enh: CVE-2022-40982 (Downfall) overhaul & Spectre V2 enhancements

Downfall: - added `--kernel-config` support for all three Kconfig variants seen over all kernel versions up to now - added `--kernel-map` support for `gds_select_mitigation` in `System.map` - fixed the `--sysfs-only` mode - added verbose information about remediation when `--explain` is used - implemented `--paranoid mode`, requiring `GDS_MITIGATION_LOCKED` so that mitigation can't be disabled at runtime - fixed offline mode (was wrongly looking at the system `dmesg`) - better microcode status reporting (enabled, disabled, unsupported, unknown) - fixed unknown (EOL) AVX-capable Intel family 6 CPUs now defaulting to affected - fixed 2 missing known affected CPU models: INTEL_FAM6_SKYLAKE_L and INTEL_FAM6_SKYLAKE - fixed case when we're running in a VM and the hypervisor doesn't let us read the MSR Spectre V2: - fix: affected_cpu: added Centaur family 7 (CentaurHauls) and Zhaoxin family 7 (Shanghai) as immune - fix: added Centaur family 5 (CentaurHauls) and NSC family 5 (Geode by NSC) to is_cpu_specex_free() - enh: offline mode: added detection logic by probing System.map and Kconfig
2026-04-03 13:47:08 +02:00 · 2026-04-02 19:55:25 +02:00
parent 37204869f8
commit 5e3033e2f5
4 changed files with 256 additions and 46 deletions
--- a/src/vulns/CVE-2017-5715.sh
+++ b/src/vulns/CVE-2017-5715.sh
@@ -1,14 +1,12 @@
 # vim: set ts=4 sw=4 sts=4 et:
-###################
-# SPECTRE 2 SECTION
+###############################
+# CVE-2017-5715, Spectre V2, Branch Target Injection

-# CVE-2017-5715 Spectre Variant 2 (branch target injection) - entry point
 # Sets: vulnstatus
 check_CVE_2017_5715() {
    check_cve 'CVE-2017-5715'
 }

-# CVE-2017-5715 Spectre Variant 2 (branch target injection) - Linux mitigation check
 # Sets: g_ibrs_can_tell, g_ibrs_supported, g_ibrs_enabled, g_ibrs_fw_enabled,
 #   g_ibpb_can_tell, g_ibpb_supported, g_ibpb_enabled, g_specex_knob_dir
 check_CVE_2017_5715_linux() {
@@ -208,6 +206,43 @@ check_CVE_2017_5715_linux() {
        # rocky9 (RHEL 9, kernel 5.14): matches mainline. Semicolons, BHI, all fields.
        # rocky10 (RHEL 10, kernel 6.12): matches mainline.
        #
+        #
+        # --- Kconfig symbols ---
+        # 76b043848fd2 (v4.15-rc8): CONFIG_RETPOLINE
+        # f43b9876e857 (v5.19-rc7): CONFIG_CPU_IBRS_ENTRY (kernel IBRS on entry)
+        # aefb2f2e619b (v6.9-rc1): renamed CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE
+        # 1da8d2172ce5 (v6.9-rc1): renamed CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY
+        # ec9404e40e8f (v6.9-rc4): CONFIG_SPECTRE_BHI_ON / CONFIG_SPECTRE_BHI_OFF
+        # 4f511739c54b (v6.9-rc4): replaced by CONFIG_MITIGATION_SPECTRE_BHI
+        # 72c70f480a70 (v6.12-rc1): CONFIG_MITIGATION_SPECTRE_V2 (top-level on/off)
+        # 8754e67ad4ac (v6.15-rc7): CONFIG_MITIGATION_ITS (indirect target selection)
+        # stable 5.4.y-6.6.y: CONFIG_RETPOLINE (pre-rename)
+        # stable 6.12.y: CONFIG_MITIGATION_RETPOLINE, CONFIG_MITIGATION_SPECTRE_V2
+        #
+        # --- kernel functions (for $opt_map / System.map) ---
+        # da285121560e (v4.15-rc8): spectre_v2_select_mitigation(),
+        #   spectre_v2_parse_cmdline(), nospectre_v2_parse_cmdline()
+        # 20ffa1caecca (v4.16-rc1): spectre_v2_module_string(), retpoline_module_ok()
+        # a8f76ae41cd6 (v4.20-rc5): spectre_v2_user_select_mitigation(),
+        #   spectre_v2_user_parse_cmdline()
+        # 7c693f54c873 (v5.19-rc7): spectre_v2_in_ibrs_mode(), spectre_v2_in_eibrs_mode()
+        # 44a3918c8245 (v5.17-rc8): spectre_v2_show_state()
+        # 480e803dacf8 (v6.16-rc1): split into spectre_v2_select_mitigation() +
+        #   spectre_v2_apply_mitigation() + spectre_v2_update_mitigation() +
+        #   spectre_v2_user_apply_mitigation() + spectre_v2_user_update_mitigation()
+        #
+        # --- CPU affection logic (for is_cpu_affected) ---
+        # X86_BUG_SPECTRE_V2 is set for ALL x86 CPUs except:
+        #   - CPUs matching NO_SPECULATION: family 4 (all vendors), Centaur/Intel/NSC/Vortex
+        #     family 5, Intel Atom Bonnell/Saltwell
+        #   - CPUs matching NO_SPECTRE_V2: Centaur family 7, Zhaoxin family 7
+        # 99c6fa2511d8 (v4.15-rc8): unconditional for all x86 CPUs
+        # 1e41a766c98b (v5.6-rc1): added NO_SPECTRE_V2 exemption for Centaur/Zhaoxin
+        # 98c7a713db91 (v6.15-rc1): added X86_BUG_SPECTRE_V2_USER as separate bit
+        # No MSR/CPUID immunity bits — purely whitelist-based.
+        # vendor scope: all x86 vendors affected (Intel, AMD, Hygon, etc.)
+        #   except Centaur family 7 and Zhaoxin family 7.
+        #
        # all messages start with either "Not affected", "Mitigation", or "Vulnerable"
    fi
    if [ "$opt_sysfs_only" != 1 ]; then
@@ -332,6 +367,19 @@ check_CVE_2017_5715_linux() {
            if grep -q spec_ctrl "$opt_map"; then
                g_ibrs_supported="found spec_ctrl in symbols file"
                pr_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+            elif grep -q -e spectre_v2_select_mitigation -e spectre_v2_apply_mitigation "$opt_map"; then
+                # spectre_v2_select_mitigation exists since v4.15; split into
+                # spectre_v2_select_mitigation + spectre_v2_apply_mitigation in v6.16
+                g_ibrs_supported="found spectre_v2 mitigation function in symbols file"
+                pr_debug "ibrs: found spectre_v2_*_mitigation symbol in $opt_map"
+            fi
+        fi
+        # CONFIG_CPU_IBRS_ENTRY (v5.19) / CONFIG_MITIGATION_IBRS_ENTRY (v6.9): kernel IBRS on entry
+        if [ -z "$g_ibrs_supported" ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
+            g_ibrs_can_tell=1
+            if grep -q '^CONFIG_\(CPU_\|MITIGATION_\)IBRS_ENTRY=y' "$opt_config"; then
+                g_ibrs_supported="CONFIG_CPU_IBRS_ENTRY/CONFIG_MITIGATION_IBRS_ENTRY found in kernel config"
+                pr_debug "ibrs: found IBRS entry config option in $opt_config"
            fi
        fi
        # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
@@ -579,7 +627,7 @@ check_CVE_2017_5715_linux() {
            rsb_filling=0
            if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
                # if we're live and we aren't denied looking into /sys, let's do it
-                if echo "$msg" | grep -qw RSB; then
+                if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then
                    rsb_filling=1
                    pstatus green YES
                fi
@@ -679,6 +727,11 @@ check_CVE_2017_5715_linux() {
            *) pstatus yellow UNKNOWN ;;
        esac

+        # --- SMT state (used in STIBP inference and verdict) ---
+        is_cpu_smt_enabled
+        smt_enabled=$?
+        # smt_enabled: 0=enabled, 1=disabled, 2=unknown
+
        # --- v2_stibp_status ---
        pr_info_nol "  * STIBP status: "
        if [ -n "$ret_sys_interface_check_fullmsg" ]; then
@@ -821,11 +874,6 @@ check_CVE_2017_5715_linux() {
            fi
        fi

-        # --- SMT state (used in verdict) ---
-        is_cpu_smt_enabled
-        smt_enabled=$?
-        # smt_enabled: 0=enabled, 1=disabled, 2=unknown
-
    elif [ "$sys_interface_available" = 0 ]; then
        # we have no sysfs but were asked to use it only!
        msg="/sys vulnerability interface use forced, but it's not available!"
@@ -840,6 +888,8 @@ check_CVE_2017_5715_linux() {
            # --- own logic using Phase 2 variables ---
            # Helper: collect caveats for the verdict message
            _v2_caveats=''
+            # Append a caveat string to the _v2_caveats list
+            # Callers: check_CVE_2017_5715_linux (eIBRS, IBRS, retpoline verdict paths)
            _v2_add_caveat() { _v2_caveats="${_v2_caveats:+$_v2_caveats; }$1"; }

            # ARM branch predictor hardening (unchanged)
@@ -1107,6 +1157,9 @@ check_CVE_2017_5715_linux() {
                    pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
                elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then
                    pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS"
+                # CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations
+                elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then
+                    pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)"
                elif [ "$g_ibrs_can_tell" != 1 ]; then
                    pvulnstatus "$cve" UNK "offline mode: not enough information"
                    explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
@@ -1137,7 +1190,6 @@ check_CVE_2017_5715_linux() {
    fi
 }

-# CVE-2017-5715 Spectre Variant 2 (branch target injection) - BSD mitigation check
 # Sets: vulnstatus
 check_CVE_2017_5715_bsd() {
    local ibrs_disabled ibrs_active retpoline nb_thunks