From 5c571bacc6d04607f03355618f043c1326583d4d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 2 Apr 2026 18:11:41 +0000
Subject: [PATCH] enh: CVE-2022-40982 (Downfall) overhaul
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

built from commit e7fa2f30cc44f0a0ba78a9d47463e281e3d46083 dated 2026-04-02 19:55:25 +0200 by Stéphane Lesimple (speed47_github@speed47.net)
- added `--kernel-config` support for all three Kconfig variants seen over all kernel versions up to now
- added `--kernel-map` support for `gds_select_mitigation` in `System.map`
- fixed the `--sysfs-only` mode
- added verbose information about remediation when `--explain` is used
- implemented `--paranoid mode`, requiring `GDS_MITIGATION_LOCKED` so that mitigation can't be disabled at runtime
- fixed offline mode (was wrongly looking at the system `dmesg`)
- better microcode status reporting (enabled, disabled, unsupported, unknown)
- fixed unknown (EOL) AVX-capable Intel family 6 CPUs now defaulting to affected
- fixed 2 missing known affected CPU models: INTEL_FAM6_SKYLAKE_L and INTEL_FAM6_SKYLAKE
- fixed case when we're running in a VM and the hypervisor doesn't let us read the MSR
---
 spectre-meltdown-checker.sh | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 26646ea..c6b7d01 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -13,7 +13,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='26.21.0402751'
+VERSION='26.21.0402757'
 # --- Common paths and basedirs ---
 readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -7565,6 +7565,13 @@ check_CVE_2022_40982_linux() {
 # all messages start with either "Not affected", "Vulnerable", "Mitigation",
 # or "Unknown"
 status=$ret_sys_interface_check_status
+ # Override: when the kernel says "Unknown: Dependent on hypervisor status", it
+ # gave up because it's running as a VM guest and can't read MCU_OPT_CTRL.
+ # We can often do better: the hypervisor may have exposed GDS_NO or GDS_CTRL
+ # to us via ARCH_CAPABILITIES, so let our own Phase 2 checks take over.
+ if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
+ status=UNK
+ fi
 fi
 if [ "$opt_sysfs_only" != 1 ]; then
@@ -7666,6 +7673,13 @@ check_CVE_2022_40982_linux() {
 pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
 explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \
 "Remove the kernel parameter to re-enable it."
+ elif [ "$sys_interface_available" = 1 ] &&
+ echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
+ # We're in a VM guest, the kernel gave up, and we couldn't read the
+ # GDS MSR bits either (cap_gds_ctrl != 1). We genuinely can't tell.
+ pvulnstatus "$cve" UNK "Running in a VM, mitigation depends on the hypervisor"
+ explain "This system is running as a virtual machine guest. GDS mitigation must be handled by\n " \
+ "the host hypervisor. Contact your VM/cloud provider to verify that GDS is mitigated on the host."
 elif [ -z "$kernel_gds" ]; then
 pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
 explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \
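Review bot: The `grep -qi 'Dependent on hypervisor'` test on `$ret_sys_interface_check_fullmsg` is written out here and again in the `elif` added in the later hunk of check_CVE_2022_40982_linux, so the two copies can drift if the kernel wording or the pattern is ever adjusted. Recording the result once where the sysfs message is read, e.g. `gds_hv_dependent=1` (initialised to 0 beforehand), and testing `[ "$gds_hv_dependent" = 1 ]` in the later branch would keep both decisions tied to one match. The new comment also says the Phase 2 checks take over, but the block that follows is guarded by `[ "$opt_sysfs_only" != 1 ]`, so under `--sysfs-only` nothing appears to take over and the verdict presumably stays UNK; a line such as `# with --sysfs-only no further check runs and the verdict stays UNK` would make that explicit. The function begins and ends outside this hunk, so how UNK is finally reported in that mode is not visible here.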
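Review bot: The comment inside the new `elif` states that the GDS MSR bits could not be read (`cap_gds_ctrl != 1`), but the condition only tests `sys_interface_available` and the sysfs message, so that guarantee rests entirely on the earlier branches of the chain, which lie outside this hunk. If those branches do cover every `cap_gds_ctrl = 1` case, say so in the comment (`# only reached when no earlier branch matched on cap_gds_ctrl`); if not, add `[ "$cap_gds_ctrl" != 1 ] &&` to the test so that a guest with readable GDS bits can never end on UNK. Because this branch sits ahead of the `[ -z "$kernel_gds" ]` case, guests that would otherwise have been reported VULN there now report UNK, which is worth calling out for users whose monitoring alerts only on VULN.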