FAM6_LUNARLAKE_M=$((0xBD)) # /* Lion Cove / Skymont */ + readonly INTEL_FAM6_PANTHERLAKE_L=$((0xCC)) # /* Cougar Cove / Darkmont */ + readonly INTEL_FAM6_WILDCATLAKE_L=$((0xD5)) + readonly INTEL_FAM18_NOVALAKE=$((0x01)) # /* Coyote Cove / Arctic Wolf */ + readonly INTEL_FAM18_NOVALAKE_L=$((0x03)) # /* Coyote Cove / Arctic Wolf */ + readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */ + readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */ + readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */ + readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */ + readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */ + readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */ + readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */ + readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */ + readonly INTEL_FAM6_ATOM_SILVERMONT_MID2=$((0x5A)) # /* Anniedale */ + readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */ + readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */ + readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */ + readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) # /* Denverton */ + readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */ + readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */ + readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */ + readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */ + readonly INTEL_FAM6_ATOM_GRACEMONT=$((0xBE)) # /* Alderlake N */ + readonly INTEL_FAM6_ATOM_CRESTMONT_X=$((0xAF)) # /* Sierra Forest */ + readonly INTEL_FAM6_ATOM_CRESTMONT=$((0xB6)) # /* Grand Ridge */ + readonly INTEL_FAM6_ATOM_DARKMONT_X=$((0xDD)) # /* Clearwater Forest */ + readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */ + readonly 
INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */ + readonly INTEL_FAM15_P4_WILLAMETTE=$((0x01)) # /* Also Xeon Foster */ + readonly INTEL_FAM15_P4_PRESCOTT=$((0x03)) + readonly INTEL_FAM15_P4_PRESCOTT_2M=$((0x04)) + readonly INTEL_FAM15_P4_CEDARMILL=$((0x06)) # /* Also Xeon Dempsey */ +} + # >>>>>> libs/100_output_print.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: @@ -470,6 +580,8 @@ is_cpu_affected() { _set_immune inception # TSA is AMD specific (Zen 3/4), look for "is_amd" below: _set_immune tsa + # Retbleed: AMD (CVE-2022-29900) and Intel (CVE-2022-29901) specific: + _set_immune retbleed # Downfall & Reptar are Intel specific, look for "is_intel" below: _set_immune downfall _set_immune reptar @@ -492,6 +604,14 @@ is_cpu_affected() { pr_debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling" fi + # NO_SPECTRE_V2: Centaur family 7 and Zhaoxin family 7 are immune to Spectre V2 + # kernel commit 1e41a766c98b (v5.6-rc1): added NO_SPECTRE_V2 exemption + # Zhaoxin vendor_id is " Shanghai " in cpuinfo (parsed as "Shanghai" by awk) + if { [ "$cpu_vendor" = "CentaurHauls" ] || [ "$cpu_vendor" = "Shanghai" ]; } && [ "$cpu_family" = 7 ]; then + _infer_immune variant2 + pr_debug "is_cpu_affected: Centaur/Zhaoxin family 7 immune to Spectre V2 (NO_SPECTRE_V2)" + fi + if is_cpu_specex_free; then _set_immune variant1 _set_immune variant2 @@ -561,7 +681,7 @@ is_cpu_affected() { [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || - [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_NP" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || 
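Review bot: The generated `INTEL_FAM*` block tracks upstream names verbatim, and this diff shows the cost: `INTEL_FAM6_ATOM_AIRMONT_MID` became `INTEL_FAM6_ATOM_SILVERMONT_MID2` and two `is_cpu_affected` comparisons had to be hand-edited to follow. A comparison that is missed fails in two different ways: inside a `set -u` region the script aborts, and outside it `$INTEL_FAM6_OLD_NAME` expands to empty, so `[ "$cpu_model" = "" ]` is silently false and the model is reported as not affected. Since `scripts/update_intel_models.sh` now runs in CI, have it (or `make build`) fail when a `$INTEL_FAM` reference in the script has no definition in the generated block. The block also defines non-family-6 constants (`INTEL_FAM5_*`, `INTEL_FAM15_*`, `INTEL_FAM18_*`, `INTEL_FAM19_*`) whose values collide with family-6 ones (several are 0x01), which is only safe while every `cpu_model` comparison stays behind a `cpu_family` check — a one-line reminder in the banner, e.g. `# Model values are only unique within a family: always test $cpu_family before $cpu_model`, would help.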
@@ -588,9 +708,12 @@ is_cpu_affected() { pr_debug "is_cpu_affected: downfall: not affected (GDS_NO)" _set_immune downfall elif [ "$cpu_family" = 6 ]; then - # list from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64094e7e3118aff4b0be8ff713c242303e139834 + # model blacklist from the kernel (arch/x86/kernel/cpu/common.c cpu_vuln_blacklist): + # 8974eb588283 (initial list) + c9f4c45c8ec3 (added Skylake/Skylake_L client) set -u - if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] || + if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] || [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] || [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] || [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] || @@ -605,10 +728,12 @@ is_cpu_affected() { _set_vuln downfall elif [ "$cap_avx2" = 0 ] && [ "$cap_avx512" = 0 ]; then pr_debug "is_cpu_affected: downfall: no avx; immune" + _infer_immune downfall else - # old Intel CPU (not in their DB), not listed as being affected by the Linux kernel, - # but with AVX2 or AVX512: unclear for now - pr_debug "is_cpu_affected: downfall: unclear, defaulting to non-affected for now" + # Intel family 6 CPU with AVX2 or AVX512, not in the known-affected list + # and GDS_NO not set: assume affected (whitelist principle) + pr_debug "is_cpu_affected: downfall: unknown AVX-capable CPU, defaulting to affected" + _infer_vuln downfall fi set +u fi 
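Review bot: The new fallback `_infer_vuln downfall` for an unlisted AVX-capable family-6 CPU is the right fail-closed default, but it makes the GDS_NO check above it (partly outside this hunk) load-bearing: a CPU newer than the blacklist that relies on GDS_NO to be reported immune will now flip to affected whenever that bit cannot be read (offline mode, no MSR access, unprivileged run), not only when it is genuinely 0. If the variable feeding that check does not distinguish "unreadable" from 0, consider reporting UNK rather than an inferred VULN in that situation, and say so in the comment, e.g. `# and GDS_NO not set (or not readable): assume affected (whitelist principle)`.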
@@ -667,6 +792,27 @@ is_cpu_affected() { fi done + # Retbleed (Intel, CVE-2022-29901): Skylake through Rocket Lake, or any CPU with RSBA + # kernel cpu_vuln_blacklist for RETBLEED (6b80b59b3555, 6ad0ad2bf8a6, f54d45372c6a) + # plus ARCH_CAP_RSBA catch-all (bit 2 of IA32_ARCH_CAPABILITIES) + if [ "$cap_rsba" = 1 ]; then + _set_vuln retbleed + elif [ "$cpu_family" = 6 ]; then + if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_CANNONLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_LAKEFIELD" ] || + [ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then + _set_vuln retbleed + fi + fi + elif is_amd || is_hygon; then # AMD revised their statement about affected_variant2 => affected # https://www.amd.com/en/corporate/speculative-execution @@ -703,6 +849,11 @@ is_cpu_affected() { _set_vuln tsa fi + # Retbleed (AMD, CVE-2022-29900): families 0x15-0x17 (kernel X86_BUG_RETBLEED) + if [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ] || [ "$cpu_family" = $((0x17)) ]; then + _set_vuln retbleed + fi + elif [ "$cpu_vendor" = CAVIUM ]; then _set_immune variant3 _set_immune variant3a @@ -826,7 +977,7 @@ is_cpu_affected() { [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ] || - [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then 
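Review bot: The Intel Retbleed list matches on `cpu_model` only, while the kernel blacklist the comment cites qualifies several of these entries by stepping (the Skylake and Kaby Lake client entries are RETBLEED-flagged only for specific stepping ranges there), so older steppings of those models are reported affected here where the kernel says not affected. Over-reporting is the safe direction, but it is a deliberate divergence and should be stated, e.g. `# NOTE: model-only match; the kernel further restricts some entries by stepping ($cpu_stepping is available if finer matching is wanted)`. `cap_rsba` must also be populated before is_cpu_affected runs and be 0 rather than empty on CPUs where IA32_ARCH_CAPABILITIES cannot be read, otherwise the `[ "$cap_rsba" = 1 ]` test is simply skipped for them; its definition is outside this hunk, so I cannot confirm that.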
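Review bot: The AMD Retbleed check covers families 0x15–0x17 only, but this branch is entered for `is_amd || is_hygon` and the README hunk in this same diff states that Hygon family 0x18 is affected, so Hygon systems keep the `_set_immune retbleed` default and are reported not affected. Extend the condition, e.g. `|| { is_hygon && [ "$cpu_family" = $((0x18)) ]; }`, and name Hygon in the comment above it so the code and the README agree.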
@@ -845,12 +996,12 @@ is_cpu_affected() { _infer_immune itlbmh fi - # shellcheck disable=SC2154 # affected_zenbleed/inception/tsa/downfall/reptar set via eval (_set_immune) + # shellcheck disable=SC2154 # affected_zenbleed/inception/retbleed/tsa/downfall/reptar set via eval (_set_immune) { pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a" pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds" pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds" - pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar" + pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception retbleed=$affected_retbleed tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar" } affected_variantl1tf_sgx="$affected_variantl1tf" # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow @@ -892,6 +1043,13 @@ is_cpu_specex_free() { return 0 fi fi + # Centaur family 5 and NSC family 5 are also non-speculative + if [ "$cpu_vendor" = "CentaurHauls" ] && [ "$cpu_family" = 5 ]; then + return 0 + fi + if [ "$cpu_vendor" = "Geode by NSC" ] && [ "$cpu_family" = 5 ]; then + return 0 + fi [ "$cpu_family" = 4 ] && return 0 return 1 } 
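Review bot: The new Centaur and NSC family-5 exemptions in is_cpu_specex_free do not match the NO_SPECULATION summary this diff adds to check_CVE_2017_5715_linux, which also lists Vortex family 5; either add that vendor here or trim the comment so the two stay consistent. Also `"Geode by NSC"` is a multi-word vendor_id, and the Centaur/Zhaoxin hunk earlier in this diff notes that `cpu_vendor` is whatever awk parses out of cpuinfo — if that parsing keeps a single field, this comparison can never be true. Check parse_cpu_details (outside this diff) and compare against the form it actually produces.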
@@ -1708,18 +1866,28 @@ pvulnstatus() { shift 2 pr_info_nol "> \033[46m\033[30mSTATUS:\033[0m " : "${g_final_summary:=}" + : "${g_final_summary_count:=0}" + g_final_summary_count=$((g_final_summary_count + 1)) + # wrap to a new line every 4 entries for readability + if [ "$g_final_summary_count" -gt 1 ] && [ $((g_final_summary_count % 4)) -eq 1 ]; then + g_final_summary="$g_final_summary\n " + fi + # pad entry to fixed width so columns align despite varying CVE ID lengths case "$vulnstatus" in UNK) pstatus yellow 'UNKNOWN' "$@" - g_final_summary="$g_final_summary \033[43m\033[30m$g_pvulnstatus_last_cve:??\033[0m" + _summary_label=$(printf "%-17s" "$g_pvulnstatus_last_cve:??") + g_final_summary="$g_final_summary \033[43m\033[30m$_summary_label\033[0m" ;; VULN) pstatus red 'VULNERABLE' "$@" - g_final_summary="$g_final_summary \033[41m\033[30m$g_pvulnstatus_last_cve:KO\033[0m" + _summary_label=$(printf "%-17s" "$g_pvulnstatus_last_cve:KO") + g_final_summary="$g_final_summary \033[41m\033[30m$_summary_label\033[0m" ;; OK) pstatus green 'NOT VULNERABLE' "$@" - g_final_summary="$g_final_summary \033[42m\033[30m$g_pvulnstatus_last_cve:OK\033[0m" + _summary_label=$(printf "%-17s" "$g_pvulnstatus_last_cve:OK") + g_final_summary="$g_final_summary \033[42m\033[30m$_summary_label\033[0m" ;; *) echo "$0: error: unknown status '$vulnstatus' passed to pvulnstatus()" >&2 
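Review bot: `_summary_label` is assigned in all three branches of the case but never declared `local`, while the rest of the file declares function-scope temporaries with `local`, so it leaks into the script's global namespace; add `local _summary_label` to pvulnstatus's declarations (outside this hunk). The width 17 is also unexplained: it is the length of `CVE-YYYY-NNNNN:KO` with a five-digit number, so four-digit CVEs pad and a six-digit one will break the alignment again; name it, e.g. `_summary_width=17  # len("CVE-2022-29901:KO")`, and use it in the three printf calls. Those three identical `printf "%-17s"` lines could then collapse into one after the case if the case only chose the suffix and colour.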
@@ -2586,76 +2754,6 @@ parse_cpu_details() { g_ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x pfid 0x%x" \ "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid" "$cpu_platformid") - # also define those that we will need in other funcs - # taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h - # curl -s 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/include/asm/intel-family.h' | awk '/#define INTEL_FAM6/ {print $2"=$(( "$3" )) # "$4,$5,$6,$7,$8,$9}' | sed -Ee 's/ +$//' - # shellcheck disable=SC2034 - { - readonly INTEL_FAM6_CORE_YONAH=$((0x0E)) # - readonly INTEL_FAM6_CORE2_MEROM=$((0x0F)) # - readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16)) # - readonly INTEL_FAM6_CORE2_PENRYN=$((0x17)) # - readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D)) # - readonly INTEL_FAM6_NEHALEM=$((0x1E)) # - readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */ - readonly INTEL_FAM6_NEHALEM_EP=$((0x1A)) # - readonly INTEL_FAM6_NEHALEM_EX=$((0x2E)) # - readonly INTEL_FAM6_WESTMERE=$((0x25)) # - readonly INTEL_FAM6_WESTMERE_EP=$((0x2C)) # - readonly INTEL_FAM6_WESTMERE_EX=$((0x2F)) # - readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A)) # - readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D)) # - readonly INTEL_FAM6_IVYBRIDGE=$((0x3A)) # - readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E)) # - readonly INTEL_FAM6_HASWELL=$((0x3C)) # - readonly INTEL_FAM6_HASWELL_X=$((0x3F)) # - readonly INTEL_FAM6_HASWELL_L=$((0x45)) # - readonly INTEL_FAM6_HASWELL_G=$((0x46)) # - readonly INTEL_FAM6_BROADWELL=$((0x3D)) # - readonly INTEL_FAM6_BROADWELL_G=$((0x47)) # - readonly INTEL_FAM6_BROADWELL_X=$((0x4F)) # - readonly INTEL_FAM6_BROADWELL_D=$((0x56)) # - readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */ - readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* Sky Lake */ - readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */ - readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* 
Sky Lake */ - readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */ - readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */ - readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */ - readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */ - readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */ - readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */ - readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */ - readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */ - readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */ - readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */ - readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */ - readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */ - readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) # - readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */ - readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */ - readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */ - readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */ - readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */ - readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */ - readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */ - readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */ - readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */ - readonly INTEL_FAM6_ATOM_AIRMONT_MID=$((0x5A)) # /* Moorefield */ - readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */ - readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */ - readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) 
# /* Denverton */ - readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */ - readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */ - readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */ - readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */ - readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */ - readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */ - } g_parse_cpu_details_done=1 } # Check whether the CPU vendor is Hygon @@ -4562,16 +4660,14 @@ check_mds_linux() { # >>>>>> vulns/CVE-2017-5715.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# SPECTRE 2 SECTION +############################### +# CVE-2017-5715, Spectre V2, Branch Target Injection -# CVE-2017-5715 Spectre Variant 2 (branch target injection) - entry point # Sets: vulnstatus check_CVE_2017_5715() { check_cve 'CVE-2017-5715' } -# CVE-2017-5715 Spectre Variant 2 (branch target injection) - Linux mitigation check # Sets: g_ibrs_can_tell, g_ibrs_supported, g_ibrs_enabled, g_ibrs_fw_enabled, # g_ibpb_can_tell, g_ibpb_supported, g_ibpb_enabled, g_specex_knob_dir check_CVE_2017_5715_linux() { 
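Review bot: This hunk drops the per-function role comments (`- entry point`, `- Linux mitigation check`) and keeps only the section banner, so `check_CVE_2017_5715`, `_linux` and `_bsd` are now distinguished by name alone; the same removal is made in the later hunks for the CVE-2017-5715 BSD check, CVE-2017-5753, CVE-2017-5754 and CVE-2018-12126. The names are reasonably self-describing, but the dispatch (that the bare function only delegates to `check_cve`, which presumably picks the `_linux` or `_bsd` variant) was the useful part; a single line under each section banner such as `# check_<CVE>() is the entry point; check_cve dispatches to the _linux / _bsd variant` would keep that without the per-function boilerplate.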
@@ -4771,6 +4867,43 @@ check_CVE_2017_5715_linux() { # rocky9 (RHEL 9, kernel 5.14): matches mainline. Semicolons, BHI, all fields. # rocky10 (RHEL 10, kernel 6.12): matches mainline. # + # + # --- Kconfig symbols --- + # 76b043848fd2 (v4.15-rc8): CONFIG_RETPOLINE + # f43b9876e857 (v5.19-rc7): CONFIG_CPU_IBRS_ENTRY (kernel IBRS on entry) + # aefb2f2e619b (v6.9-rc1): renamed CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE + # 1da8d2172ce5 (v6.9-rc1): renamed CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY + # ec9404e40e8f (v6.9-rc4): CONFIG_SPECTRE_BHI_ON / CONFIG_SPECTRE_BHI_OFF + # 4f511739c54b (v6.9-rc4): replaced by CONFIG_MITIGATION_SPECTRE_BHI + # 72c70f480a70 (v6.12-rc1): CONFIG_MITIGATION_SPECTRE_V2 (top-level on/off) + # 8754e67ad4ac (v6.15-rc7): CONFIG_MITIGATION_ITS (indirect target selection) + # stable 5.4.y-6.6.y: CONFIG_RETPOLINE (pre-rename) + # stable 6.12.y: CONFIG_MITIGATION_RETPOLINE, CONFIG_MITIGATION_SPECTRE_V2 + # + # --- kernel functions (for $opt_map / System.map) --- + # da285121560e (v4.15-rc8): spectre_v2_select_mitigation(), + # spectre_v2_parse_cmdline(), nospectre_v2_parse_cmdline() + # 20ffa1caecca (v4.16-rc1): spectre_v2_module_string(), retpoline_module_ok() + # a8f76ae41cd6 (v4.20-rc5): spectre_v2_user_select_mitigation(), + # spectre_v2_user_parse_cmdline() + # 7c693f54c873 (v5.19-rc7): spectre_v2_in_ibrs_mode(), spectre_v2_in_eibrs_mode() + # 44a3918c8245 (v5.17-rc8): spectre_v2_show_state() + # 480e803dacf8 (v6.16-rc1): split into spectre_v2_select_mitigation() + + # spectre_v2_apply_mitigation() + spectre_v2_update_mitigation() + + # spectre_v2_user_apply_mitigation() + spectre_v2_user_update_mitigation() + # + # --- CPU affection logic (for is_cpu_affected) --- + # X86_BUG_SPECTRE_V2 is set for ALL x86 CPUs except: + # - CPUs matching NO_SPECULATION: family 4 (all vendors), Centaur/Intel/NSC/Vortex + # family 5, Intel Atom Bonnell/Saltwell + # - CPUs matching NO_SPECTRE_V2: Centaur family 7, Zhaoxin family 7 + # 
99c6fa2511d8 (v4.15-rc8): unconditional for all x86 CPUs + # 1e41a766c98b (v5.6-rc1): added NO_SPECTRE_V2 exemption for Centaur/Zhaoxin + # 98c7a713db91 (v6.15-rc1): added X86_BUG_SPECTRE_V2_USER as separate bit + # No MSR/CPUID immunity bits — purely whitelist-based. + # vendor scope: all x86 vendors affected (Intel, AMD, Hygon, etc.) + # except Centaur family 7 and Zhaoxin family 7. + # # all messages start with either "Not affected", "Mitigation", or "Vulnerable" fi if [ "$opt_sysfs_only" != 1 ]; then @@ -4895,6 +5028,19 @@ check_CVE_2017_5715_linux() { if grep -q spec_ctrl "$opt_map"; then g_ibrs_supported="found spec_ctrl in symbols file" pr_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map" + elif grep -q -e spectre_v2_select_mitigation -e spectre_v2_apply_mitigation "$opt_map"; then + # spectre_v2_select_mitigation exists since v4.15; split into + # spectre_v2_select_mitigation + spectre_v2_apply_mitigation in v6.16 + g_ibrs_supported="found spectre_v2 mitigation function in symbols file" + pr_debug "ibrs: found spectre_v2_*_mitigation symbol in $opt_map" + fi + fi + # CONFIG_CPU_IBRS_ENTRY (v5.19) / CONFIG_MITIGATION_IBRS_ENTRY (v6.9): kernel IBRS on entry + if [ -z "$g_ibrs_supported" ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then + g_ibrs_can_tell=1 + if grep -q '^CONFIG_\(CPU_\|MITIGATION_\)IBRS_ENTRY=y' "$opt_config"; then + g_ibrs_supported="CONFIG_CPU_IBRS_ENTRY/CONFIG_MITIGATION_IBRS_ENTRY found in kernel config" + pr_debug "ibrs: found IBRS entry config option in $opt_config" fi fi # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat @@ -5142,7 +5288,7 @@ check_CVE_2017_5715_linux() { rsb_filling=0 if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then # if we're live and we aren't denied looking into /sys, let's do it - if echo "$msg" | grep -qw RSB; then + if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then rsb_filling=1 pstatus green YES fi 
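Review bot: Treating a `spectre_v2_select_mitigation`/`spectre_v2_apply_mitigation` symbol as proof of IBRS support over-reports: that function has existed since v4.15 for retpoline selection, and the comment a few lines below this hunk says exactly that recent (4.15) vanilla kernels have IBPB but not IBRS, so a System.map from such a kernel now yields `g_ibrs_supported` set. Either drop that `elif`, or record it in a separate "spectre_v2 framework present" variable and keep IBRS support tied to `spec_ctrl` and the IBRS_ENTRY config. Separately, `'^CONFIG_\(CPU_\|MITIGATION_\)IBRS_ENTRY=y'` relies on `\|`, a GNU extension to basic regexps that busybox and BSD grep do not guarantee; use the same form as the map grep above it: `grep -q -e '^CONFIG_CPU_IBRS_ENTRY=y' -e '^CONFIG_MITIGATION_IBRS_ENTRY=y' "$opt_config"`.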
@@ -5242,6 +5388,11 @@ check_CVE_2017_5715_linux() { *) pstatus yellow UNKNOWN ;; esac + # --- SMT state (used in STIBP inference and verdict) --- + is_cpu_smt_enabled + smt_enabled=$? + # smt_enabled: 0=enabled, 1=disabled, 2=unknown + # --- v2_stibp_status --- pr_info_nol " * STIBP status: " if [ -n "$ret_sys_interface_check_fullmsg" ]; then @@ -5384,11 +5535,6 @@ check_CVE_2017_5715_linux() { fi fi - # --- SMT state (used in verdict) --- - is_cpu_smt_enabled - smt_enabled=$? - # smt_enabled: 0=enabled, 1=disabled, 2=unknown - elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! msg="/sys vulnerability interface use forced, but it's not available!" @@ -5403,6 +5549,8 @@ check_CVE_2017_5715_linux() { # --- own logic using Phase 2 variables --- # Helper: collect caveats for the verdict message _v2_caveats='' + # Append a caveat string to the _v2_caveats list + # Callers: check_CVE_2017_5715_linux (eIBRS, IBRS, retpoline verdict paths) _v2_add_caveat() { _v2_caveats="${_v2_caveats:+$_v2_caveats; }$1"; } # ARM branch predictor hardening (unchanged) 
@@ -5670,6 +5818,9 @@ check_CVE_2017_5715_linux() { pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability" elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS" + # CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations + elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then + pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)" elif [ "$g_ibrs_can_tell" != 1 ]; then pvulnstatus "$cve" UNK "offline mode: not enough information" explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect." @@ -5700,7 +5851,6 @@ check_CVE_2017_5715_linux() { fi } -# CVE-2017-5715 Spectre Variant 2 (branch target injection) - BSD mitigation check # Sets: vulnstatus check_CVE_2017_5715_bsd() { local ibrs_disabled ibrs_active retpoline nb_thunks @@ -5762,16 +5912,14 @@ check_CVE_2017_5715_bsd() { # >>>>>> vulns/CVE-2017-5753.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# SPECTRE 1 SECTION +############################### +# CVE-2017-5753, Spectre V1, Bounds Check Bypass -# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - entry point # Sets: (none directly, delegates to check_cve) check_CVE_2017_5753() { check_cve 'CVE-2017-5753' } -# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - Linux mitigation check # Sets: g_redhat_canonical_spectre (via check_redhat_canonical_spectre) check_CVE_2017_5753_linux() { local status sys_interface_available msg v1_kernel_mitigated v1_kernel_mitigated_err v1_mask_nospec ret explain_text 
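Review bot: The new offline-mode branch reports OK solely because `CONFIG_MITIGATION_SPECTRE_V2=y` is present, but per its own comment that symbol is only the top-level on/off switch for the mitigation code; it does not say which mitigation (retpoline, IBRS, eIBRS) the kernel will select nor whether the CPU supports it, and in offline mode the CPU capabilities are not known. Because the `elif` is placed before the `g_ibrs_can_tell` test, any v6.12+ config now suppresses the "not enough information" UNK verdict and its explain text that asks for the kernel image and System.map. Either report it as `pvulnstatus "$cve" UNK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2), but the selected mitigation cannot be determined"` or move the branch after the `g_ibrs_can_tell` test so it only acts as a last-resort hint. The enclosing function continues outside the hunk.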
@@ -6042,7 +6190,6 @@ check_CVE_2017_5753_linux() { fi } -# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - BSD mitigation check check_CVE_2017_5753_bsd() { if ! is_cpu_affected "$cve"; then pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" @@ -6054,8 +6201,8 @@ check_CVE_2017_5753_bsd() { # >>>>>> vulns/CVE-2017-5754.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################## -# MELTDOWN SECTION +############################### +# CVE-2017-5754, Meltdown, Rogue Data Cache Load # no security impact but give a hint to the user in verbose mode # about PCID/INVPCID cpuid features that must be present to avoid @@ -6095,12 +6242,10 @@ pti_performance_check() { fi } -# CVE-2017-5754 Meltdown (rogue data cache load) - entry point check_CVE_2017_5754() { check_cve 'CVE-2017-5754' } -# CVE-2017-5754 Meltdown (rogue data cache load) - Linux mitigation check check_CVE_2017_5754_linux() { local status sys_interface_available msg kpti_support kpti_can_tell kpti_enabled dmesg_grep pti_xen_pv_domU xen_pv_domo xen_pv_domu explain_text status=UNK @@ -6303,7 +6448,6 @@ check_CVE_2017_5754_linux() { fi } -# CVE-2017-5754 Meltdown (rogue data cache load) - BSD mitigation check check_CVE_2017_5754_bsd() { local kpti_enabled pr_info_nol "* Kernel supports Page Table Isolation (PTI): " @@ -6338,10 +6482,9 @@ check_CVE_2017_5754_bsd() { # >>>>>> vulns/CVE-2018-12126.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# MSBDS SECTION +############################### +# CVE-2018-12126, MSBDS, Fallout, Microarchitectural Store Buffer Data Sampling -# CVE-2018-12126 MSBDS (microarchitectural store buffer data sampling) - entry point check_CVE_2018_12126() { check_cve 'CVE-2018-12126' check_mds } 
@@ -6349,10 +6492,9 @@ check_CVE_2018_12126() { # >>>>>> vulns/CVE-2018-12127.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# MLPDS SECTION +############################### +# CVE-2018-12127, MLPDS, RIDL, Microarchitectural Load Port Data Sampling -# CVE-2018-12127 MLPDS (microarchitectural load port data sampling) - entry point check_CVE_2018_12127() { check_cve 'CVE-2018-12127' check_mds } @@ -6360,10 +6502,9 @@ check_CVE_2018_12127() { # >>>>>> vulns/CVE-2018-12130.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# MFBDS SECTION +############################### +# CVE-2018-12130, MFBDS, ZombieLoad, Microarchitectural Fill Buffer Data Sampling -# CVE-2018-12130 MFBDS (microarchitectural fill buffer data sampling) - entry point check_CVE_2018_12130() { check_cve 'CVE-2018-12130' check_mds } @@ -6371,15 +6512,13 @@ check_CVE_2018_12130() { # >>>>>> vulns/CVE-2018-12207.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -####################### -# iTLB Multihit section +############################### +# CVE-2018-12207, iTLB Multihit, No eXcuses, Machine Check Exception on Page Size Changes -# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - entry point check_CVE_2018_12207() { check_cve 'CVE-2018-12207' } -# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - Linux mitigation check check_CVE_2018_12207_linux() { local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err status=UNK @@ -6457,7 +6596,6 @@ check_CVE_2018_12207_linux() { fi } -# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - BSD mitigation check check_CVE_2018_12207_bsd() { local kernel_2m_x_ept pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: " 
@@ -6491,10 +6629,9 @@ check_CVE_2018_12207_bsd() { # >>>>>> vulns/CVE-2018-3615.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -########################### -# L1TF / FORESHADOW SECTION +############################### +# CVE-2018-3615, Foreshadow (SGX), L1 Terminal Fault -# CVE-2018-3615 Foreshadow (L1 terminal fault SGX) - entry point check_CVE_2018_3615() { local cve cve='CVE-2018-3615' @@ -6530,12 +6667,13 @@ check_CVE_2018_3615() { # >>>>>> vulns/CVE-2018-3620.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - entry point +############################### +# CVE-2018-3620, Foreshadow-NG (OS/SMM), L1 Terminal Fault + check_CVE_2018_3620() { check_cve 'CVE-2018-3620' } -# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - Linux mitigation check check_CVE_2018_3620_linux() { local status sys_interface_available msg pteinv_supported pteinv_active status=UNK @@ -6614,7 +6752,6 @@ check_CVE_2018_3620_linux() { fi } -# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - BSD mitigation check check_CVE_2018_3620_bsd() { local bsd_zero_reserved pr_info_nol "* Kernel reserved the memory page at physical address 0x0: " @@ -6650,15 +6787,13 @@ check_CVE_2018_3620_bsd() { # >>>>>> vulns/CVE-2018-3639.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# VARIANT 4 SECTION +############################### +# CVE-2018-3639, Variant 4, SSB, Speculative Store Bypass -# CVE-2018-3639 Variant 4 (speculative store bypass) - entry point check_CVE_2018_3639() { check_cve 'CVE-2018-3639' } -# CVE-2018-3639 Variant 4 (speculative store bypass) - Linux mitigation check check_CVE_2018_3639_linux() { local status sys_interface_available msg kernel_ssb kernel_ssbd_enabled mitigated_processes status=UNK 
@@ -6786,7 +6921,6 @@ check_CVE_2018_3639_linux() { fi } -# CVE-2018-3639 Variant 4 (speculative store bypass) - BSD mitigation check check_CVE_2018_3639_bsd() { local kernel_ssb ssb_enabled ssb_active pr_info_nol "* Kernel supports speculation store bypass: " @@ -6841,10 +6975,9 @@ check_CVE_2018_3639_bsd() { # >>>>>> vulns/CVE-2018-3640.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -#################### -# VARIANT 3A SECTION +############################### +# CVE-2018-3640, Variant 3a, Rogue System Register Read -# CVE-2018-3640 Variant 3a (rogue system register read) - entry point check_CVE_2018_3640() { local status sys_interface_available msg cve cve='CVE-2018-3640' @@ -6877,12 +7010,13 @@ check_CVE_2018_3640() { # >>>>>> vulns/CVE-2018-3646.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - entry point +############################### +# CVE-2018-3646, Foreshadow-NG (VMM), L1 Terminal Fault + check_CVE_2018_3646() { check_cve 'CVE-2018-3646' } -# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - Linux mitigation check check_CVE_2018_3646_linux() { local status sys_interface_available msg l1d_mode ept_disabled l1d_kernel l1d_kernel_err l1d_xen_hardware l1d_xen_hypervisor l1d_xen_pv_domU smt_enabled status=UNK @@ -7112,7 +7246,6 @@ check_CVE_2018_3646_linux() { fi } -# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - BSD mitigation check check_CVE_2018_3646_bsd() { local kernel_l1d_supported kernel_l1d_enabled pr_info_nol "* Kernel supports L1D flushing: " @@ -7149,10 +7282,9 @@ check_CVE_2018_3646_bsd() { # >>>>>> vulns/CVE-2019-11091.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# MDSUM SECTION +############################### +# CVE-2019-11091, MDSUM, RIDL, Microarchitectural Data Sampling Uncacheable Memory -# CVE-2019-11091 MDSUM (microarchitectural data sampling uncacheable memory) - entry point check_CVE_2019_11091() { check_cve 'CVE-2019-11091' check_mds } 
@@ -7160,15 +7292,13 @@ check_CVE_2019_11091() { # >>>>>> vulns/CVE-2019-11135.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# TAA SECTION +############################### +# CVE-2019-11135, TAA, ZombieLoad V2, TSX Asynchronous Abort -# CVE-2019-11135 TAA (TSX asynchronous abort) - entry point check_CVE_2019_11135() { check_cve 'CVE-2019-11135' } -# CVE-2019-11135 TAA (TSX asynchronous abort) - Linux mitigation check check_CVE_2019_11135_linux() { local status sys_interface_available msg kernel_taa kernel_taa_err status=UNK @@ -7246,7 +7376,6 @@ check_CVE_2019_11135_linux() { fi } -# CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check check_CVE_2019_11135_bsd() { local taa_enable taa_state mds_disable kernel_taa kernel_mds pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): " @@ -7306,15 +7435,13 @@ check_CVE_2019_11135_bsd() { # >>>>>> vulns/CVE-2020-0543.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# SRBDS SECTION +############################### +# CVE-2020-0543, SRBDS, CROSSTalk, Special Register Buffer Data Sampling -# CVE-2020-0543 SRBDS (special register buffer data sampling) - entry point check_CVE_2020_0543() { check_cve 'CVE-2020-0543' } -# CVE-2020-0543 SRBDS (special register buffer data sampling) - Linux mitigation check check_CVE_2020_0543_linux() { local status sys_interface_available msg kernel_srbds kernel_srbds_err status=UNK @@ -7411,7 +7538,6 @@ check_CVE_2020_0543_linux() { fi } -# CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check # FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS check_CVE_2020_0543_bsd() { local rngds_enable rngds_state kernel_rngds 
@@ -7454,78 +7580,201 @@ check_CVE_2020_0543_bsd() { fi } -# >>>>>> vulns/CVE-2022-40982.sh <<<<<< +# >>>>>> vulns/CVE-2022-29900.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -######################### -# Downfall section +############################### +# CVE-2022-29900, Retbleed (AMD), Arbitrary Speculative Code Execution with Return Instructions -# CVE-2022-40982 Downfall (gather data sampling) - entry point -check_CVE_2022_40982() { - check_cve 'CVE-2022-40982' +check_CVE_2022_29900() { + check_cve 'CVE-2022-29900' } -# CVE-2022-40982 Downfall (gather data sampling) - Linux mitigation check -check_CVE_2022_40982_linux() { - local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret +check_CVE_2022_29900_linux() { + local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_unret kernel_ibpb_entry smt_enabled status=UNK sys_interface_available=0 msg='' - if sys_interface_check "$VULN_SYSFS_BASE/gather_data_sampling"; then + # + # Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901) + # + # --- sysfs messages --- + # all versions: + # "Not affected" (cpu_show_common, pre-existing) + # + # --- mainline --- + # 6b80b59b3555 (v5.19-rc7, initial retbleed sysfs): + # "Vulnerable\n" (hardcoded, no enum yet) + # 7fbf47c7ce50 (v5.19-rc7, retbleed= boot parameter): + # "Vulnerable" (RETBLEED_MITIGATION_NONE) + # "Mitigation: untrained return thunk" (RETBLEED_MITIGATION_UNRET) + # "Vulnerable: untrained return thunk on non-Zen uarch" (UNRET on non-AMD/Hygon) + # 6ad0ad2bf8a6 (v5.19-rc7, Intel mitigations): + # "Mitigation: IBRS" (RETBLEED_MITIGATION_IBRS) + # "Mitigation: Enhanced IBRS" (RETBLEED_MITIGATION_EIBRS) + # 3ebc17006888 (v5.19-rc7, retbleed=ibpb): + # "Mitigation: IBPB" (RETBLEED_MITIGATION_IBPB) + # e8ec1b6e08a2 (v5.19-rc7, STIBP for JMP2RET): + # UNRET now appends SMT status: + # "Mitigation: untrained return thunk; SMT disabled" + # "Mitigation: untrained return thunk; SMT 
enabled with STIBP protection" + # "Mitigation: untrained return thunk; SMT vulnerable" + # e6cfcdda8cbe (v6.0-rc1, STIBP for IBPB): + # IBPB now appends SMT status, non-AMD message changed: + # "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch" + # "Mitigation: IBPB; SMT disabled" + # "Mitigation: IBPB; SMT enabled with STIBP protection" + # "Mitigation: IBPB; SMT vulnerable" + # d82a0345cf21 (v6.2-rc1, call depth tracking): + # "Mitigation: Stuffing" (RETBLEED_MITIGATION_STUFF) + # e3b78a7ad5ea (v6.16-rc1, restructure): + # added RETBLEED_MITIGATION_AUTO (internal, resolved before display) + # no new sysfs strings + # + # all messages start with either "Not affected", "Vulnerable", or "Mitigation" + # + # --- stable backports --- + # 4.14.y, 4.19.y, 5.4.y: Intel-only mitigations (IBRS, eIBRS); no UNRET, IBPB, STUFF; + # no SMT status display; simplified retbleed_show_state(). + # 5.10.y, 5.15.y, 6.1.y: full mitigations (NONE, UNRET, IBPB, IBRS, EIBRS); + # SMT status appended for UNRET/IBPB; no STUFF. + # 6.6.y, 6.12.y: adds STUFF (call depth tracking). 6.12.y uses INTEL_ model prefix. + # all stable: single retbleed_select_mitigation() (no update/apply split). + # + # --- RHEL/CentOS --- + # centos7 (~4.18): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF; SMT status for UNRET; + # no Hygon check; no UNRET_ENTRY/IBPB_ENTRY/IBRS_ENTRY Kconfig symbols; + # unique cpu_in_retbleed_whitelist() function for Intel. + # rocky8 (~4.18/5.14): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF; + # CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY, CONFIG_CPU_IBRS_ENTRY (old names). + # rocky9 (~6.x): same as mainline; CONFIG_MITIGATION_* names; has STUFF. + # rocky10 (~6.12+): same as mainline; has select/update/apply split. 
+ # + # --- Kconfig symbols --- + # f43b9876e857 (v5.19-rc7): CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY, + # CONFIG_CPU_IBRS_ENTRY + # 80e4c1cd42ff (v6.2-rc1): CONFIG_CALL_DEPTH_TRACKING + # ac61d43983a4 (v6.9-rc1): renamed to CONFIG_MITIGATION_UNRET_ENTRY, + # CONFIG_MITIGATION_IBPB_ENTRY, CONFIG_MITIGATION_IBRS_ENTRY, + # CONFIG_MITIGATION_CALL_DEPTH_TRACKING + # 894e28857c11 (v6.12-rc1): CONFIG_MITIGATION_RETBLEED (master switch) + # + # --- kernel functions (for $opt_map / System.map) --- + # 7fbf47c7ce50 (v5.19-rc7): retbleed_select_mitigation() + # e3b78a7ad5ea (v6.16-rc1): split into retbleed_select_mitigation() + + # retbleed_update_mitigation() + retbleed_apply_mitigation() + # vendor kernels: centos7/rocky8/rocky9 have retbleed_select_mitigation() only; + # rocky10 has the full split. + # + # --- CPU affection logic (for is_cpu_affected) --- + # X86_BUG_RETBLEED is set when X86_FEATURE_BTC_NO is NOT set AND either: + # (a) CPU matches cpu_vuln_blacklist[] RETBLEED entries, OR + # (b) ARCH_CAP_RSBA is set in IA32_ARCH_CAPABILITIES MSR + # 6b80b59b3555 (v5.19-rc7, initial AMD): + # AMD: family 0x15, 0x16, 0x17; Hygon: family 0x18 + # 6ad0ad2bf8a6 (v5.19-rc7, Intel): + # Intel: SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE, + # ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE + # + any Intel with ARCH_CAP_RSBA set + # 26aae8ccbc19 (v5.19-rc7, BTC_NO): + # AMD Zen 3+ with BTC_NO are excluded + # f54d45372c6a (post-v5.19, Cannon Lake): + # Intel: + CANNONLAKE_L + # immunity: X86_FEATURE_BTC_NO (AMD) — Zen 3+ declare not affected + # vendor scope: AMD (0x15-0x17), Hygon (0x18), Intel (Skylake through Rocket Lake + RSBA) + # + + if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then # this kernel has the /sys interface, trust it over everything sys_interface_available=1 status=$ret_sys_interface_check_status fi if [ "$opt_sysfs_only" != 1 ]; then - pr_info_nol "* GDS is mitigated by microcode: " - if [ "$cap_gds_ctrl" = 1 ] && [ 
"$cap_gds_mitg_dis" = 0 ]; then - pstatus green OK "microcode mitigation is supported and enabled" - else - pstatus yellow NO - fi - pr_info_nol "* Kernel supports software mitigation by disabling AVX: " + pr_info_nol "* Kernel supports mitigation: " if [ -n "$g_kernel_err" ]; then - kernel_gds_err="$g_kernel_err" - elif grep -q 'gather_data_sampling' "$g_kernel"; then - kernel_gds="found gather_data_sampling in kernel image" + kernel_retbleed_err="$g_kernel_err" + elif grep -q 'retbleed' "$g_kernel"; then + kernel_retbleed="found retbleed mitigation logic in kernel image" fi - if [ -n "$kernel_gds" ]; then - pstatus green YES "$kernel_gds" - elif [ -n "$kernel_gds_err" ]; then - pstatus yellow UNKNOWN "$kernel_gds_err" + if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then + if grep -q 'retbleed_select_mitigation' "$opt_map"; then + kernel_retbleed="found retbleed_select_mitigation in System.map" + fi + fi + if [ -n "$kernel_retbleed" ]; then + pstatus green YES "$kernel_retbleed" + elif [ -n "$kernel_retbleed_err" ]; then + pstatus yellow UNKNOWN "$kernel_retbleed_err" else pstatus yellow NO fi - if [ -n "$kernel_gds" ]; then - pr_info_nol "* Kernel has disabled AVX as a mitigation: " + pr_info_nol "* Kernel compiled with UNRET_ENTRY support (untrained return thunk): " + if [ -r "$opt_config" ]; then + # CONFIG_CPU_UNRET_ENTRY: Linux < 6.9 + # CONFIG_MITIGATION_UNRET_ENTRY: Linux >= 6.9 + if grep -Eq '^CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y' "$opt_config"; then + pstatus green YES + kernel_unret="CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y found in kernel config" + else + pstatus yellow NO + fi + else + if [ -n "$g_kernel_err" ]; then + pstatus yellow UNKNOWN "$g_kernel_err" + elif [ -n "$kernel_retbleed" ]; then + # if the kernel has retbleed logic, assume UNRET_ENTRY is likely compiled in + # (we can't tell for certain without the config) + kernel_unret="retbleed mitigation logic present in kernel (UNRET_ENTRY status unknown)" + pstatus yellow UNKNOWN "kernel has 
retbleed mitigation but config not available to verify" + else + pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic" + fi + fi - # Check dmesg message to see whether AVX has been disabled - dmesg_grep 'Microcode update needed! Disabling AVX as mitigation' - dmesgret=$? - if [ "$dmesgret" -eq 0 ]; then - kernel_avx_disabled="AVX disabled by the kernel (dmesg)" - pstatus green YES "$kernel_avx_disabled" - elif [ "$cap_avx2" = 0 ]; then - # Find out by ourselves - # cpuinfo says we don't have AVX2, query - # the CPU directly about AVX2 support - read_cpuid 0x7 0x0 "$EBX" 5 1 1 - ret=$? - if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then - kernel_avx_disabled="AVX disabled by the kernel (cpuid)" - pstatus green YES "$kernel_avx_disabled" - elif [ "$ret" -eq "$READ_CPUID_RET_KO" ]; then - pstatus yellow NO "CPU doesn't support AVX" - elif [ "$dmesgret" -eq 2 ]; then - pstatus yellow UNKNOWN "dmesg truncated, can't tell whether mitigation is active, please reboot and relaunch this script" + pr_info_nol "* Kernel compiled with IBPB_ENTRY support: " + if [ -r "$opt_config" ]; then + # CONFIG_CPU_IBPB_ENTRY: Linux < 6.9 + # CONFIG_MITIGATION_IBPB_ENTRY: Linux >= 6.9 + if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y' "$opt_config"; then + pstatus green YES + kernel_ibpb_entry="CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y found in kernel config" + else + pstatus yellow NO + fi + else + if [ -n "$g_kernel_err" ]; then + pstatus yellow UNKNOWN "$g_kernel_err" + elif [ -n "$kernel_retbleed" ]; then + kernel_ibpb_entry="retbleed mitigation logic present in kernel (IBPB_ENTRY status unknown)" + pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify" + else + pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic" + fi + fi + + # Zen/Zen+/Zen2: check IBPB microcode support and SMT + if [ "$cpu_family" = $((0x17)) ]; then + pr_info_nol "* CPU supports IBPB: " + if [ "$opt_live" = 1 ]; 
then + if [ -n "$cap_ibpb" ]; then + pstatus green YES "$cap_ibpb" else - pstatus yellow UNKNOWN "No sign of mitigation in dmesg and couldn't read cpuid info" + pstatus yellow NO fi else - pstatus yellow NO "AVX support is enabled" + pstatus blue N/A "not testable in offline mode" + fi + + pr_info_nol "* Hyper-Threading (SMT) is enabled: " + is_cpu_smt_enabled + smt_enabled=$? + if [ "$smt_enabled" = 0 ]; then + pstatus yellow YES + else + pstatus green NO fi fi 
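Review bot: In both the UNRET_ENTRY and IBPB_ENTRY sections, the branch that prints UNKNOWN because no config is readable still assigns a non-empty string to `kernel_unret` / `kernel_ibpb_entry`, so any later `-n`/`-z` test on those variables cannot distinguish "not verifiable" from "found in config" and will treat the unknown case as mitigated; leave them empty there (drop the two assignments under `elif [ -n "$kernel_retbleed" ]`) and, if a distinct verdict is wanted, record the unknown state in a separate flag. The IBPB/SMT block is gated on `[ "$cpu_family" = $((0x17)) ]` only, while the inventory comment at the top of this hunk lists Hygon family 0x18 as affected by the same initial commit, so Hygon CPUs skip these checks entirely. `[ -n "$cap_ibpb" ]` also treats `cap_ibpb` as a message string; if it follows the `-1/0/1` convention used for `cap_ibrs_all` elsewhere in this commit, the values `0` and `-1` would print YES, so how `cap_ibpb` is populated should be confirmed. The verdict logic of check_CVE_2022_29900_linux continues in the next hunk.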
@@ -7540,23 +7789,438 @@ check_CVE_2022_40982_linux() { pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" elif [ -z "$msg" ]; then # if msg is empty, sysfs check didn't fill it, rely on our own test - if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then - pvulnstatus "$cve" OK "Your microcode is up to date and mitigation is enabled" - elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then - pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled" - elif [ -z "$kernel_gds" ]; then - pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation" - elif [ -z "$kernel_avx_disabled" ]; then - pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel support the mitigation but the script did not detect AVX as disabled by the kernel" + if [ "$opt_sysfs_only" != 1 ]; then + if [ "$cpu_family" = $((0x17)) ]; then + # Zen/Zen+/Zen2 + if [ -z "$kernel_retbleed" ]; then + pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic" + elif [ "$opt_paranoid" = 1 ] && [ "$smt_enabled" = 0 ]; then + pvulnstatus "$cve" VULN "SMT is enabled, which weakens the IBPB-based mitigation" + explain "For Zen/Zen+/Zen2 CPUs in paranoid mode, proper mitigation needs SMT to be disabled\n" \ + "(this can be done by adding \`nosmt\` to your kernel command line), because IBPB alone\n" \ + "doesn't fully protect cross-thread speculation." + elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then + pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in" + elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_live" = 1 ]; then + pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB" + explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \ + "\`nosmt\` to your kernel command line." 
+ else + pvulnstatus "$cve" OK "Your kernel and CPU support mitigation" + fi + elif [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ]; then + # older AMD families: basic mitigation check + if [ -z "$kernel_retbleed" ]; then + pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic" + elif [ -n "$kernel_unret" ] || [ -n "$kernel_ibpb_entry" ]; then + pvulnstatus "$cve" OK "Your kernel supports mitigation" + else + pvulnstatus "$cve" VULN "Your kernel doesn't have UNRET_ENTRY or IBPB_ENTRY compiled-in" + fi + else + # not supposed to happen + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" + fi else - pvulnstatus "$cve" OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support" + pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg" + fi + else + pvulnstatus "$cve" "$status" "$msg" + fi +} + +check_CVE_2022_29900_bsd() { + if ! is_cpu_affected "$cve"; then + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" + else + pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script" + fi +} + +# >>>>>> vulns/CVE-2022-29901.sh <<<<<< + +# vim: set ts=4 sw=4 sts=4 et: +############################### +# CVE-2022-29901, Retbleed (Intel), RSB Alternate Behavior (RSBA) + +check_CVE_2022_29901() { + check_cve 'CVE-2022-29901' +} + +check_CVE_2022_29901_linux() { + local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_ibrs_entry + status=UNK + sys_interface_available=0 + msg='' + + # + # Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901) + # + # See CVE-2022-29900.sh for the full sysfs/Kconfig/function/stable/vendor inventory. 
+ # + # Intel-specific notes: + # - eIBRS (IBRS_ALL) mitigates the vulnerability on Intel + # - plain retpoline does NOT mitigate on RSBA-capable CPUs (Retbleed bypasses retpoline) + # - IBRS entry also mitigates + # - call depth tracking / stuffing mitigates (v6.2+) + # + # --- Kconfig symbols (Intel-relevant) --- + # CONFIG_CPU_IBRS_ENTRY (< 6.9) / CONFIG_MITIGATION_IBRS_ENTRY (>= 6.9): Intel IBRS + # CONFIG_CALL_DEPTH_TRACKING (< 6.9) / CONFIG_MITIGATION_CALL_DEPTH_TRACKING (>= 6.9): stuffing + # + # --- CPU affection logic (Intel) --- + # 6ad0ad2bf8a6 (v5.19-rc7, initial Intel list): + # SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE, + # ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE + # f54d45372c6a (post-v5.19): + CANNONLAKE_L + # + any Intel with ARCH_CAP_RSBA set in IA32_ARCH_CAPABILITIES MSR (bit 2) + # immunity: none (no _NO bit for RETBLEED on Intel; eIBRS is a mitigation, not immunity) + # + + if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then + # this kernel has the /sys interface, trust it over everything + sys_interface_available=1 + status=$ret_sys_interface_check_status + fi + + if [ "$opt_sysfs_only" != 1 ]; then + pr_info_nol "* Kernel supports mitigation: " + if [ -n "$g_kernel_err" ]; then + kernel_retbleed_err="$g_kernel_err" + elif grep -q 'retbleed' "$g_kernel"; then + kernel_retbleed="found retbleed mitigation logic in kernel image" + fi + if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then + if grep -q 'retbleed_select_mitigation' "$opt_map"; then + kernel_retbleed="found retbleed_select_mitigation in System.map" + fi + fi + if [ -n "$kernel_retbleed" ]; then + pstatus green YES "$kernel_retbleed" + elif [ -n "$kernel_retbleed_err" ]; then + pstatus yellow UNKNOWN "$kernel_retbleed_err" + else + pstatus yellow NO + fi + + pr_info_nol "* Kernel compiled with IBRS_ENTRY support: " + if [ -r "$opt_config" ]; then + # CONFIG_CPU_IBRS_ENTRY: Linux < 6.9 + # CONFIG_MITIGATION_IBRS_ENTRY: Linux >= 6.9 + if grep -Eq 
'^CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y' "$opt_config"; then + pstatus green YES + kernel_ibrs_entry="CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y found in kernel config" + else + pstatus yellow NO + fi + else + if [ -n "$g_kernel_err" ]; then + pstatus yellow UNKNOWN "$g_kernel_err" + elif [ -n "$kernel_retbleed" ]; then + kernel_ibrs_entry="retbleed mitigation logic present in kernel (IBRS_ENTRY status unknown)" + pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify" + else + pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic" + fi + fi + + pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): " + if [ "$opt_live" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then + if [ "$cap_ibrs_all" = 1 ]; then + pstatus green YES + elif [ "$cap_ibrs_all" = 0 ]; then + pstatus yellow NO + else + pstatus yellow UNKNOWN + fi + else + pstatus blue N/A "not testable in offline mode" + fi + + pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): " + if [ "$opt_live" = 1 ] || [ "$cap_rsba" != -1 ]; then + if [ "$cap_rsba" = 1 ]; then + pstatus yellow YES "this CPU is affected by RSB underflow" + elif [ "$cap_rsba" = 0 ]; then + pstatus green NO + else + pstatus yellow UNKNOWN + fi + else + pstatus blue N/A "not testable in offline mode" + fi + + elif [ "$sys_interface_available" = 0 ]; then + # we have no sysfs but were asked to use it only! + msg="/sys vulnerability interface use forced, but it's not available!" + status=UNK + fi + + if ! 
is_cpu_affected "$cve"; then
+ # override status & msg in case CPU is not vulnerable after all
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -z "$msg" ]; then
+ # if msg is empty, sysfs check didn't fill it, rely on our own test
+ if [ "$opt_sysfs_only" != 1 ]; then
+ if [ -z "$kernel_retbleed" ]; then
+ pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic"
+ elif [ "$cap_ibrs_all" = 1 ]; then
+ if [ "$opt_paranoid" = 1 ] && [ "$cap_rrsba" = 1 ]; then
+ pvulnstatus "$cve" VULN "eIBRS is enabled but RRSBA is present, which may weaken the mitigation"
+ explain "In paranoid mode, the combination of eIBRS and RRSBA (Restricted RSB Alternate Behavior)\n" \
+ "is flagged because RRSBA means the RSB can still be influenced in some scenarios.\n" \
+ "Check if your firmware/kernel supports disabling RRSBA via RRSBA_CTRL."
+ else
+ pvulnstatus "$cve" OK "Enhanced IBRS (IBRS_ALL) mitigates the vulnerability"
+ fi
+ elif [ -n "$kernel_ibrs_entry" ]; then
+ pvulnstatus "$cve" OK "Your kernel has IBRS_ENTRY mitigation compiled-in"
+ else
+ pvulnstatus "$cve" VULN "Your kernel has retbleed mitigation but IBRS_ENTRY is not compiled-in and eIBRS is not available"
+ explain "Retpoline alone does NOT mitigate Retbleed on RSBA-capable Intel CPUs.\n" \
+ "You need either Enhanced IBRS (eIBRS, via firmware/microcode update) or a kernel\n" \
+ "compiled with IBRS_ENTRY support (Linux 5.19+, CONFIG_(CPU|MITIGATION)_IBRS_ENTRY)."
+ fi
+ else
+ pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+ fi
+ else
+ pvulnstatus "$cve" "$status" "$msg"
+ fi
+}
+
+check_CVE_2022_29901_bsd() {
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ else
+ pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+ fi
+}
+
+# >>>>>> vulns/CVE-2022-40982.sh <<<<<<
+
+# vim: set ts=4 sw=4 sts=4 et:
+###############################
+# CVE-2022-40982, Downfall, GDS, Gather Data Sampling
+
+check_CVE_2022_40982() {
+ check_cve 'CVE-2022-40982'
+}
+
+check_CVE_2022_40982_linux() {
+ local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret
+ status=UNK
+ sys_interface_available=0
+ msg=''
+
+ if sys_interface_check "$VULN_SYSFS_BASE/gather_data_sampling"; then
+ # this kernel has the /sys interface, trust it over everything
+ sys_interface_available=1
+ #
+ # Kernel source inventory for gather_data_sampling (GDS/Downfall)
+ #
+ # --- sysfs messages ---
+ # all versions:
+ # "Not affected" (cpu_show_common, pre-existing)
+ #
+ # --- mainline ---
+ # 8974eb588283 (v6.5-rc6, initial GDS sysfs):
+ # "Vulnerable" (GDS_MITIGATION_OFF)
+ # "Vulnerable: No microcode" (GDS_MITIGATION_UCODE_NEEDED)
+ # "Mitigation: Microcode" (GDS_MITIGATION_FULL)
+ # "Mitigation: Microcode (locked)" (GDS_MITIGATION_FULL_LOCKED)
+ # "Unknown: Dependent on hypervisor status" (GDS_MITIGATION_HYPERVISOR)
+ # 553a5c03e90a (v6.5-rc6, added force option):
+ # "Mitigation: AVX disabled, no microcode" (GDS_MITIGATION_FORCE)
+ # 53cf5797f114 (v6.5-rc6, added CONFIG_GDS_FORCE_MITIGATION):
+ # no string changes; default becomes FORCE when Kconfig enabled
+ # 81ac7e5d7417 (v6.5-rc6, KVM GDS_NO plumbing):
+ # no string changes
+ # be83e809ca67 (v6.9-rc1, Kconfig rename):
+ # no string changes; CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
+ # 03267a534bb3 (v6.12-rc1, removed force Kconfig):
+ # no string changes; CONFIG_MITIGATION_GDS_FORCE removed
+ # 225f2bd064c3 (v6.12-rc1, added on/off Kconfig):
+ # no string changes; added CONFIG_MITIGATION_GDS (default y)
+ # 9dcad2fb31bd (v6.16-rc1, restructured select/apply):
+ # no string changes; added GDS_MITIGATION_AUTO (internal, resolved before display)
+ # split gds_select_mitigation() + gds_apply_mitigation()
+ # d4932a1b148b (v6.17-rc3, bug fix):
+ # no string changes; CPUs without ARCH_CAP_GDS_CTRL were incorrectly classified
+ # as OFF ("Vulnerable") instead of UCODE_NEEDED ("Vulnerable: No microcode"),
+ # and locked-mitigation detection was skipped.
+ # NOT backported to any stable or RHEL branch as of 2026-04.
+ #
+ # --- stable backports ---
+ # 5.4.y, 5.10.y, 5.15.y, 6.1.y, 6.6.y: same 7 strings as mainline.
+ # use CONFIG_GDS_FORCE_MITIGATION; no GDS_MITIGATION_AUTO enum;
+ # missing d4932a1b148b bug fix (UCODE_NEEDED vs OFF misclassification).
+ # 6.12.y: same 7 strings as mainline.
+ # uses CONFIG_MITIGATION_GDS; no GDS_MITIGATION_AUTO enum;
+ # missing d4932a1b148b bug fix.
+ #
+ # --- RHEL/CentOS ---
+ # centos7 (3.10), rocky8 (4.18): same 7 strings; CONFIG_GDS_FORCE_MITIGATION.
+ # centos7 uses sprintf (not sysfs_emit) and __read_mostly.
+ # rocky9 (5.14): same 7 strings; CONFIG_MITIGATION_GDS (skipped FORCE rename).
+ # rocky10 (6.12): same 7 strings; CONFIG_MITIGATION_GDS; has gds_apply_mitigation().
+ #
+ # --- Kconfig symbols ---
+ # 53cf5797f114 (v6.5-rc6): CONFIG_GDS_FORCE_MITIGATION (default n)
+ # be83e809ca67 (v6.9-rc1): renamed to CONFIG_MITIGATION_GDS_FORCE
+ # 03267a534bb3 (v6.12-rc1): CONFIG_MITIGATION_GDS_FORCE removed
+ # 225f2bd064c3 (v6.12-rc1): CONFIG_MITIGATION_GDS (default y)
+ # vendor kernels: rocky9 uses CONFIG_MITIGATION_GDS on 5.14-based kernel
+ #
+ # --- kernel functions (for $opt_map / System.map) ---
+ # 8974eb588283 (v6.5-rc6): gds_select_mitigation(), update_gds_msr(),
+ # gds_parse_cmdline(), gds_show_state()
+ # 81ac7e5d7417 (v6.5-rc6): gds_ucode_mitigated() (exported for KVM)
+ # 9dcad2fb31bd (v6.16-rc1): split into gds_select_mitigation() + gds_apply_mitigation()
+ # stable 5.4.y-6.12.y: same 5 functions (no gds_apply_mitigation)
+ # rocky10 (6.12): has gds_apply_mitigation()
+ #
+ # --- CPU affection logic (for is_cpu_affected) ---
+ # X86_BUG_GDS is set when ALL three conditions are true:
+ # 1. CPU matches model blacklist (cpu_vuln_blacklist[] in common.c)
+ # 2. ARCH_CAP_GDS_NO (bit 26 of IA32_ARCH_CAPABILITIES) is NOT set
+ # 3. X86_FEATURE_AVX is present (GATHER instructions require AVX)
+ # 8974eb588283 (v6.5-rc6, initial model list):
+ # Intel: SKYLAKE_X, KABYLAKE_L, KABYLAKE, ICELAKE_L, ICELAKE_D,
+ # ICELAKE_X, COMETLAKE, COMETLAKE_L, TIGERLAKE_L, TIGERLAKE,
+ # ROCKETLAKE (all steppings)
+ # c9f4c45c8ec3 (v6.5-rc6, added missing client Skylake):
+ # Intel: + SKYLAKE_L, SKYLAKE
+ # 159013a7ca18 (v6.10-rc1, ITS stepping splits):
+ # no GDS model changes; some entries split by stepping for ITS but
+ # GDS flag remains on all stepping ranges for these models
+ # immunity: ARCH_CAP_GDS_NO (bit 26 of IA32_ARCH_CAPABILITIES)
+ # feature dependency: requires AVX (if AVX absent, CPU is immune)
+ # vendor scope: Intel only
+ #
+ # all messages start with either "Not affected", "Vulnerable", "Mitigation",
+ # or "Unknown"
+ status=$ret_sys_interface_check_status
+ fi
+
+ if [ "$opt_sysfs_only" != 1 ]; then
+ pr_info_nol "* GDS is mitigated by microcode: "
+ if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
+ pstatus green OK "microcode mitigation is supported and enabled"
+ elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then
+ pstatus yellow NO "microcode mitigation is supported but disabled"
+ elif [ "$cap_gds_ctrl" = 0 ]; then
+ pstatus yellow NO "microcode doesn't support GDS mitigation"
+ else
+ pstatus yellow UNKNOWN "couldn't read MSR for GDS capability"
+ fi
+
+ pr_info_nol "* Kernel supports software mitigation by disabling AVX: "
+ kernel_gds=''
+ kernel_gds_err=''
+ if [ -n "$g_kernel_err" ]; then
+ kernel_gds_err="$g_kernel_err"
+ elif grep -q 'gather_data_sampling' "$g_kernel"; then
+ kernel_gds="found gather_data_sampling in kernel image"
+ fi
+ if [ -z "$kernel_gds" ] && [ -r "$opt_config" ]; then
+ if grep -q '^CONFIG_GDS_FORCE_MITIGATION=y' "$opt_config" ||
+ grep -q '^CONFIG_MITIGATION_GDS_FORCE=y' "$opt_config" ||
+ grep -q '^CONFIG_MITIGATION_GDS=y' "$opt_config"; then
+ kernel_gds="GDS mitigation config option found enabled in kernel config"
+ fi
+ fi
+ if [ -z "$kernel_gds" ] && [ -n "$opt_map" ]; then
+ if grep -q 'gds_select_mitigation' "$opt_map"; then
+ kernel_gds="found gds_select_mitigation in System.map"
+ fi
+ fi
+ if [ -n "$kernel_gds" ]; then
+ pstatus green YES "$kernel_gds"
+ elif [ -n "$kernel_gds_err" ]; then
+ pstatus yellow UNKNOWN "$kernel_gds_err"
+ else
+ pstatus yellow NO
+ fi
+
+ if [ -n "$kernel_gds" ]; then
+ pr_info_nol "* Kernel has disabled AVX as a mitigation: "
+
+ if [ "$opt_live" = 1 ]; then
+ # Check dmesg message to see whether AVX has been disabled
+ dmesg_grep 'Microcode update needed! Disabling AVX as mitigation'
+ dmesgret=$?
+ if [ "$dmesgret" -eq 0 ]; then
+ kernel_avx_disabled="AVX disabled by the kernel (dmesg)"
+ pstatus green YES "$kernel_avx_disabled"
+ elif [ "$cap_avx2" = 0 ]; then
+ # Find out by ourselves
+ # cpuinfo says we don't have AVX2, query
+ # the CPU directly about AVX2 support
+ read_cpuid 0x7 0x0 "$EBX" 5 1 1
+ ret=$?
+ if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then
+ kernel_avx_disabled="AVX disabled by the kernel (cpuid)"
+ pstatus green YES "$kernel_avx_disabled"
+ elif [ "$ret" -eq "$READ_CPUID_RET_KO" ]; then
+ pstatus yellow NO "CPU doesn't support AVX"
+ elif [ "$dmesgret" -eq 2 ]; then
+ pstatus yellow UNKNOWN "dmesg truncated, can't tell whether mitigation is active, please reboot and relaunch this script"
+ else
+ pstatus yellow UNKNOWN "No sign of mitigation in dmesg and couldn't read cpuid info"
+ fi
+ else
+ pstatus yellow NO "AVX support is enabled"
+ fi
+ else
+ pstatus blue N/A "not testable in offline mode"
+ fi
+ fi
+
+ elif [ "$sys_interface_available" = 0 ]; then
+ # we have no sysfs but were asked to use it only!
+ msg="/sys vulnerability interface use forced, but it's not available!"
+ status=UNK
+ fi
+
+ if ! is_cpu_affected "$cve"; then
+ # override status & msg in case CPU is not vulnerable after all
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -z "$msg" ]; then
+ # if msg is empty, sysfs check didn't fill it, rely on our own test
+ if [ "$opt_sysfs_only" != 1 ]; then
+ if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
+ if [ "$opt_paranoid" = 1 ] && [ "$cap_gds_mitg_lock" != 1 ]; then
+ pvulnstatus "$cve" VULN "Microcode mitigation is enabled but not locked"
+ explain "In paranoid mode, the GDS mitigation must be locked to prevent a privileged attacker\n " \
+ "(e.g. in a guest VM) from disabling it. Check your firmware/BIOS for an option to lock the\n " \
+ "GDS mitigation, or update your microcode."
+ else
+ pvulnstatus "$cve" OK "Your microcode is up to date and mitigation is enabled"
+ fi
+ elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then
+ pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
+ explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \
+ "Remove the kernel parameter to re-enable it."
+ elif [ -z "$kernel_gds" ]; then
+ pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
+ explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \
+ "to a version that supports GDS mitigation (Linux 6.5+, or check if your distro has a backport)."
+ elif [ -z "$kernel_avx_disabled" ]; then
+ pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel supports the mitigation but AVX was not disabled"
+ explain "Update your CPU microcode (via BIOS/firmware update from your OEM). If no microcode update\n " \
+ "is available, use gather_data_sampling=force on the kernel command line to disable AVX as a workaround."
+ else
+ pvulnstatus "$cve" OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support"
+ fi
+ else
+ pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
 fi
 else
 pvulnstatus "$cve" "$status" "$msg"
 fi
 }
-# CVE-2022-40982 Downfall (gather data sampling) - BSD mitigation check
 check_CVE_2022_40982_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -7568,15 +8232,13 @@ check_CVE_2022_40982_bsd() {
 # >>>>>> vulns/CVE-2023-20569.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-#######################
-# Inception section
+###############################
+# CVE-2023-20569, Inception, SRSO, Return Address Security
-# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - entry point
 check_CVE_2023_20569() {
 check_cve 'CVE-2023-20569'
 }
-# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - Linux mitigation check
 check_CVE_2023_20569_linux() {
 local status sys_interface_available msg kernel_sro kernel_sro_err kernel_srso kernel_ibpb_entry smt_enabled
 status=UNK
@@ -7775,7 +8437,6 @@ check_CVE_2023_20569_linux() {
 fi
 }
-# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - BSD mitigation check
 check_CVE_2023_20569_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -7787,15 +8448,13 @@ check_CVE_2023_20569_bsd() {
 # >>>>>> vulns/CVE-2023-20593.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-####################
-# Zenbleed section
+###############################
+# CVE-2023-20593, Zenbleed, Cross-Process Information Leak
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - entry point
 check_CVE_2023_20593() {
 check_cve 'CVE-2023-20593'
 }
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - Linux mitigation check
 check_CVE_2023_20593_linux() {
 local status sys_interface_available msg kernel_zenbleed kernel_zenbleed_err fp_backup_fix ucode_zenbleed zenbleed_print_vuln ret
 status=UNK
@@ -7907,7 +8566,6 @@ check_CVE_2023_20593_linux() {
 fi
 }
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
 check_CVE_2023_20593_bsd() {
 local zenbleed_enable zenbleed_state kernel_zenbleed
 pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "
@@ -7964,15 +8622,13 @@ check_CVE_2023_20593_bsd() {
 # >>>>>> vulns/CVE-2023-23583.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-#######################
-# Reptar section
+###############################
+# CVE-2023-23583, Reptar, Redundant Prefix Issue
-# CVE-2023-23583 Reptar (redundant prefix issue) - entry point
 check_CVE_2023_23583() {
 check_cve 'CVE-2023-23583'
 }
-# CVE-2023-23583 Reptar (redundant prefix issue) - Linux mitigation check
 check_CVE_2023_23583_linux() {
 local status sys_interface_available msg
 status=UNK
@@ -7996,7 +8652,6 @@ check_CVE_2023_23583_linux() {
 fi
 }
-# CVE-2023-23583 Reptar (redundant prefix issue) - BSD mitigation check
 check_CVE_2023_23583_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -8008,15 +8663,13 @@ check_CVE_2023_23583_bsd() {
 # >>>>>> vulns/CVE-2024-36350.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-####################
-# TSA-SQ section
+###############################
+# CVE-2024-36350, TSA-SQ, Transient Scheduler Attack Store Queue
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - entry point
 check_CVE_2024_36350() {
 check_cve 'CVE-2024-36350'
 }
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - Linux mitigation check
 check_CVE_2024_36350_linux() {
 local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled
 status=UNK
@@ -8176,7 +8829,6 @@ check_CVE_2024_36350_linux() {
 fi
 }
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - BSD mitigation check
 check_CVE_2024_36350_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -8188,15 +8840,13 @@ check_CVE_2024_36350_bsd() {
 # >>>>>> vulns/CVE-2024-36357.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-####################
-# TSA-L1 section
+###############################
+# CVE-2024-36357, TSA-L1, Transient Scheduler Attack L1
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - entry point
 check_CVE_2024_36357() {
 check_cve 'CVE-2024-36357'
 }
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
 check_CVE_2024_36357_linux() {
 local status sys_interface_available msg kernel_tsa kernel_tsa_err
 status=UNK
@@ -8349,7 +8999,6 @@ check_CVE_2024_36357_linux() {
 fi
 }
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - BSD mitigation check
 check_CVE_2024_36357_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
diff --git a/src/libs/003_intel_models.sh b/src/libs/003_intel_models.sh
new file mode 100644
index 0000000..45560d5
--- /dev/null
+++ b/src/libs/003_intel_models.sh
@@ -0,0 +1,105 @@ +# vim: set ts=4 sw=4 sts=4 et: +# AUTO-GENERATED FILE — DO NOT EDIT MANUALLY. +# Generated by scripts/update_intel_models.sh from: +# https://raw.githubusercontent.com/torvalds/linux/refs/heads/master/arch/x86/include/asm/intel-family.h +# Run scripts/update_intel_models.sh to refresh when new Intel CPU families are added to the kernel. +# shellcheck disable=SC2034 +{ + readonly INTEL_FAM5_PENTIUM_75=$((0x02)) # /* P54C */ + readonly INTEL_FAM5_PENTIUM_MMX=$((0x04)) # /* P55C */ + readonly INTEL_FAM5_QUARK_X1000=$((0x09)) # /* Quark X1000 SoC */ + readonly INTEL_FAM6_PENTIUM_PRO=$((0x01)) + readonly INTEL_FAM6_PENTIUM_II_KLAMATH=$((0x03)) + readonly INTEL_FAM6_PENTIUM_III_DESCHUTES=$((0x05)) + readonly INTEL_FAM6_PENTIUM_III_TUALATIN=$((0x0B)) + readonly INTEL_FAM6_PENTIUM_M_DOTHAN=$((0x0D)) + readonly INTEL_FAM6_CORE_YONAH=$((0x0E)) + readonly INTEL_FAM6_CORE2_MEROM=$((0x0F)) + readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16)) + readonly INTEL_FAM6_CORE2_PENRYN=$((0x17)) + readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D)) + readonly INTEL_FAM6_NEHALEM=$((0x1E)) + readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */ + readonly INTEL_FAM6_NEHALEM_EP=$((0x1A)) + readonly INTEL_FAM6_NEHALEM_EX=$((0x2E)) + readonly INTEL_FAM6_WESTMERE=$((0x25)) + readonly INTEL_FAM6_WESTMERE_EP=$((0x2C)) + readonly INTEL_FAM6_WESTMERE_EX=$((0x2F)) + readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A)) + readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D)) + readonly INTEL_FAM6_IVYBRIDGE=$((0x3A)) + readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E)) + readonly INTEL_FAM6_HASWELL=$((0x3C)) + readonly INTEL_FAM6_HASWELL_X=$((0x3F)) + readonly INTEL_FAM6_HASWELL_L=$((0x45)) + readonly INTEL_FAM6_HASWELL_G=$((0x46)) + readonly INTEL_FAM6_BROADWELL=$((0x3D)) + readonly INTEL_FAM6_BROADWELL_G=$((0x47)) + readonly INTEL_FAM6_BROADWELL_X=$((0x4F)) + readonly INTEL_FAM6_BROADWELL_D=$((0x56)) + readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */ + readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* 
Sky Lake */ + readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */ + readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* Sky Lake */ + readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */ + readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */ + readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */ + readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */ + readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */ + readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */ + readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */ + readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */ + readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */ + readonly INTEL_FAM6_EMERALDRAPIDS_X=$((0xCF)) # /* Raptor Cove */ + readonly INTEL_FAM6_GRANITERAPIDS_X=$((0xAD)) # /* Redwood Cove */ + readonly INTEL_FAM6_GRANITERAPIDS_D=$((0xAE)) + readonly INTEL_FAM19_DIAMONDRAPIDS_X=$((0x01)) # /* Panther Cove */ + readonly INTEL_FAM6_BARTLETTLAKE=$((0xD7)) # /* Raptor Cove */ + readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */ + readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */ + readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */ + readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) # /* Raptor Cove / Enhanced Gracemont */ + readonly INTEL_FAM6_RAPTORLAKE_P=$((0xBA)) + readonly INTEL_FAM6_RAPTORLAKE_S=$((0xBF)) + readonly INTEL_FAM6_METEORLAKE=$((0xAC)) # /* Redwood Cove / Crestmont */ + readonly INTEL_FAM6_METEORLAKE_L=$((0xAA)) + readonly INTEL_FAM6_ARROWLAKE_H=$((0xC5)) # /* Lion Cove / Skymont */ + readonly INTEL_FAM6_ARROWLAKE=$((0xC6)) + readonly INTEL_FAM6_ARROWLAKE_U=$((0xB5)) + readonly INTEL_FAM6_LUNARLAKE_M=$((0xBD)) # /* Lion Cove / Skymont 
*/ + readonly INTEL_FAM6_PANTHERLAKE_L=$((0xCC)) # /* Cougar Cove / Darkmont */ + readonly INTEL_FAM6_WILDCATLAKE_L=$((0xD5)) + readonly INTEL_FAM18_NOVALAKE=$((0x01)) # /* Coyote Cove / Arctic Wolf */ + readonly INTEL_FAM18_NOVALAKE_L=$((0x03)) # /* Coyote Cove / Arctic Wolf */ + readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */ + readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */ + readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */ + readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */ + readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */ + readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */ + readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */ + readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */ + readonly INTEL_FAM6_ATOM_SILVERMONT_MID2=$((0x5A)) # /* Anniedale */ + readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */ + readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */ + readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */ + readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) # /* Denverton */ + readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */ + readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */ + readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */ + readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */ + readonly INTEL_FAM6_ATOM_GRACEMONT=$((0xBE)) # /* Alderlake N */ + readonly INTEL_FAM6_ATOM_CRESTMONT_X=$((0xAF)) # /* Sierra Forest */ + readonly INTEL_FAM6_ATOM_CRESTMONT=$((0xB6)) # /* Grand Ridge */ + readonly INTEL_FAM6_ATOM_DARKMONT_X=$((0xDD)) # /* Clearwater Forest */ + readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */ + readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */ + readonly INTEL_FAM15_P4_WILLAMETTE=$((0x01)) # /* Also Xeon Foster */ + readonly 
INTEL_FAM15_P4_PRESCOTT=$((0x03)) + readonly INTEL_FAM15_P4_PRESCOTT_2M=$((0x04)) + readonly INTEL_FAM15_P4_CEDARMILL=$((0x06)) # /* Also Xeon Dempsey */ +}