fix: CVE-2019-11135 (TAA) detect new 0x10F MSR for TSX-disabled CPUs (#414)

2026-04-09 10:13:18 +02:00 · 2026-04-06 03:23:56 +02:00
parent 3c61c7489b
commit 6332fc3405
4 changed files with 63 additions and 2 deletions
--- a/src/vulns/CVE-2019-11135.sh
+++ b/src/vulns/CVE-2019-11135.sh
@@ -70,7 +70,19 @@ check_CVE_2019_11135_linux() {
    else
        if [ "$opt_paranoid" = 1 ]; then
            # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
-            if ! echo "$ret_sys_interface_check_fullmsg" | grep -qF 'TSX disabled'; then
+            # first check sysfs, then fall back to MSR-based detection for older kernels
+            # that may not report TSX as disabled even when microcode has done so
+            tsx_disabled=0
+            if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'TSX disabled'; then
+                tsx_disabled=1
+            elif [ "$cap_tsx_ctrl_rtm_disable" = 1 ] && [ "$cap_tsx_ctrl_cpuid_clear" = 1 ]; then
+                # TSX disabled via IA32_TSX_CTRL MSR (0x122)
+                tsx_disabled=1
+            elif [ "$cap_tsx_force_abort_rtm_disable" = 1 ] && [ "$cap_tsx_force_abort_cpuid_clear" = 1 ]; then
+                # TSX disabled via IA32_TSX_FORCE_ABORT MSR (0x10F), for older Skylake-era CPUs
+                tsx_disabled=1
+            fi
+            if [ "$tsx_disabled" = 0 ]; then
                pvulnstatus "$cve" VULN "TSX must be disabled for full mitigation"
            elif echo "$ret_sys_interface_check_fullmsg" | grep -qF 'SMT vulnerable'; then
                pvulnstatus "$cve" VULN "SMT (HyperThreading) must be disabled for full mitigation"