diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 522b7f2..efd33cd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,6 +17,8 @@ jobs:
 persist-credentials: true
 - name: install prerequisites
 run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+ - name: update Intel model list
+ run: ./scripts/update_intel_models.sh
 - name: build and check
 run: |
 make build fmt-check shellcheck
@@ -96,6 +98,7 @@ jobs:
 git fetch origin ${{ github.ref_name }}-build
 git checkout -f ${{ github.ref_name }}-build
 mv $tmpdir/* .
+ rm -rf src/
 mkdir -p .github
 rsync -vaP --delete $tmpdir/.github/ .github/
 git add --all
diff --git a/.github/workflows/expected_cve_count b/.github/workflows/expected_cve_count
index aabe6ec..6f4247a 100644
--- a/.github/workflows/expected_cve_count
+++ b/.github/workflows/expected_cve_count
@@ -1 +1 @@
-21
+26
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 610d2fd..8444230 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -30,4 +30,4 @@ jobs:
 days-before-close: 7
 stale-issue-label: stale
 remove-stale-when-updated: true
- debug-only: ${{ case(inputs.action == 'apply', false, true) }}
+ debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}
diff --git a/README.md b/README.md
index 9198503..6623175 100644
--- a/README.md
+++ b/README.md
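Review bot: The added `update Intel model list` step regenerates a shipped source file from a live network fetch on every run, so the tree this workflow later commits to the `-build` branch depends on whatever the upstream URL serves at that moment rather than on a reviewed commit. The generated header further down in this diff names `refs/heads/master` of the torvalds/linux tree as the input, so I infer the script fetches an unpinned branch; a transient fetch failure or an upstream rename would then silently alter the model table that the job, with `persist-credentials: true`, pushes without anyone reading the change. Pin the fetch to a specific upstream commit and make the CI step a consistency check rather than a generator, e.g. `run: ./scripts/update_intel_models.sh && git diff --exit-code -- '*003_intel_models.sh'`, so a model-list update has to land as a reviewed commit. A comment on the step should state that intent, e.g. `# verifies the checked-in Intel model table matches the pinned kernel header; refresh it via a PR, not in CI`.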
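Review bot: The new `rm -rf src/` runs after `mv $tmpdir/* .`, so if the staged tree in `$tmpdir` ever contains a `src/` directory it is copied in and immediately deleted, and the build branch silently loses it. If the intent is only to purge the legacy tracked `src/` from the `-build` checkout, run it right after `git checkout -f` and before the `mv`, or use `git rm -rq --ignore-unmatch src/` so the deletion is explicit in the index and a no-op once the directory is gone. The enclosing `run:` script starts before this hunk, so whether `$tmpdir` is guaranteed to be set here is not visible.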
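Review bot: The rewritten `debug-only` line flips the fail-safe default: previously any `inputs.action` other than `apply` kept the stale bot in dry-run, whereas now any value other than `dryrun` — including an empty input on a trigger that does not supply one — runs the real close/label pass on issues. Unless every trigger of this workflow sets `inputs.action` (the `on:` block is outside this hunk), keep dry-run as the default with a plain comparison: `debug-only: ${{ inputs.action != 'apply' }}`. That form also avoids `case()`, which I could not confirm is a supported GitHub Actions expression function, whereas `!=` is.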
@@ -16,18 +16,23 @@ CVE | Name | Aliases [CVE-2018-3620](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620) | L1 Terminal Fault | Foreshadow-NG (OS/SMM) [CVE-2018-3646](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646) | L1 Terminal Fault | Foreshadow-NG (VMM) [CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126) | Microarchitectural Store Buffer Data Sampling | MSBDS, Fallout -[CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130) | Microarchitectural Fill Buffer Data Sampling | MFBDS, ZombieLoad [CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127) | Microarchitectural Load Port Data Sampling | MLPDS, RIDL +[CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130) | Microarchitectural Fill Buffer Data Sampling | MFBDS, ZombieLoad +[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses [CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | Microarchitectural Data Sampling Uncacheable Memory | MDSUM, RIDL [CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX Asynchronous Abort | TAA, ZombieLoad V2 -[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | iTLB Multihit, No eXcuses [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS, CROSSTalk +[CVE-2022-29900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (AMD) +[CVE-2022-29901](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901) | Arbitrary Speculative Code Execution with Return Instructions | Retbleed (Intel), RSBA [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) 
| Gather Data Sampling | Downfall, GDS [CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, SRSO [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed [CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix Issue | Reptar +[CVE-2024-28956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28956) | Indirect Target Selection | ITS [CVE-2024-36350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36350) | Transient Scheduler Attack, Store Queue | TSA-SQ [CVE-2024-36357](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36357) | Transient Scheduler Attack, L1 | TSA-L1 +[CVE-2025-40300](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40300) | VM-Exit Stale Branch Prediction | VMScape +[CVE-2024-45332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45332) | Branch Privilege Injection | BPI ## Am I at risk? 
@@ -45,18 +50,23 @@ CVE-2018-3615 (Foreshadow, SGX) | βœ… (3) | βœ… (3) | βœ… (3) | βœ… (3) | Microc CVE-2018-3620 (Foreshadow-NG, OS/SMM) | πŸ’₯ | βœ… | βœ… | βœ… | Kernel update CVE-2018-3646 (Foreshadow-NG, VMM) | βœ… | βœ… | πŸ’₯ | πŸ’₯ | Kernel update (or disable EPT/SMT) CVE-2018-12126 (MSBDS, Fallout) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update -CVE-2018-12130 (MFBDS, ZombieLoad) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update CVE-2018-12127 (MLPDS, RIDL) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update +CVE-2018-12130 (MFBDS, ZombieLoad) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update +CVE-2018-12207 (iTLB Multihit, No eXcuses) | βœ… | βœ… | ☠️ | βœ… | Hypervisor update (or disable hugepages) CVE-2019-11091 (MDSUM, RIDL) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update CVE-2019-11135 (TAA, ZombieLoad V2) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update -CVE-2018-12207 (iTLB Multihit, No eXcuses) | βœ… | βœ… | ☠️ | βœ… | Hypervisor update (or disable hugepages) CVE-2020-0543 (SRBDS, CROSSTalk) | πŸ’₯ (2) | πŸ’₯ (2) | πŸ’₯ (2) | πŸ’₯ (2) | Microcode + kernel update +CVE-2022-29900 (Retbleed AMD) | πŸ’₯ | βœ… | πŸ’₯ | βœ… | Kernel update (+ microcode for IBPB) +CVE-2022-29901 (Retbleed Intel, RSBA) | πŸ’₯ | βœ… | πŸ’₯ | βœ… | Microcode + kernel update (eIBRS or IBRS) CVE-2022-40982 (Downfall, GDS) | πŸ’₯ | πŸ’₯ | πŸ’₯ | πŸ’₯ | Microcode update (or disable AVX) CVE-2023-20569 (Inception, SRSO) | πŸ’₯ | βœ… | πŸ’₯ | βœ… | Microcode + kernel update CVE-2023-20593 (Zenbleed) | πŸ’₯ | πŸ’₯ | πŸ’₯ | πŸ’₯ | Microcode update (or kernel workaround) CVE-2023-23583 (Reptar) | ☠️ | ☠️ | ☠️ | ☠️ | Microcode update +CVE-2024-28956 (ITS) | πŸ’₯ | βœ… | πŸ’₯ (4) | βœ… | Microcode + kernel update CVE-2024-36350 (TSA-SQ) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update CVE-2024-36357 (TSA-L1) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel update 
+CVE-2025-40300 (VMScape) | βœ… | βœ… | πŸ’₯ | βœ… | Kernel update (IBPB on VM-exit) +CVE-2024-45332 (BPI) | πŸ’₯ | βœ… | πŸ’₯ | βœ… | Microcode update > πŸ’₯ Data can be leaked across this boundary. @@ -70,6 +80,8 @@ CVE-2024-36357 (TSA-L1) | πŸ’₯ | πŸ’₯ (1) | πŸ’₯ | πŸ’₯ (1) | Microcode + kernel > (3) CVE-2018-3615 (Foreshadow SGX) inverts the normal trust model: the OS reads SGX enclave data. It is irrelevant unless the system runs SGX enclaves, and the attacker must already have OS-level access. +> (4) VMβ†’Host leakage applies only to certain affected CPU models (Skylake-X, Kaby Lake, Comet Lake). Ice Lake, Tiger Lake, and Rocket Lake are only affected for native (user-to-kernel) attacks, not guest-to-host. + ## Detailed CVE descriptions
@@ -109,26 +121,34 @@ A guest VM can exploit L1TF to read memory belonging to the host or other guests **CVE-2018-12126 β€” Microarchitectural Store Buffer Data Sampling (MSBDS, Fallout)** -**CVE-2018-12130 β€” Microarchitectural Fill Buffer Data Sampling (MFBDS, ZombieLoad)** - **CVE-2018-12127 β€” Microarchitectural Load Port Data Sampling (MLPDS, RIDL)** +**CVE-2018-12130 β€” Microarchitectural Fill Buffer Data Sampling (MFBDS, ZombieLoad)** + **CVE-2019-11091 β€” Microarchitectural Data Sampling Uncacheable Memory (MDSUM, RIDL)** These four CVEs are collectively known as "MDS" (Microarchitectural Data Sampling) vulnerabilities. They exploit different CPU internal buffers β€” store buffer, fill buffer, load ports, and uncacheable memory paths β€” that can leak recently accessed data across privilege boundaries during speculative execution. An unprivileged attacker can observe data recently processed by the kernel or other processes. Mitigation requires a microcode update (providing the MD_CLEAR mechanism) plus a kernel update that uses VERW to clear affected buffers on privilege transitions. Disabling Hyper-Threading (SMT) provides additional protection because sibling threads share these buffers. The performance impact is low to significant, depending on the frequency of kernel transitions and whether SMT is disabled. -**CVE-2019-11135 β€” TSX Asynchronous Abort (TAA, ZombieLoad V2)** - -On CPUs with Intel TSX, a transactional abort can leave data from the line fill buffers in a state observable through side channels, similar to the MDS vulnerabilities but triggered through TSX. Mitigation requires a microcode update plus kernel support to either clear affected buffers or disable TSX entirely (via the TSX_CTRL MSR). The performance impact is low to significant, similar to MDS, with the option to eliminate the attack surface entirely by disabling TSX at the cost of losing transactional memory support. 
- **CVE-2018-12207 β€” Machine Check Exception on Page Size Changes (iTLB Multihit, No eXcuses)** A malicious guest VM can trigger a machine check exception (MCE) β€” crashing the entire host β€” by creating specific conditions in the instruction TLB involving page size changes. This is a denial-of-service vulnerability affecting hypervisors running untrusted guests. Mitigation requires either disabling hugepage use in the hypervisor or updating the hypervisor to avoid the problematic iTLB configurations. The performance impact ranges from low to significant depending on the approach: disabling hugepages can substantially impact memory-intensive workloads. +**CVE-2019-11135 β€” TSX Asynchronous Abort (TAA, ZombieLoad V2)** + +On CPUs with Intel TSX, a transactional abort can leave data from the line fill buffers in a state observable through side channels, similar to the MDS vulnerabilities but triggered through TSX. Mitigation requires a microcode update plus kernel support to either clear affected buffers or disable TSX entirely (via the TSX_CTRL MSR). The performance impact is low to significant, similar to MDS, with the option to eliminate the attack surface entirely by disabling TSX at the cost of losing transactional memory support. + **CVE-2020-0543 β€” Special Register Buffer Data Sampling (SRBDS, CROSSTalk)** Certain special CPU instructions (RDRAND, RDSEED, EGETKEY) read data through a shared staging buffer that is accessible across all cores via speculative execution. An attacker running code on any core can observe the output of these instructions from a victim on a different core, including extracting cryptographic keys from SGX enclaves (a complete ECDSA key was demonstrated). This is notable as one of the first cross-core speculative execution attacks. Mitigation requires a microcode update that serializes access to the staging buffer, plus a kernel update to manage the mitigation. 
Performance impact is low, mainly affecting workloads that heavily use RDRAND/RDSEED. +**CVE-2022-29900 β€” Arbitrary Speculative Code Execution with Return Instructions (Retbleed AMD)** + +On AMD processors from families 0x15 through 0x17 (Bulldozer through Zen 2) and Hygon family 0x18, an attacker can exploit return instructions to redirect speculative execution and leak kernel memory, bypassing retpoline mitigations that were effective against Spectre V2. Unlike Spectre V2 which targets indirect jumps and calls, Retbleed specifically targets return instructions, which were previously considered safe. Mitigation requires a kernel update providing either the untrained return thunk (safe RET) or IBPB-on-entry mechanism, plus a microcode update providing IBPB support on Zen 1/2. On Zen 1/2, SMT should be disabled for full protection when using IBPB-based mitigation. Performance impact is medium. + +**CVE-2022-29901 β€” Arbitrary Speculative Code Execution with Return Instructions (Retbleed Intel, RSBA)** + +On Intel Skylake through Rocket Lake processors with RSB Alternate Behavior (RSBA), return instructions can be speculatively redirected via the Branch Target Buffer when the Return Stack Buffer underflows, bypassing retpoline mitigations. Mitigation requires either Enhanced IBRS (eIBRS, via microcode update) or a kernel compiled with IBRS-on-entry support (Linux 5.19+). Call depth tracking (stuffing) is an alternative mitigation available from Linux 6.2+. Plain retpoline does NOT mitigate this vulnerability on RSBA-capable CPUs. Performance impact is medium to high. + **CVE-2022-40982 β€” Gather Data Sampling (GDS, Downfall)** The AVX GATHER instructions can leak data from previously used vector registers across privilege boundaries through the shared gather data buffer. This affects any software using AVX2 or AVX-512 on vulnerable Intel processors. 
Mitigation is provided by a microcode update that clears the gather buffer, or alternatively by disabling the AVX feature entirely. Performance impact is negligible for most workloads but can be significant (up to 50%) for AVX-heavy applications such as HPC and AI inference. 
@@ -145,6 +165,10 @@ A bug in AMD Zen 2 processors causes the VZEROUPPER instruction to incorrectly z A bug in Intel processors causes unexpected behavior when executing instructions with specific redundant REX prefixes. Depending on the circumstances, this can result in a system crash (MCE), unpredictable behavior, or potentially privilege escalation. Any software running on an affected CPU can trigger the bug. Mitigation requires a microcode update. Performance impact is low. +**CVE-2024-28956 β€” Indirect Target Selection (ITS)** + +On certain Intel processors (Skylake-X stepping 6+, Kaby Lake, Comet Lake, Ice Lake, Tiger Lake, Rocket Lake), an attacker can train the indirect branch predictor to speculatively execute a targeted gadget in the kernel, bypassing eIBRS protections. The Branch Target Buffer (BTB) uses only partial address bits to index indirect branch targets, allowing user-space code to influence kernel-space speculative execution. Some affected CPUs (Ice Lake, Tiger Lake, Rocket Lake) are only vulnerable to native user-to-kernel attacks, not guest-to-host (VMX) attacks. Mitigation requires both a microcode update (IPU 2025.1 / microcode-20250512+, which fixes IBPB to fully flush indirect branch predictions) and a kernel update (CONFIG_MITIGATION_ITS, Linux 6.15+) that aligns branch/return thunks or uses RSB stuffing. Performance impact is low. + **CVE-2024-36350 β€” Transient Scheduler Attack, Store Queue (TSA-SQ)** On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculatively retrieve stale data from the store queue during certain timing windows, allowing an attacker to infer data from previous store operations across privilege boundaries. The attack can also leak data between SMT sibling threads. 
Mitigation requires both a microcode update (exposing the VERW_CLEAR capability) and a kernel update (CONFIG_MITIGATION_TSA, Linux 6.16+) that uses the VERW instruction to clear CPU buffers on user/kernel transitions and before VMRUN. The kernel also clears buffers on idle when SMT is active. Performance impact is low to medium. 
@@ -153,8 +177,23 @@ On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculative On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculatively retrieve stale data from the L1 data cache during certain timing windows, allowing an attacker to infer data in the L1D cache across privilege boundaries. Mitigation requires the same microcode and kernel updates as TSA-SQ: a microcode update exposing VERW_CLEAR and a kernel update (CONFIG_MITIGATION_TSA, Linux 6.16+) that clears CPU buffers via VERW on privilege transitions. Performance impact is low to medium. +**CVE-2025-40300 β€” VM-Exit Stale Branch Prediction (VMScape)** + +After a guest VM exits to the host, stale branch predictions from the guest can influence host-side speculative execution before the kernel returns to userspace, allowing a local attacker to leak host kernel memory. This affects Intel processors from Sandy Bridge through Arrow Lake/Lunar Lake, AMD Zen 1 through Zen 5 families, and Hygon family 0x18. Only systems running a hypervisor with untrusted guests are at risk. Mitigation requires a kernel update (CONFIG_MITIGATION_VMSCAPE, Linux 6.18+) that issues IBPB before returning to userspace after a VM exit. No specific microcode update is required beyond existing IBPB support. Performance impact is low. + +**CVE-2024-45332 β€” Branch Privilege Injection (BPI)** + +A race condition in the branch predictor update mechanism of Intel processors (Coffee Lake through Raptor Lake, plus some server and Atom parts) allows user-space branch predictions to briefly influence kernel-space speculative execution, undermining eIBRS and IBPB protections. This means systems relying solely on eIBRS for Spectre V2 mitigation may not be fully protected without the microcode fix. Mitigation requires a microcode update (intel-microcode 20250512+) that fixes the asynchronous branch predictor update timing so that eIBRS and IBPB work as originally intended. 
No kernel changes are required. Performance impact is negligible. +
+## Unsupported CVEs + +Several transient execution CVEs are not covered by this tool, for various reasons (duplicates, only +affecting non-supported hardware or OS, theoretical with no known exploitation, etc.). +The complete list along with the reason for each exclusion is available in the +[UNSUPPORTED_CVE_LIST.md](https://github.com/speed47/spectre-meltdown-checker/blob/source/UNSUPPORTED_CVE_LIST.md) file. + ## Scope Supported operating systems: diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 9d2bd8a..b98cac1 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -13,7 +13,7 @@ # # Stephane Lesimple # -VERSION='26.21.0402701' +VERSION='26.26.0404682' # --- Common paths and basedirs --- readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities" @@ -46,8 +46,8 @@ exit_cleanup() { # if we were git clone'd, adjust VERSION if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then - g_describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null) - [ -n "$g_describe" ] && VERSION=$(echo "$g_describe" | sed -e s/^v//) + g_commit=$(git -C "$(dirname "$0")" describe --always --dirty --abbrev=7 --match=- 2>/dev/null) + [ -n "$g_commit" ] && VERSION="$VERSION-git$g_commit" fi # >>>>>> libs/002_core_globals.sh <<<<<< 
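Review bot: The rewritten `git describe` is still executed against whatever `.git` sits beside the script, and `--dirty` refreshes the index, so when the checker is run as root (its usual mode) from a clone owned by another user, a git old enough to lack the repository-ownership check can honour that repository's config — including command-valued settings such as `core.fsmonitor` — with root privileges, while a newer git refuses and the suppressed stderr merely drops the version suffix. Guarding on ownership costs one test: `if [ -d "$(dirname "$0")/.git" ] && [ -O "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then`. Separately, `--match=-` reads like a typo; a comment such as `# --match=- matches no tag, so --always yields the bare abbreviated commit id` would stop the next reader from "fixing" it. The surrounding block begins before this hunk.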
@@ -209,10 +209,15 @@ CVE-2018-12207|ITLBMH|itlbmh|No eXcuses, iTLB Multihit, machine check exception
 CVE-2020-0543|SRBDS|srbds|Special Register Buffer Data Sampling (SRBDS)
 CVE-2023-20593|ZENBLEED|zenbleed|Zenbleed, cross-process information leak
 CVE-2022-40982|DOWNFALL|downfall|Downfall, gather data sampling (GDS)
+CVE-2022-29900|RETBLEED AMD|retbleed|Retbleed, arbitrary speculative code execution with return instructions (AMD)
+CVE-2022-29901|RETBLEED INTEL|retbleed|Retbleed, arbitrary speculative code execution with return instructions (Intel)
 CVE-2023-20569|INCEPTION|inception|Inception, return address security (RAS)
 CVE-2023-23583|REPTAR|reptar|Reptar, redundant prefix issue
 CVE-2024-36350|TSA_SQ|tsa|Transient Scheduler Attack - Store Queue (TSA-SQ)
 CVE-2024-36357|TSA_L1|tsa|Transient Scheduler Attack - L1 (TSA-L1)
+CVE-2024-28956|ITS|its|Indirect Target Selection (ITS)
+CVE-2025-40300|VMSCAPE|vmscape|VMScape, VM-exit stale branch prediction
+CVE-2024-45332|BPI|bpi|Branch Privilege Injection (BPI)
 '
 
 # Derive the supported CVE list from the registry
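Review bot: CVE-2022-29900 and CVE-2022-29901 are registered under the same internal key `retbleed` even though their affected-CPU sets are disjoint (AMD/Hygon versus Intel), so whichever vendor-specific check sets `retbleed` vulnerable will, as far as this registry can tell, mark both CVEs at once — an Intel host would be reported as affected by the AMD CVE and vice versa. The `tsa` entries share a key too, but both TSA CVEs apply to the same Zen 3/4 parts, so that precedent does not carry over. Unless the reporting layer (outside this hunk) filters verdicts by vendor, give each CVE its own key, e.g. `CVE-2022-29900|RETBLEED AMD|retbleed_amd|…` and `CVE-2022-29901|RETBLEED INTEL|retbleed_intel|…`, and have each vendor branch set only its own.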
@@ -253,6 +258,114 @@ fi # still empty? fallback to builtin [ -z "$g_echo_cmd" ] && g_echo_cmd='echo' +# >>>>>> libs/003_intel_models.sh <<<<<< + +# vim: set ts=4 sw=4 sts=4 et: +# AUTO-GENERATED FILE β€” DO NOT EDIT MANUALLY. +# Generated by scripts/update_intel_models.sh from: +# https://raw.githubusercontent.com/torvalds/linux/refs/heads/master/arch/x86/include/asm/intel-family.h +# Run scripts/update_intel_models.sh to refresh when new Intel CPU families are added to the kernel. +# shellcheck disable=SC2034 +{ + readonly INTEL_FAM5_PENTIUM_75=$((0x02)) # /* P54C */ + readonly INTEL_FAM5_PENTIUM_MMX=$((0x04)) # /* P55C */ + readonly INTEL_FAM5_QUARK_X1000=$((0x09)) # /* Quark X1000 SoC */ + readonly INTEL_FAM6_PENTIUM_PRO=$((0x01)) + readonly INTEL_FAM6_PENTIUM_II_KLAMATH=$((0x03)) + readonly INTEL_FAM6_PENTIUM_III_DESCHUTES=$((0x05)) + readonly INTEL_FAM6_PENTIUM_III_TUALATIN=$((0x0B)) + readonly INTEL_FAM6_PENTIUM_M_DOTHAN=$((0x0D)) + readonly INTEL_FAM6_CORE_YONAH=$((0x0E)) + readonly INTEL_FAM6_CORE2_MEROM=$((0x0F)) + readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16)) + readonly INTEL_FAM6_CORE2_PENRYN=$((0x17)) + readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D)) + readonly INTEL_FAM6_NEHALEM=$((0x1E)) + readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */ + readonly INTEL_FAM6_NEHALEM_EP=$((0x1A)) + readonly INTEL_FAM6_NEHALEM_EX=$((0x2E)) + readonly INTEL_FAM6_WESTMERE=$((0x25)) + readonly INTEL_FAM6_WESTMERE_EP=$((0x2C)) + readonly INTEL_FAM6_WESTMERE_EX=$((0x2F)) + readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A)) + readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D)) + readonly INTEL_FAM6_IVYBRIDGE=$((0x3A)) + readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E)) + readonly INTEL_FAM6_HASWELL=$((0x3C)) + readonly INTEL_FAM6_HASWELL_X=$((0x3F)) + readonly INTEL_FAM6_HASWELL_L=$((0x45)) + readonly INTEL_FAM6_HASWELL_G=$((0x46)) + readonly INTEL_FAM6_BROADWELL=$((0x3D)) + readonly INTEL_FAM6_BROADWELL_G=$((0x47)) + readonly INTEL_FAM6_BROADWELL_X=$((0x4F)) + readonly 
INTEL_FAM6_BROADWELL_D=$((0x56)) + readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */ + readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* Sky Lake */ + readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */ + readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* Sky Lake */ + readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */ + readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */ + readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */ + readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */ + readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */ + readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */ + readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */ + readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */ + readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */ + readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */ + readonly INTEL_FAM6_EMERALDRAPIDS_X=$((0xCF)) # /* Raptor Cove */ + readonly INTEL_FAM6_GRANITERAPIDS_X=$((0xAD)) # /* Redwood Cove */ + readonly INTEL_FAM6_GRANITERAPIDS_D=$((0xAE)) + readonly INTEL_FAM19_DIAMONDRAPIDS_X=$((0x01)) # /* Panther Cove */ + readonly INTEL_FAM6_BARTLETTLAKE=$((0xD7)) # /* Raptor Cove */ + readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */ + readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */ + readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */ + readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) # /* Raptor Cove / Enhanced Gracemont */ + readonly INTEL_FAM6_RAPTORLAKE_P=$((0xBA)) + readonly INTEL_FAM6_RAPTORLAKE_S=$((0xBF)) + readonly INTEL_FAM6_METEORLAKE=$((0xAC)) # /* Redwood Cove / Crestmont */ + readonly INTEL_FAM6_METEORLAKE_L=$((0xAA)) + readonly INTEL_FAM6_ARROWLAKE_H=$((0xC5)) # /* Lion Cove / Skymont */ + readonly 
INTEL_FAM6_ARROWLAKE=$((0xC6)) + readonly INTEL_FAM6_ARROWLAKE_U=$((0xB5)) + readonly INTEL_FAM6_LUNARLAKE_M=$((0xBD)) # /* Lion Cove / Skymont */ + readonly INTEL_FAM6_PANTHERLAKE_L=$((0xCC)) # /* Cougar Cove / Darkmont */ + readonly INTEL_FAM6_WILDCATLAKE_L=$((0xD5)) + readonly INTEL_FAM18_NOVALAKE=$((0x01)) # /* Coyote Cove / Arctic Wolf */ + readonly INTEL_FAM18_NOVALAKE_L=$((0x03)) # /* Coyote Cove / Arctic Wolf */ + readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */ + readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */ + readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */ + readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */ + readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */ + readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */ + readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */ + readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */ + readonly INTEL_FAM6_ATOM_SILVERMONT_MID2=$((0x5A)) # /* Anniedale */ + readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */ + readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */ + readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */ + readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) # /* Denverton */ + readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */ + readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */ + readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */ + readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */ + readonly INTEL_FAM6_ATOM_GRACEMONT=$((0xBE)) # /* Alderlake N */ + readonly INTEL_FAM6_ATOM_CRESTMONT_X=$((0xAF)) # /* Sierra Forest */ + readonly INTEL_FAM6_ATOM_CRESTMONT=$((0xB6)) # /* Grand Ridge */ + readonly INTEL_FAM6_ATOM_DARKMONT_X=$((0xDD)) # /* Clearwater Forest */ + readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */ + readonly 
INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */ + readonly INTEL_FAM15_P4_WILLAMETTE=$((0x01)) # /* Also Xeon Foster */ + readonly INTEL_FAM15_P4_PRESCOTT=$((0x03)) + readonly INTEL_FAM15_P4_PRESCOTT_2M=$((0x04)) + readonly INTEL_FAM15_P4_CEDARMILL=$((0x06)) # /* Also Xeon Dempsey */ +} + # >>>>>> libs/100_output_print.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: @@ -408,7 +521,7 @@ _is_cpu_affected_cached() { # Args: $1=cve_id (one of the $g_supported_cve_list items) # Returns: 0 if affected, 1 if not affected is_cpu_affected() { - local result cpuid_hex reptar_ucode_list tuple fixed_ucode_ver affected_fmspi affected_fms ucode_platformid_mask affected_cpuid i cpupart cpuarch + local result cpuid_hex reptar_ucode_list bpi_ucode_list tuple fixed_ucode_ver affected_fmspi affected_fms ucode_platformid_mask affected_cpuid i cpupart cpuarch # if CPU is Intel and is in our dump of the Intel official affected CPUs page, use it: if is_intel; then @@ -470,9 +583,15 @@ is_cpu_affected() { _set_immune inception # TSA is AMD specific (Zen 3/4), look for "is_amd" below: _set_immune tsa - # Downfall & Reptar are Intel specific, look for "is_intel" below: + # Retbleed: AMD (CVE-2022-29900) and Intel (CVE-2022-29901) specific: + _set_immune retbleed + # Downfall, Reptar, ITS & BPI are Intel specific, look for "is_intel" below: _set_immune downfall _set_immune reptar + _set_immune its + _set_immune bpi + # VMScape affects Intel, AMD and Hygon β€” set immune, overridden below: + _set_immune vmscape if is_cpu_mds_free; then _infer_immune msbds 
@@ -492,6 +611,14 @@ is_cpu_affected() {
 pr_debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling"
 fi
 
+ # NO_SPECTRE_V2: Centaur family 7 and Zhaoxin family 7 are immune to Spectre V2
+ # kernel commit 1e41a766c98b (v5.6-rc1): added NO_SPECTRE_V2 exemption
+ # Zhaoxin vendor_id is " Shanghai " in cpuinfo (parsed as "Shanghai" by awk)
+ if { [ "$cpu_vendor" = "CentaurHauls" ] || [ "$cpu_vendor" = "Shanghai" ]; } && [ "$cpu_family" = 7 ]; then
+ _infer_immune variant2
+ pr_debug "is_cpu_affected: Centaur/Zhaoxin family 7 immune to Spectre V2 (NO_SPECTRE_V2)"
+ fi
+
 if is_cpu_specex_free; then
 _set_immune variant1
 _set_immune variant2
@@ -561,7 +688,7 @@ is_cpu_affected() {
 [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
- [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_NP" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
@@ -588,9 +715,12 @@ is_cpu_affected() {
 pr_debug "is_cpu_affected: downfall: not affected (GDS_NO)"
 _set_immune downfall
 elif [ "$cpu_family" = 6 ]; then
- # list from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64094e7e3118aff4b0be8ff713c242303e139834
+ # model blacklist from the kernel (arch/x86/kernel/cpu/common.c cpu_vuln_blacklist):
+ # 8974eb588283 (initial list) + c9f4c45c8ec3 (added Skylake/Skylake_L client)
 set -u
- if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
+ if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] ||
 [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] ||
@@ -605,10 +735,38 @@ is_cpu_affected() {
 _set_vuln downfall
 elif [ "$cap_avx2" = 0 ] && [ "$cap_avx512" = 0 ]; then
 pr_debug "is_cpu_affected: downfall: no avx; immune"
+ _infer_immune downfall
 else
- # old Intel CPU (not in their DB), not listed as being affected by the Linux kernel,
- # but with AVX2 or AVX512: unclear for now
- pr_debug "is_cpu_affected: downfall: unclear, defaulting to non-affected for now"
+ # Intel family 6 CPU with AVX2 or AVX512, not in the known-affected list
+ # and GDS_NO not set: assume affected (whitelist principle)
+ pr_debug "is_cpu_affected: downfall: unknown AVX-capable CPU, defaulting to affected"
+ _infer_vuln downfall
+ fi
+ set +u
+ fi
+ # ITS (Indirect Target Selection, CVE-2024-28956)
+ # kernel vulnerable_to_its() + cpu_vuln_blacklist (159013a7ca18)
+ # immunity: ARCH_CAP_ITS_NO (bit 62 of IA32_ARCH_CAPABILITIES)
+ # immunity: X86_FEATURE_BHI_CTRL (none of the affected CPUs have this)
+ # vendor scope: Intel only (family 6), with stepping constraints on some models
+ if [ "$cap_its_no" = 1 ]; then
+ pr_debug "is_cpu_affected: its: not affected (ITS_NO)"
+ _set_immune its
+ elif [ "$cpu_family" = 6 ]; then
+ set -u
+ if { [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] && [ "$cpu_stepping" -gt 5 ]; } ||
+ { [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] && [ "$cpu_stepping" -gt 11 ]; } ||
+ { [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] && [ "$cpu_stepping" -gt 12 ]; } ||
+ [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_D" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_X" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE_L" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE" ] ||
+ [ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then
+ pr_debug "is_cpu_affected: its: affected"
+ _set_vuln its
 fi
 set +u
 fi
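Review bot: The ITS header comment lists `X86_FEATURE_BHI_CTRL` as an immunity condition, but nothing in the code below checks it, and if I read the kernel helper the comment cites correctly, `vulnerable_to_its()` also treats a guest whose hypervisor does not expose `ITS_NO` as affected — on such a VM this block reports nothing while the kernel assumes the worst. Either drop the BHI_CTRL line from the comment or wire it in (`elif [ "$cap_bhi_ctrl" = 1 ]; then _set_immune its`, using whatever name the capability parser outside this hunk already exposes), and consider `_infer_vuln its` when running under a hypervisor without `ITS_NO`. Also, `[ "$cpu_stepping" -gt 5 ]` prints a test error and evaluates false when `cpu_stepping` is empty or non-numeric, so the three stepping-gated branches silently fall through; defaulting it before the test, e.g. `: "${cpu_stepping:=0}"`, keeps the comparison well-defined. The `is_cpu_affected` function continues past this hunk.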
@@ -617,16 +775,17 @@ is_cpu_affected() { # as the mitigation is only ucode-based and there's no flag exposed by the kernel or by an updated ucode. # we have to hardcode the truthtable of affected CPUs vs updated ucodes... # https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/redundant-prefix-issue.html - # list taken from: + # list initially taken from: # https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/commit/ece0d294a29a1375397941a4e6f2f7217910bc89#diff-e6fad0f2abbac6c9603b2e8f88fe1d151a83de708aeca1c1d93d881c958ecba4R26 - # both pages have a lot of inconsistencies, I've tried to fix the errors the best I could, the logic being: if it's not in the - # blog page, then the microcode update in the commit is not related to reptar, if microcode versions differ, then the one in github is correct, - # if a stepping exists in the blog page but not in the commit, then the blog page is right + # updated 2026-04 with Intel affected processor list + releasenote.md: + # added 06-9a-04/40 (AZB), 06-bd-01/80 (Lunar Lake, post-dates Reptar: first ucode already includes fix) + g_reptar_fixed_ucode_version='' reptar_ucode_list=' 06-97-02/07,00000032 06-97-05/07,00000032 06-9a-03/80,00000430 06-9a-04/80,00000430 +06-9a-04/40,00000005 06-6c-01/10,01000268 06-6a-06/87,0d0003b9 06-7e-05/80,000000c2 @@ -647,6 +806,7 @@ is_cpu_affected() { 06-8d-01/c2,0000004e 06-8d-00/c2,0000004e 06-8c-02/c2,00000034 +06-bd-01/80,0000011f ' for tuple in $reptar_ucode_list; do fixed_ucode_ver=$((0x$(echo "$tuple" | cut -d, -f2))) 
@@ -660,12 +820,208 @@ is_cpu_affected() { 0x"$(echo "$affected_fms" | cut -d- -f3)" ) if [ "$cpu_cpuid" = "$affected_cpuid" ] && [ $((cpu_platformid & ucode_platformid_mask)) -gt 0 ]; then - # this is not perfect as Intel never tells about their EOL CPUs, so more CPUs might be affected but there's no way to tell _set_vuln reptar g_reptar_fixed_ucode_version=$fixed_ucode_ver break fi done + # if we didn't match the ucode list above, also check the model blacklist: + # Intel never tells about their EOL CPUs, so more CPUs might be affected + # than the ones that received a microcode update (e.g. steppings with + # different platform IDs that were dropped before the Reptar fix). + if [ -z "$g_reptar_fixed_ucode_version" ] && [ "$cpu_family" = 6 ]; then + set -u + if [ "$cpu_model" = "$INTEL_FAM6_ALDERLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_ALDERLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_D" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_SAPPHIRERAPIDS_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE_P" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE_S" ] || + [ "$cpu_model" = "$INTEL_FAM6_LUNARLAKE_M" ]; then + pr_debug "is_cpu_affected: reptar: affected (model match, no known fixing ucode)" + _set_vuln reptar + fi + set +u + fi + + # Retbleed (Intel, CVE-2022-29901): Skylake through Rocket Lake, or any CPU with RSBA + # kernel cpu_vuln_blacklist for RETBLEED (6b80b59b3555, 6ad0ad2bf8a6, f54d45372c6a) + # plus ARCH_CAP_RSBA catch-all (bit 2 of IA32_ARCH_CAPABILITIES) + if [ "$cap_rsba" = 1 ]; then + _set_vuln retbleed + elif [ "$cpu_family" = 6 ]; then + if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] || + [ "$cpu_model" = 
"$INTEL_FAM6_SKYLAKE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_CANNONLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_LAKEFIELD" ] || + [ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then + _set_vuln retbleed + fi + fi + + # VMScape (CVE-2025-40300): Intel model blacklist + # kernel cpu_vuln_blacklist VMSCAPE (a508cec6e521 + 8a68d64bb103) + # immunity: no ARCH_CAP bits (purely blacklist-based) + # note: kernel only sets bug on bare metal (!X86_FEATURE_HYPERVISOR) + # vendor scope: Intel + AMD + Hygon (AMD/Hygon handled below) + if [ "$cpu_family" = 6 ]; then + set -u + if [ "$cpu_model" = "$INTEL_FAM6_SANDYBRIDGE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_SANDYBRIDGE" ] || + [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] || + [ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] || + [ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] || + [ "$cpu_model" = "$INTEL_FAM6_HASWELL_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_BROADWELL_D" ] || + [ "$cpu_model" = "$INTEL_FAM6_BROADWELL_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] || + [ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_CANNONLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ALDERLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_ALDERLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE_P" ] || + [ 
"$cpu_model" = "$INTEL_FAM6_RAPTORLAKE_S" ] || + [ "$cpu_model" = "$INTEL_FAM6_METEORLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ARROWLAKE_H" ] || + [ "$cpu_model" = "$INTEL_FAM6_ARROWLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_ARROWLAKE_U" ] || + [ "$cpu_model" = "$INTEL_FAM6_LUNARLAKE_M" ] || + [ "$cpu_model" = "$INTEL_FAM6_SAPPHIRERAPIDS_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_GRANITERAPIDS_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_EMERALDRAPIDS_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_GRACEMONT" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_CRESTMONT_X" ]; then + pr_debug "is_cpu_affected: vmscape: affected" + _set_vuln vmscape + fi + set +u + fi + + # BPI (Branch Privilege Injection, CVE-2024-45332) + # microcode-only fix, no kernel X86_BUG flag, no CPUID/MSR indicator for the fix. + # We have to hardcode the truthtable of affected CPUs vs fixing ucodes, + # same approach as Reptar (see above). + # https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-branch-predictor-delayed-updates.html + # list taken from Intel affected processor list + Intel-Linux-Processor-Microcode-Data-Files releasenote.md + # format: FF-MM-SS/platformid_mask,fixed_ucode_version + g_bpi_fixed_ucode_version='' + bpi_ucode_list=' +06-9e-0d/22,00000104 +06-8e-0a/c0,000000f6 +06-8e-0b/d0,000000f6 +06-8e-0c/94,00000100 +06-a5-02/20,00000100 +06-a5-03/22,00000100 +06-a5-05/22,00000100 +06-a6-00/80,00000102 +06-a6-01/80,00000100 +06-a7-01/02,00000065 +06-7e-05/80,000000cc +06-6a-06/87,0d000421 +06-6c-01/10,010002f1 +06-8c-01/80,000000be +06-8c-02/c2,0000003e +06-8d-01/c2,00000058 +06-97-02/07,0000003e +06-97-05/07,0000003e +06-9a-03/80,0000043b +06-9a-04/80,0000043b +06-9a-04/40,0000000c +06-be-00/19,00000021 +06-b7-01/32,00000133 +06-ba-02/e0,00006134 +06-ba-03/e0,00006134 +06-bf-02/07,0000003e +06-bf-05/07,0000003e +06-aa-04/e6,00000028 +06-b5-00/80,0000000d +06-c5-02/82,0000011b +06-c6-02/82,0000011b +06-bd-01/80,00000125 
+06-55-0b/bf,07002b01 +06-8f-07/87,2b000661 +06-8f-08/87,2b000661 +06-8f-08/10,2c000421 +06-cf-02/87,210002d3 +06-7a-08/01,00000026 +' + for tuple in $bpi_ucode_list; do + fixed_ucode_ver=$((0x$(echo "$tuple" | cut -d, -f2))) + affected_fmspi=$(echo "$tuple" | cut -d, -f1) + affected_fms=$(echo "$affected_fmspi" | cut -d/ -f1) + ucode_platformid_mask=0x$(echo "$affected_fmspi" | cut -d/ -f2) + affected_cpuid=$( + fms2cpuid \ + 0x"$(echo "$affected_fms" | cut -d- -f1)" \ + 0x"$(echo "$affected_fms" | cut -d- -f2)" \ + 0x"$(echo "$affected_fms" | cut -d- -f3)" + ) + if [ "$cpu_cpuid" = "$affected_cpuid" ] && [ $((cpu_platformid & ucode_platformid_mask)) -gt 0 ]; then + _set_vuln bpi + g_bpi_fixed_ucode_version=$fixed_ucode_ver + break + fi + done + # if we didn't match the ucode list above, also check the model blacklist: + # Intel never tells about their EOL CPUs, so more CPUs might be affected + # than the ones that received a microcode update. In that case, we flag + # the CPU as affected but g_bpi_fixed_ucode_version stays empty (the CVE + # check will handle this by reporting VULN with no known fix). 
+ if [ -z "$g_bpi_fixed_ucode_version" ] && [ "$cpu_family" = 6 ]; then + set -u + if [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_D" ] || + [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_ALDERLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_ALDERLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_GRACEMONT" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE_P" ] || + [ "$cpu_model" = "$INTEL_FAM6_RAPTORLAKE_S" ] || + [ "$cpu_model" = "$INTEL_FAM6_METEORLAKE_L" ] || + [ "$cpu_model" = "$INTEL_FAM6_ARROWLAKE_H" ] || + [ "$cpu_model" = "$INTEL_FAM6_ARROWLAKE" ] || + [ "$cpu_model" = "$INTEL_FAM6_ARROWLAKE_U" ] || + [ "$cpu_model" = "$INTEL_FAM6_LUNARLAKE_M" ] || + [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_SAPPHIRERAPIDS_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_EMERALDRAPIDS_X" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_CRESTMONT" ]; then + pr_debug "is_cpu_affected: bpi: affected (model match, no known fixing ucode)" + _set_vuln bpi + fi + set +u + fi elif is_amd || is_hygon; then # AMD revised their statement about affected_variant2 => affected 
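Review bot: The Retbleed model comparison block has no `set -u` guard, unlike the Reptar, VMScape and BPI blocks around it, so if one of the `INTEL_FAM6_*` names it references is missing from the generated model list (the static definitions are deleted from parse_cpu_details in this same diff), the comparison silently evaluates against an empty string and the CPU is never flagged instead of aborting loudly; wrap it in `set -u` / `set +u` like its siblings and add a `pr_debug "is_cpu_affected: retbleed: affected"` for parity. The VMScape comment notes that the kernel sets the bug only on bare metal, but the code applies the blacklist unconditionally, so guests will see is_cpu_affected disagree with the kernel's sysfs verdict; either mirror that condition or state in the comment that the CVE check reconciles it. The BPI tuple loop is a verbatim copy of the Reptar loop above it; a shared helper taking the list and returning the fixed version would remove the duplication. is_cpu_affected continues outside this hunk.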
@@ -703,6 +1059,25 @@ is_cpu_affected() { _set_vuln tsa fi + # Retbleed (AMD, CVE-2022-29900): families 0x15-0x17 (kernel X86_BUG_RETBLEED) + if [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ] || [ "$cpu_family" = $((0x17)) ]; then + _set_vuln retbleed + fi + + # VMScape (CVE-2025-40300): AMD families 0x17/0x19/0x1a, Hygon family 0x18 + # kernel cpu_vuln_blacklist VMSCAPE (a508cec6e521) + if is_amd; then + if [ "$cpu_family" = $((0x17)) ] || [ "$cpu_family" = $((0x19)) ] || [ "$cpu_family" = $((0x1a)) ]; then + pr_debug "is_cpu_affected: vmscape: AMD family $cpu_family affected" + _set_vuln vmscape + fi + elif is_hygon; then + if [ "$cpu_family" = $((0x18)) ]; then + pr_debug "is_cpu_affected: vmscape: Hygon family $cpu_family affected" + _set_vuln vmscape + fi + fi + elif [ "$cpu_vendor" = CAVIUM ]; then _set_immune variant3 _set_immune variant3a @@ -826,7 +1201,7 @@ is_cpu_affected() { [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ] || - [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || + [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID2" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then 
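Review bot: The AMD Retbleed branch tests families 0x15-0x17 only, yet it sits under `elif is_amd || is_hygon`, so Hygon CPUs are never flagged; as far as I recall the kernel RETBLEED blacklist cited in the Intel comment (6b80b59b3555) also lists Hygon family 0x18, the same family this hunk handles for VMScape two blocks later, so please confirm against the kernel source and, if so, add `|| { is_hygon && [ "$cpu_family" = $((0x18)) ]; }` to the condition. A pr_debug line there would also give parity with the VMScape branches. is_cpu_affected continues outside this hunk.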
@@ -845,12 +1220,13 @@ is_cpu_affected() { _infer_immune itlbmh fi - # shellcheck disable=SC2154 # affected_zenbleed/inception/tsa/downfall/reptar set via eval (_set_immune) + # shellcheck disable=SC2154 # affected_zenbleed/inception/retbleed/tsa/downfall/reptar/its/vmscape/bpi set via eval (_set_immune) { pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a" pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds" pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds" - pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar" + pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception retbleed=$affected_retbleed tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar its=$affected_its" + pr_debug "is_cpu_affected: final results: vmscape=$affected_vmscape bpi=$affected_bpi" } affected_variantl1tf_sgx="$affected_variantl1tf" # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow @@ -892,6 +1268,13 @@ is_cpu_specex_free() { return 0 fi fi + # Centaur family 5 and NSC family 5 are also non-speculative + if [ "$cpu_vendor" = "CentaurHauls" ] && [ "$cpu_family" = 5 ]; then + return 0 + fi + if [ "$cpu_vendor" = "Geode by NSC" ] && [ "$cpu_family" = 5 ]; then + return 0 + fi [ "$cpu_family" = 4 ] && return 0 return 1 } 
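Review bot: The two new family-5 checks in is_cpu_specex_free cover Centaur and NSC, but the Spectre V2 comment added elsewhere in this diff lists the kernel's NO_SPECULATION set as Centaur/Intel/NSC/Vortex family 5; if Vortex is not already handled above the hunk, it is missing here, e.g. `[ "$cpu_vendor" = "Vortex86 SoC" ] && [ "$cpu_family" = 5 ] && return 0` (vendor string per the kernel's vortex.c, please confirm). The two added `if` blocks could also collapse into the same one-liner form as the `[ "$cpu_family" = 4 ] && return 0` line below them. The start of is_cpu_specex_free is outside the hunk.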
@@ -1448,7 +1831,7 @@ while [ -n "${1:-}" ]; do case "$2" in help) echo "The following parameters are supported for --variant (can be used multiple times):" - echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, inception, reptar, tsa, tsa-sq, tsa-l1" + echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, retbleed, inception, reptar, tsa, tsa-sq, tsa-l1, its, vmscape, bpi" exit 0 ;; 1) @@ -1511,6 +1894,10 @@ while [ -n "${1:-}" ]; do opt_cve_list="$opt_cve_list CVE-2022-40982" opt_cve_all=0 ;; + retbleed) + opt_cve_list="$opt_cve_list CVE-2022-29900 CVE-2022-29901" + opt_cve_all=0 + ;; inception) opt_cve_list="$opt_cve_list CVE-2023-20569" opt_cve_all=0 @@ -1531,6 +1918,18 @@ while [ -n "${1:-}" ]; do opt_cve_list="$opt_cve_list CVE-2024-36357" opt_cve_all=0 ;; + its) + opt_cve_list="$opt_cve_list CVE-2024-28956" + opt_cve_all=0 + ;; + vmscape) + opt_cve_list="$opt_cve_list CVE-2025-40300" + opt_cve_all=0 + ;; + bpi) + opt_cve_list="$opt_cve_list CVE-2024-45332" + opt_cve_all=0 + ;; *) echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2 exit 255 
@@ -1708,18 +2107,28 @@ pvulnstatus() { shift 2 pr_info_nol "> \033[46m\033[30mSTATUS:\033[0m " : "${g_final_summary:=}" + : "${g_final_summary_count:=0}" + g_final_summary_count=$((g_final_summary_count + 1)) + # wrap to a new line every 4 entries for readability + if [ "$g_final_summary_count" -gt 1 ] && [ $((g_final_summary_count % 4)) -eq 1 ]; then + g_final_summary="$g_final_summary\n " + fi + # pad entry to fixed width so columns align despite varying CVE ID lengths case "$vulnstatus" in UNK) pstatus yellow 'UNKNOWN' "$@" - g_final_summary="$g_final_summary \033[43m\033[30m$g_pvulnstatus_last_cve:??\033[0m" + _summary_label=$(printf "%-17s" "$g_pvulnstatus_last_cve:??") + g_final_summary="$g_final_summary \033[43m\033[30m$_summary_label\033[0m" ;; VULN) pstatus red 'VULNERABLE' "$@" - g_final_summary="$g_final_summary \033[41m\033[30m$g_pvulnstatus_last_cve:KO\033[0m" + _summary_label=$(printf "%-17s" "$g_pvulnstatus_last_cve:KO") + g_final_summary="$g_final_summary \033[41m\033[30m$_summary_label\033[0m" ;; OK) pstatus green 'NOT VULNERABLE' "$@" - g_final_summary="$g_final_summary \033[42m\033[30m$g_pvulnstatus_last_cve:OK\033[0m" + _summary_label=$(printf "%-17s" "$g_pvulnstatus_last_cve:OK") + g_final_summary="$g_final_summary \033[42m\033[30m$_summary_label\033[0m" ;; *) echo "$0: error: unknown status '$vulnstatus' passed to pvulnstatus()" >&2 
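Review bot: The pad width 17 in the three `printf "%-17s"` calls is an unexplained magic number; it is exactly the length of `CVE-YYYY-NNNNN:KO`, so a six-digit CVE sequence number will silently break the alignment. Hoist it into one named variable with a comment, e.g. `_summary_width=17  # len("CVE-YYYY-NNNNN:KO"); widen if longer CVE ids appear`, and use it in all three branches. `_summary_label` is also a new global; if pvulnstatus declares locals above the hunk, add it there. The start of pvulnstatus is outside the hunk.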
@@ -2586,76 +2995,6 @@ parse_cpu_details() { g_ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x pfid 0x%x" \ "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid" "$cpu_platformid") - # also define those that we will need in other funcs - # taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h - # curl -s 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/include/asm/intel-family.h' | awk '/#define INTEL_FAM6/ {print $2"=$(( "$3" )) # "$4,$5,$6,$7,$8,$9}' | sed -Ee 's/ +$//' - # shellcheck disable=SC2034 - { - readonly INTEL_FAM6_CORE_YONAH=$((0x0E)) # - readonly INTEL_FAM6_CORE2_MEROM=$((0x0F)) # - readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16)) # - readonly INTEL_FAM6_CORE2_PENRYN=$((0x17)) # - readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D)) # - readonly INTEL_FAM6_NEHALEM=$((0x1E)) # - readonly INTEL_FAM6_NEHALEM_G=$((0x1F)) # /* Auburndale / Havendale */ - readonly INTEL_FAM6_NEHALEM_EP=$((0x1A)) # - readonly INTEL_FAM6_NEHALEM_EX=$((0x2E)) # - readonly INTEL_FAM6_WESTMERE=$((0x25)) # - readonly INTEL_FAM6_WESTMERE_EP=$((0x2C)) # - readonly INTEL_FAM6_WESTMERE_EX=$((0x2F)) # - readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A)) # - readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D)) # - readonly INTEL_FAM6_IVYBRIDGE=$((0x3A)) # - readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E)) # - readonly INTEL_FAM6_HASWELL=$((0x3C)) # - readonly INTEL_FAM6_HASWELL_X=$((0x3F)) # - readonly INTEL_FAM6_HASWELL_L=$((0x45)) # - readonly INTEL_FAM6_HASWELL_G=$((0x46)) # - readonly INTEL_FAM6_BROADWELL=$((0x3D)) # - readonly INTEL_FAM6_BROADWELL_G=$((0x47)) # - readonly INTEL_FAM6_BROADWELL_X=$((0x4F)) # - readonly INTEL_FAM6_BROADWELL_D=$((0x56)) # - readonly INTEL_FAM6_SKYLAKE_L=$((0x4E)) # /* Sky Lake */ - readonly INTEL_FAM6_SKYLAKE=$((0x5E)) # /* Sky Lake */ - readonly INTEL_FAM6_SKYLAKE_X=$((0x55)) # /* Sky Lake */ - readonly INTEL_FAM6_KABYLAKE_L=$((0x8E)) # /* 
Sky Lake */ - readonly INTEL_FAM6_KABYLAKE=$((0x9E)) # /* Sky Lake */ - readonly INTEL_FAM6_COMETLAKE=$((0xA5)) # /* Sky Lake */ - readonly INTEL_FAM6_COMETLAKE_L=$((0xA6)) # /* Sky Lake */ - readonly INTEL_FAM6_CANNONLAKE_L=$((0x66)) # /* Palm Cove */ - readonly INTEL_FAM6_ICELAKE_X=$((0x6A)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE_D=$((0x6C)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE=$((0x7D)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE_L=$((0x7E)) # /* Sunny Cove */ - readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D)) # /* Sunny Cove */ - readonly INTEL_FAM6_LAKEFIELD=$((0x8A)) # /* Sunny Cove / Tremont */ - readonly INTEL_FAM6_ROCKETLAKE=$((0xA7)) # /* Cypress Cove */ - readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C)) # /* Willow Cove */ - readonly INTEL_FAM6_TIGERLAKE=$((0x8D)) # /* Willow Cove */ - readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F)) # /* Golden Cove */ - readonly INTEL_FAM6_ALDERLAKE=$((0x97)) # /* Golden Cove / Gracemont */ - readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A)) # /* Golden Cove / Gracemont */ - readonly INTEL_FAM6_RAPTORLAKE=$((0xB7)) # - readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C)) # /* Diamondville, Pineview */ - readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26)) # /* Silverthorne, Lincroft */ - readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36)) # /* Cedarview */ - readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27)) # /* Penwell */ - readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */ - readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37)) # /* Bay Trail, Valleyview */ - readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D)) # /* Avaton, Rangely */ - readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A)) # /* Merriefield */ - readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C)) # /* Cherry Trail, Braswell */ - readonly INTEL_FAM6_ATOM_AIRMONT_MID=$((0x5A)) # /* Moorefield */ - readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75)) # /* Lightning Mountain */ - readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C)) # /* Apollo Lake */ - readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F)) 
# /* Denverton */ - readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A)) # /* Gemini Lake */ - readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86)) # /* Jacobsville */ - readonly INTEL_FAM6_ATOM_TREMONT=$((0x96)) # /* Elkhart Lake */ - readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C)) # /* Jasper Lake */ - readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57)) # /* Knights Landing */ - readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85)) # /* Knights Mill */ - } g_parse_cpu_details_done=1 } # Check whether the CPU vendor is Hygon @@ -3782,6 +4121,7 @@ check_cpu() { cap_tsx_ctrl_msr=-1 cap_gds_ctrl=-1 cap_gds_no=-1 + cap_its_no=-1 if [ "$cap_arch_capabilities" = -1 ]; then pstatus yellow UNKNOWN elif [ "$cap_arch_capabilities" != 1 ]; then @@ -3796,6 +4136,7 @@ check_cpu() { cap_tsx_ctrl_msr=0 cap_gds_ctrl=0 cap_gds_no=0 + cap_its_no=0 pstatus yellow NO else read_msr $MSR_IA32_ARCH_CAPABILITIES @@ -3811,6 +4152,7 @@ check_cpu() { cap_tsx_ctrl_msr=0 cap_gds_ctrl=0 cap_gds_no=0 + cap_its_no=0 if [ $ret = $READ_MSR_RET_OK ]; then capabilities=$ret_read_msr_value # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/include/asm/msr-index.h#n82 @@ -3826,7 +4168,8 @@ check_cpu() { [ $((ret_read_msr_value_lo >> 8 & 1)) -eq 1 ] && cap_taa_no=1 [ $((ret_read_msr_value_lo >> 25 & 1)) -eq 1 ] && cap_gds_ctrl=1 [ $((ret_read_msr_value_lo >> 26 & 1)) -eq 1 ] && cap_gds_no=1 - pr_debug "capabilities says rdcl_no=$cap_rdcl_no ibrs_all=$cap_ibrs_all rsba=$cap_rsba l1dflush_no=$cap_l1dflush_no ssb_no=$cap_ssb_no mds_no=$cap_mds_no taa_no=$cap_taa_no pschange_msc_no=$cap_pschange_msc_no" + [ $((ret_read_msr_value_hi >> 30 & 1)) -eq 1 ] && cap_its_no=1 + pr_debug "capabilities says rdcl_no=$cap_rdcl_no ibrs_all=$cap_ibrs_all rsba=$cap_rsba l1dflush_no=$cap_l1dflush_no ssb_no=$cap_ssb_no mds_no=$cap_mds_no taa_no=$cap_taa_no pschange_msc_no=$cap_pschange_msc_no its_no=$cap_its_no" if [ "$cap_ibrs_all" = 1 ]; then pstatus green YES else 
@@ -4562,16 +4905,14 @@ check_mds_linux() { # >>>>>> vulns/CVE-2017-5715.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# SPECTRE 2 SECTION +############################### +# CVE-2017-5715, Spectre V2, Branch Target Injection -# CVE-2017-5715 Spectre Variant 2 (branch target injection) - entry point # Sets: vulnstatus check_CVE_2017_5715() { check_cve 'CVE-2017-5715' } -# CVE-2017-5715 Spectre Variant 2 (branch target injection) - Linux mitigation check # Sets: g_ibrs_can_tell, g_ibrs_supported, g_ibrs_enabled, g_ibrs_fw_enabled, # g_ibpb_can_tell, g_ibpb_supported, g_ibpb_enabled, g_specex_knob_dir check_CVE_2017_5715_linux() { 
@@ -4771,6 +5112,43 @@ check_CVE_2017_5715_linux() { # rocky9 (RHEL 9, kernel 5.14): matches mainline. Semicolons, BHI, all fields. # rocky10 (RHEL 10, kernel 6.12): matches mainline. # + # + # --- Kconfig symbols --- + # 76b043848fd2 (v4.15-rc8): CONFIG_RETPOLINE + # f43b9876e857 (v5.19-rc7): CONFIG_CPU_IBRS_ENTRY (kernel IBRS on entry) + # aefb2f2e619b (v6.9-rc1): renamed CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE + # 1da8d2172ce5 (v6.9-rc1): renamed CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY + # ec9404e40e8f (v6.9-rc4): CONFIG_SPECTRE_BHI_ON / CONFIG_SPECTRE_BHI_OFF + # 4f511739c54b (v6.9-rc4): replaced by CONFIG_MITIGATION_SPECTRE_BHI + # 72c70f480a70 (v6.12-rc1): CONFIG_MITIGATION_SPECTRE_V2 (top-level on/off) + # 8754e67ad4ac (v6.15-rc7): CONFIG_MITIGATION_ITS (indirect target selection) + # stable 5.4.y-6.6.y: CONFIG_RETPOLINE (pre-rename) + # stable 6.12.y: CONFIG_MITIGATION_RETPOLINE, CONFIG_MITIGATION_SPECTRE_V2 + # + # --- kernel functions (for $opt_map / System.map) --- + # da285121560e (v4.15-rc8): spectre_v2_select_mitigation(), + # spectre_v2_parse_cmdline(), nospectre_v2_parse_cmdline() + # 20ffa1caecca (v4.16-rc1): spectre_v2_module_string(), retpoline_module_ok() + # a8f76ae41cd6 (v4.20-rc5): spectre_v2_user_select_mitigation(), + # spectre_v2_user_parse_cmdline() + # 7c693f54c873 (v5.19-rc7): spectre_v2_in_ibrs_mode(), spectre_v2_in_eibrs_mode() + # 44a3918c8245 (v5.17-rc8): spectre_v2_show_state() + # 480e803dacf8 (v6.16-rc1): split into spectre_v2_select_mitigation() + + # spectre_v2_apply_mitigation() + spectre_v2_update_mitigation() + + # spectre_v2_user_apply_mitigation() + spectre_v2_user_update_mitigation() + # + # --- CPU affection logic (for is_cpu_affected) --- + # X86_BUG_SPECTRE_V2 is set for ALL x86 CPUs except: + # - CPUs matching NO_SPECULATION: family 4 (all vendors), Centaur/Intel/NSC/Vortex + # family 5, Intel Atom Bonnell/Saltwell + # - CPUs matching NO_SPECTRE_V2: Centaur family 7, Zhaoxin family 7 + # 
99c6fa2511d8 (v4.15-rc8): unconditional for all x86 CPUs + # 1e41a766c98b (v5.6-rc1): added NO_SPECTRE_V2 exemption for Centaur/Zhaoxin + # 98c7a713db91 (v6.15-rc1): added X86_BUG_SPECTRE_V2_USER as separate bit + # No MSR/CPUID immunity bits β€” purely whitelist-based. + # vendor scope: all x86 vendors affected (Intel, AMD, Hygon, etc.) + # except Centaur family 7 and Zhaoxin family 7. + # # all messages start with either "Not affected", "Mitigation", or "Vulnerable" fi if [ "$opt_sysfs_only" != 1 ]; then @@ -4895,6 +5273,19 @@ check_CVE_2017_5715_linux() { if grep -q spec_ctrl "$opt_map"; then g_ibrs_supported="found spec_ctrl in symbols file" pr_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map" + elif grep -q -e spectre_v2_select_mitigation -e spectre_v2_apply_mitigation "$opt_map"; then + # spectre_v2_select_mitigation exists since v4.15; split into + # spectre_v2_select_mitigation + spectre_v2_apply_mitigation in v6.16 + g_ibrs_supported="found spectre_v2 mitigation function in symbols file" + pr_debug "ibrs: found spectre_v2_*_mitigation symbol in $opt_map" + fi + fi + # CONFIG_CPU_IBRS_ENTRY (v5.19) / CONFIG_MITIGATION_IBRS_ENTRY (v6.9): kernel IBRS on entry + if [ -z "$g_ibrs_supported" ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then + g_ibrs_can_tell=1 + if grep -q '^CONFIG_\(CPU_\|MITIGATION_\)IBRS_ENTRY=y' "$opt_config"; then + g_ibrs_supported="CONFIG_CPU_IBRS_ENTRY/CONFIG_MITIGATION_IBRS_ENTRY found in kernel config" + pr_debug "ibrs: found IBRS entry config option in $opt_config" fi fi # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat @@ -5142,7 +5533,7 @@ check_CVE_2017_5715_linux() { rsb_filling=0 if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then # if we're live and we aren't denied looking into /sys, let's do it - if echo "$msg" | grep -qw RSB; then + if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then rsb_filling=1 pstatus green YES fi 
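Review bot: Treating a `spectre_v2_select_mitigation`/`spectre_v2_apply_mitigation` symbol in System.map as `g_ibrs_supported` overstates what the symbol proves: per the comment block added above, that function exists since v4.15 while kernel IBRS support (CONFIG_CPU_IBRS_ENTRY) only arrived in v5.19, and the existing comment right after the hunk says 4.15-era vanilla kernels have IBPB but not IBRS. A 4.15-5.18 retpoline-only kernel would therefore be reported as IBRS-capable from its symbols alone. Suggest dropping the symbol branch and relying on the `spec_ctrl` symbol check plus the new `CONFIG_..._IBRS_ENTRY=y` config check, or recording the finding in a separate variable that the verdict treats as "Spectre v2 mitigation code present" rather than IBRS. check_CVE_2017_5715_linux continues outside this hunk.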
@@ -5242,6 +5633,11 @@ check_CVE_2017_5715_linux() { *) pstatus yellow UNKNOWN ;; esac + # --- SMT state (used in STIBP inference and verdict) --- + is_cpu_smt_enabled + smt_enabled=$? + # smt_enabled: 0=enabled, 1=disabled, 2=unknown + # --- v2_stibp_status --- pr_info_nol " * STIBP status: " if [ -n "$ret_sys_interface_check_fullmsg" ]; then @@ -5384,11 +5780,6 @@ check_CVE_2017_5715_linux() { fi fi - # --- SMT state (used in verdict) --- - is_cpu_smt_enabled - smt_enabled=$? - # smt_enabled: 0=enabled, 1=disabled, 2=unknown - elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! msg="/sys vulnerability interface use forced, but it's not available!" @@ -5403,6 +5794,8 @@ check_CVE_2017_5715_linux() { # --- own logic using Phase 2 variables --- # Helper: collect caveats for the verdict message _v2_caveats='' + # Append a caveat string to the _v2_caveats list + # Callers: check_CVE_2017_5715_linux (eIBRS, IBRS, retpoline verdict paths) _v2_add_caveat() { _v2_caveats="${_v2_caveats:+$_v2_caveats; }$1"; } # ARM branch predictor hardening (unchanged) 
@@ -5670,6 +6063,9 @@ check_CVE_2017_5715_linux() { pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability" elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS" + # CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations + elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then + pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)" elif [ "$g_ibrs_can_tell" != 1 ]; then pvulnstatus "$cve" UNK "offline mode: not enough information" explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect." @@ -5700,7 +6096,6 @@ check_CVE_2017_5715_linux() { fi } -# CVE-2017-5715 Spectre Variant 2 (branch target injection) - BSD mitigation check # Sets: vulnstatus check_CVE_2017_5715_bsd() { local ibrs_disabled ibrs_active retpoline nb_thunks @@ -5762,16 +6157,14 @@ check_CVE_2017_5715_bsd() { # >>>>>> vulns/CVE-2017-5753.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# SPECTRE 1 SECTION +############################### +# CVE-2017-5753, Spectre V1, Bounds Check Bypass -# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - entry point # Sets: (none directly, delegates to check_cve) check_CVE_2017_5753() { check_cve 'CVE-2017-5753' } -# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - Linux mitigation check # Sets: g_redhat_canonical_spectre (via check_redhat_canonical_spectre) check_CVE_2017_5753_linux() { local status sys_interface_available msg v1_kernel_mitigated v1_kernel_mitigated_err v1_mask_nospec ret explain_text 
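Review bot: Reporting OK in offline mode from `CONFIG_MITIGATION_SPECTRE_V2=y` alone is weaker than the branches above it (IBRS+IBPB, eIBRS): that symbol only keeps the Spectre V2 mitigation code compiled in, and as far as I recall it does not select a mechanism, so a kernel built with it but with `CONFIG_MITIGATION_RETPOLINE` and `CONFIG_MITIGATION_IBRS_ENTRY` both disabled ends up with no mitigation on CPUs lacking eIBRS (please confirm against Kconfig). Tighten the test to also require one of those, e.g. `grep -q '^CONFIG_MITIGATION_\(RETPOLINE\|IBRS_ENTRY\)=y' "$opt_config"`, or downgrade this branch to UNK with an explanation. check_CVE_2017_5715_linux continues outside this hunk.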
@@ -6042,7 +6435,6 @@ check_CVE_2017_5753_linux() { fi } -# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - BSD mitigation check check_CVE_2017_5753_bsd() { if ! is_cpu_affected "$cve"; then pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" @@ -6054,8 +6446,8 @@ check_CVE_2017_5753_bsd() { # >>>>>> vulns/CVE-2017-5754.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################## -# MELTDOWN SECTION +############################### +# CVE-2017-5754, Meltdown, Rogue Data Cache Load # no security impact but give a hint to the user in verbose mode # about PCID/INVPCID cpuid features that must be present to avoid @@ -6095,12 +6487,10 @@ pti_performance_check() { fi } -# CVE-2017-5754 Meltdown (rogue data cache load) - entry point check_CVE_2017_5754() { check_cve 'CVE-2017-5754' } -# CVE-2017-5754 Meltdown (rogue data cache load) - Linux mitigation check check_CVE_2017_5754_linux() { local status sys_interface_available msg kpti_support kpti_can_tell kpti_enabled dmesg_grep pti_xen_pv_domU xen_pv_domo xen_pv_domu explain_text status=UNK @@ -6303,7 +6693,6 @@ check_CVE_2017_5754_linux() { fi } -# CVE-2017-5754 Meltdown (rogue data cache load) - BSD mitigation check check_CVE_2017_5754_bsd() { local kpti_enabled pr_info_nol "* Kernel supports Page Table Isolation (PTI): " @@ -6338,10 +6727,9 @@ check_CVE_2017_5754_bsd() { # >>>>>> vulns/CVE-2018-12126.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# MSBDS SECTION +############################### +# CVE-2018-12126, MSBDS, Fallout, Microarchitectural Store Buffer Data Sampling -# CVE-2018-12126 MSBDS (microarchitectural store buffer data sampling) - entry point check_CVE_2018_12126() { check_cve 'CVE-2018-12126' check_mds } 
@@ -6349,10 +6737,9 @@ check_CVE_2018_12126() { # >>>>>> vulns/CVE-2018-12127.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# MLPDS SECTION +############################### +# CVE-2018-12127, MLPDS, RIDL, Microarchitectural Load Port Data Sampling -# CVE-2018-12127 MLPDS (microarchitectural load port data sampling) - entry point check_CVE_2018_12127() { check_cve 'CVE-2018-12127' check_mds } @@ -6360,10 +6747,9 @@ check_CVE_2018_12127() { # >>>>>> vulns/CVE-2018-12130.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# MFBDS SECTION +############################### +# CVE-2018-12130, MFBDS, ZombieLoad, Microarchitectural Fill Buffer Data Sampling -# CVE-2018-12130 MFBDS (microarchitectural fill buffer data sampling) - entry point check_CVE_2018_12130() { check_cve 'CVE-2018-12130' check_mds } @@ -6371,15 +6757,13 @@ check_CVE_2018_12130() { # >>>>>> vulns/CVE-2018-12207.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -####################### -# iTLB Multihit section +############################### +# CVE-2018-12207, iTLB Multihit, No eXcuses, Machine Check Exception on Page Size Changes -# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - entry point check_CVE_2018_12207() { check_cve 'CVE-2018-12207' } -# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - Linux mitigation check check_CVE_2018_12207_linux() { local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err status=UNK @@ -6457,7 +6841,6 @@ check_CVE_2018_12207_linux() { fi } -# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - BSD mitigation check check_CVE_2018_12207_bsd() { local kernel_2m_x_ept pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: " 
@@ -6491,10 +6874,9 @@ check_CVE_2018_12207_bsd() { # >>>>>> vulns/CVE-2018-3615.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -########################### -# L1TF / FORESHADOW SECTION +############################### +# CVE-2018-3615, Foreshadow (SGX), L1 Terminal Fault -# CVE-2018-3615 Foreshadow (L1 terminal fault SGX) - entry point check_CVE_2018_3615() { local cve cve='CVE-2018-3615' @@ -6530,12 +6912,13 @@ check_CVE_2018_3615() { # >>>>>> vulns/CVE-2018-3620.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - entry point +############################### +# CVE-2018-3620, Foreshadow-NG (OS/SMM), L1 Terminal Fault + check_CVE_2018_3620() { check_cve 'CVE-2018-3620' } -# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - Linux mitigation check check_CVE_2018_3620_linux() { local status sys_interface_available msg pteinv_supported pteinv_active status=UNK @@ -6614,7 +6997,6 @@ check_CVE_2018_3620_linux() { fi } -# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - BSD mitigation check check_CVE_2018_3620_bsd() { local bsd_zero_reserved pr_info_nol "* Kernel reserved the memory page at physical address 0x0: " @@ -6650,15 +7032,13 @@ check_CVE_2018_3620_bsd() { # >>>>>> vulns/CVE-2018-3639.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -################### -# VARIANT 4 SECTION +############################### +# CVE-2018-3639, Variant 4, SSB, Speculative Store Bypass -# CVE-2018-3639 Variant 4 (speculative store bypass) - entry point check_CVE_2018_3639() { check_cve 'CVE-2018-3639' } -# CVE-2018-3639 Variant 4 (speculative store bypass) - Linux mitigation check check_CVE_2018_3639_linux() { local status sys_interface_available msg kernel_ssb kernel_ssbd_enabled mitigated_processes status=UNK 
@@ -6786,7 +7166,6 @@ check_CVE_2018_3639_linux() {
fi
}
-# CVE-2018-3639 Variant 4 (speculative store bypass) - BSD mitigation check
check_CVE_2018_3639_bsd() {
local kernel_ssb ssb_enabled ssb_active
pr_info_nol "* Kernel supports speculation store bypass: "
@@ -6841,10 +7220,9 @@ check_CVE_2018_3639_bsd() {
# >>>>>> vulns/CVE-2018-3640.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
-####################
-# VARIANT 3A SECTION
+###############################
+# CVE-2018-3640, Variant 3a, Rogue System Register Read
-# CVE-2018-3640 Variant 3a (rogue system register read) - entry point
check_CVE_2018_3640() {
local status sys_interface_available msg cve
cve='CVE-2018-3640'
@@ -6877,12 +7255,13 @@ check_CVE_2018_3640() {
# >>>>>> vulns/CVE-2018-3646.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
-# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - entry point
+###############################
+# CVE-2018-3646, Foreshadow-NG (VMM), L1 Terminal Fault
+
check_CVE_2018_3646() {
check_cve 'CVE-2018-3646'
}
-# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - Linux mitigation check
check_CVE_2018_3646_linux() {
local status sys_interface_available msg l1d_mode ept_disabled l1d_kernel l1d_kernel_err l1d_xen_hardware l1d_xen_hypervisor l1d_xen_pv_domU smt_enabled
status=UNK
@@ -7112,7 +7491,6 @@ check_CVE_2018_3646_linux() {
fi
}
-# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - BSD mitigation check
check_CVE_2018_3646_bsd() {
local kernel_l1d_supported kernel_l1d_enabled
pr_info_nol "* Kernel supports L1D flushing: "
@@ -7149,10 +7527,9 @@ check_CVE_2018_3646_bsd() {
# >>>>>> vulns/CVE-2019-11091.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
-###################
-# MDSUM SECTION
+###############################
+# CVE-2019-11091, MDSUM, RIDL, Microarchitectural Data Sampling Uncacheable Memory
-# CVE-2019-11091 MDSUM (microarchitectural data sampling uncacheable memory) - entry point
check_CVE_2019_11091() {
check_cve 'CVE-2019-11091' check_mds
}
@@ -7160,15 +7537,13 @@ check_CVE_2019_11091() {
# >>>>>> vulns/CVE-2019-11135.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
-###################
-# TAA SECTION
+###############################
+# CVE-2019-11135, TAA, ZombieLoad V2, TSX Asynchronous Abort
-# CVE-2019-11135 TAA (TSX asynchronous abort) - entry point
check_CVE_2019_11135() {
check_cve 'CVE-2019-11135'
}
-# CVE-2019-11135 TAA (TSX asynchronous abort) - Linux mitigation check
check_CVE_2019_11135_linux() {
local status sys_interface_available msg kernel_taa kernel_taa_err
status=UNK
@@ -7246,7 +7621,6 @@ check_CVE_2019_11135_linux() {
fi
}
-# CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check
check_CVE_2019_11135_bsd() {
local taa_enable taa_state mds_disable kernel_taa kernel_mds
pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): "
@@ -7306,15 +7680,13 @@ check_CVE_2019_11135_bsd() {
# >>>>>> vulns/CVE-2020-0543.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et:
-###################
-# SRBDS SECTION
+###############################
+# CVE-2020-0543, SRBDS, CROSSTalk, Special Register Buffer Data Sampling
-# CVE-2020-0543 SRBDS (special register buffer data sampling) - entry point
check_CVE_2020_0543() {
check_cve 'CVE-2020-0543'
}
-# CVE-2020-0543 SRBDS (special register buffer data sampling) - Linux mitigation check
check_CVE_2020_0543_linux() {
local status sys_interface_available msg kernel_srbds kernel_srbds_err
status=UNK
@@ -7411,7 +7783,6 @@ check_CVE_2020_0543_linux() {
fi
}
-# CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
# FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS
check_CVE_2020_0543_bsd() {
local rngds_enable rngds_state kernel_rngds
@@ -7454,78 +7825,201 @@ check_CVE_2020_0543_bsd() { fi } -# >>>>>> vulns/CVE-2022-40982.sh <<<<<< +# >>>>>> vulns/CVE-2022-29900.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -######################### -# Downfall section +############################### +# CVE-2022-29900, Retbleed (AMD), Arbitrary Speculative Code Execution with Return Instructions -# CVE-2022-40982 Downfall (gather data sampling) - entry point -check_CVE_2022_40982() { - check_cve 'CVE-2022-40982' +check_CVE_2022_29900() { + check_cve 'CVE-2022-29900' } -# CVE-2022-40982 Downfall (gather data sampling) - Linux mitigation check -check_CVE_2022_40982_linux() { - local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret +check_CVE_2022_29900_linux() { + local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_unret kernel_ibpb_entry smt_enabled status=UNK sys_interface_available=0 msg='' - if sys_interface_check "$VULN_SYSFS_BASE/gather_data_sampling"; then + # + # Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901) + # + # --- sysfs messages --- + # all versions: + # "Not affected" (cpu_show_common, pre-existing) + # + # --- mainline --- + # 6b80b59b3555 (v5.19-rc7, initial retbleed sysfs): + # "Vulnerable\n" (hardcoded, no enum yet) + # 7fbf47c7ce50 (v5.19-rc7, retbleed= boot parameter): + # "Vulnerable" (RETBLEED_MITIGATION_NONE) + # "Mitigation: untrained return thunk" (RETBLEED_MITIGATION_UNRET) + # "Vulnerable: untrained return thunk on non-Zen uarch" (UNRET on non-AMD/Hygon) + # 6ad0ad2bf8a6 (v5.19-rc7, Intel mitigations): + # "Mitigation: IBRS" (RETBLEED_MITIGATION_IBRS) + # "Mitigation: Enhanced IBRS" (RETBLEED_MITIGATION_EIBRS) + # 3ebc17006888 (v5.19-rc7, retbleed=ibpb): + # "Mitigation: IBPB" (RETBLEED_MITIGATION_IBPB) + # e8ec1b6e08a2 (v5.19-rc7, STIBP for JMP2RET): + # UNRET now appends SMT status: + # "Mitigation: untrained return thunk; SMT disabled" + # "Mitigation: untrained return thunk; SMT 
enabled with STIBP protection" + # "Mitigation: untrained return thunk; SMT vulnerable" + # e6cfcdda8cbe (v6.0-rc1, STIBP for IBPB): + # IBPB now appends SMT status, non-AMD message changed: + # "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch" + # "Mitigation: IBPB; SMT disabled" + # "Mitigation: IBPB; SMT enabled with STIBP protection" + # "Mitigation: IBPB; SMT vulnerable" + # d82a0345cf21 (v6.2-rc1, call depth tracking): + # "Mitigation: Stuffing" (RETBLEED_MITIGATION_STUFF) + # e3b78a7ad5ea (v6.16-rc1, restructure): + # added RETBLEED_MITIGATION_AUTO (internal, resolved before display) + # no new sysfs strings + # + # all messages start with either "Not affected", "Vulnerable", or "Mitigation" + # + # --- stable backports --- + # 4.14.y, 4.19.y, 5.4.y: Intel-only mitigations (IBRS, eIBRS); no UNRET, IBPB, STUFF; + # no SMT status display; simplified retbleed_show_state(). + # 5.10.y, 5.15.y, 6.1.y: full mitigations (NONE, UNRET, IBPB, IBRS, EIBRS); + # SMT status appended for UNRET/IBPB; no STUFF. + # 6.6.y, 6.12.y: adds STUFF (call depth tracking). 6.12.y uses INTEL_ model prefix. + # all stable: single retbleed_select_mitigation() (no update/apply split). + # + # --- RHEL/CentOS --- + # centos7 (~4.18): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF; SMT status for UNRET; + # no Hygon check; no UNRET_ENTRY/IBPB_ENTRY/IBRS_ENTRY Kconfig symbols; + # unique cpu_in_retbleed_whitelist() function for Intel. + # rocky8 (~4.18/5.14): NONE, UNRET, IBPB, IBRS, EIBRS; no STUFF; + # CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY, CONFIG_CPU_IBRS_ENTRY (old names). + # rocky9 (~6.x): same as mainline; CONFIG_MITIGATION_* names; has STUFF. + # rocky10 (~6.12+): same as mainline; has select/update/apply split. 
+ # + # --- Kconfig symbols --- + # f43b9876e857 (v5.19-rc7): CONFIG_CPU_UNRET_ENTRY, CONFIG_CPU_IBPB_ENTRY, + # CONFIG_CPU_IBRS_ENTRY + # 80e4c1cd42ff (v6.2-rc1): CONFIG_CALL_DEPTH_TRACKING + # ac61d43983a4 (v6.9-rc1): renamed to CONFIG_MITIGATION_UNRET_ENTRY, + # CONFIG_MITIGATION_IBPB_ENTRY, CONFIG_MITIGATION_IBRS_ENTRY, + # CONFIG_MITIGATION_CALL_DEPTH_TRACKING + # 894e28857c11 (v6.12-rc1): CONFIG_MITIGATION_RETBLEED (master switch) + # + # --- kernel functions (for $opt_map / System.map) --- + # 7fbf47c7ce50 (v5.19-rc7): retbleed_select_mitigation() + # e3b78a7ad5ea (v6.16-rc1): split into retbleed_select_mitigation() + + # retbleed_update_mitigation() + retbleed_apply_mitigation() + # vendor kernels: centos7/rocky8/rocky9 have retbleed_select_mitigation() only; + # rocky10 has the full split. + # + # --- CPU affection logic (for is_cpu_affected) --- + # X86_BUG_RETBLEED is set when X86_FEATURE_BTC_NO is NOT set AND either: + # (a) CPU matches cpu_vuln_blacklist[] RETBLEED entries, OR + # (b) ARCH_CAP_RSBA is set in IA32_ARCH_CAPABILITIES MSR + # 6b80b59b3555 (v5.19-rc7, initial AMD): + # AMD: family 0x15, 0x16, 0x17; Hygon: family 0x18 + # 6ad0ad2bf8a6 (v5.19-rc7, Intel): + # Intel: SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE, + # ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE + # + any Intel with ARCH_CAP_RSBA set + # 26aae8ccbc19 (v5.19-rc7, BTC_NO): + # AMD Zen 3+ with BTC_NO are excluded + # f54d45372c6a (post-v5.19, Cannon Lake): + # Intel: + CANNONLAKE_L + # immunity: X86_FEATURE_BTC_NO (AMD) β€” Zen 3+ declare not affected + # vendor scope: AMD (0x15-0x17), Hygon (0x18), Intel (Skylake through Rocket Lake + RSBA) + # + + if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then # this kernel has the /sys interface, trust it over everything sys_interface_available=1 status=$ret_sys_interface_check_status fi if [ "$opt_sysfs_only" != 1 ]; then - pr_info_nol "* GDS is mitigated by microcode: " - if [ "$cap_gds_ctrl" = 1 ] && [ 
"$cap_gds_mitg_dis" = 0 ]; then - pstatus green OK "microcode mitigation is supported and enabled" - else - pstatus yellow NO - fi - pr_info_nol "* Kernel supports software mitigation by disabling AVX: " + pr_info_nol "* Kernel supports mitigation: " if [ -n "$g_kernel_err" ]; then - kernel_gds_err="$g_kernel_err" - elif grep -q 'gather_data_sampling' "$g_kernel"; then - kernel_gds="found gather_data_sampling in kernel image" + kernel_retbleed_err="$g_kernel_err" + elif grep -q 'retbleed' "$g_kernel"; then + kernel_retbleed="found retbleed mitigation logic in kernel image" fi - if [ -n "$kernel_gds" ]; then - pstatus green YES "$kernel_gds" - elif [ -n "$kernel_gds_err" ]; then - pstatus yellow UNKNOWN "$kernel_gds_err" + if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then + if grep -q 'retbleed_select_mitigation' "$opt_map"; then + kernel_retbleed="found retbleed_select_mitigation in System.map" + fi + fi + if [ -n "$kernel_retbleed" ]; then + pstatus green YES "$kernel_retbleed" + elif [ -n "$kernel_retbleed_err" ]; then + pstatus yellow UNKNOWN "$kernel_retbleed_err" else pstatus yellow NO fi - if [ -n "$kernel_gds" ]; then - pr_info_nol "* Kernel has disabled AVX as a mitigation: " + pr_info_nol "* Kernel compiled with UNRET_ENTRY support (untrained return thunk): " + if [ -r "$opt_config" ]; then + # CONFIG_CPU_UNRET_ENTRY: Linux < 6.9 + # CONFIG_MITIGATION_UNRET_ENTRY: Linux >= 6.9 + if grep -Eq '^CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y' "$opt_config"; then + pstatus green YES + kernel_unret="CONFIG_(CPU|MITIGATION)_UNRET_ENTRY=y found in kernel config" + else + pstatus yellow NO + fi + else + if [ -n "$g_kernel_err" ]; then + pstatus yellow UNKNOWN "$g_kernel_err" + elif [ -n "$kernel_retbleed" ]; then + # if the kernel has retbleed logic, assume UNRET_ENTRY is likely compiled in + # (we can't tell for certain without the config) + kernel_unret="retbleed mitigation logic present in kernel (UNRET_ENTRY status unknown)" + pstatus yellow UNKNOWN "kernel has 
retbleed mitigation but config not available to verify" + else + pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic" + fi + fi - # Check dmesg message to see whether AVX has been disabled - dmesg_grep 'Microcode update needed! Disabling AVX as mitigation' - dmesgret=$? - if [ "$dmesgret" -eq 0 ]; then - kernel_avx_disabled="AVX disabled by the kernel (dmesg)" - pstatus green YES "$kernel_avx_disabled" - elif [ "$cap_avx2" = 0 ]; then - # Find out by ourselves - # cpuinfo says we don't have AVX2, query - # the CPU directly about AVX2 support - read_cpuid 0x7 0x0 "$EBX" 5 1 1 - ret=$? - if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then - kernel_avx_disabled="AVX disabled by the kernel (cpuid)" - pstatus green YES "$kernel_avx_disabled" - elif [ "$ret" -eq "$READ_CPUID_RET_KO" ]; then - pstatus yellow NO "CPU doesn't support AVX" - elif [ "$dmesgret" -eq 2 ]; then - pstatus yellow UNKNOWN "dmesg truncated, can't tell whether mitigation is active, please reboot and relaunch this script" + pr_info_nol "* Kernel compiled with IBPB_ENTRY support: " + if [ -r "$opt_config" ]; then + # CONFIG_CPU_IBPB_ENTRY: Linux < 6.9 + # CONFIG_MITIGATION_IBPB_ENTRY: Linux >= 6.9 + if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y' "$opt_config"; then + pstatus green YES + kernel_ibpb_entry="CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y found in kernel config" + else + pstatus yellow NO + fi + else + if [ -n "$g_kernel_err" ]; then + pstatus yellow UNKNOWN "$g_kernel_err" + elif [ -n "$kernel_retbleed" ]; then + kernel_ibpb_entry="retbleed mitigation logic present in kernel (IBPB_ENTRY status unknown)" + pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify" + else + pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic" + fi + fi + + # Zen/Zen+/Zen2: check IBPB microcode support and SMT + if [ "$cpu_family" = $((0x17)) ]; then + pr_info_nol "* CPU supports IBPB: " + if [ "$opt_live" = 1 ]; 
then + if [ -n "$cap_ibpb" ]; then + pstatus green YES "$cap_ibpb" else - pstatus yellow UNKNOWN "No sign of mitigation in dmesg and couldn't read cpuid info" + pstatus yellow NO fi else - pstatus yellow NO "AVX support is enabled" + pstatus blue N/A "not testable in offline mode" + fi + + pr_info_nol "* Hyper-Threading (SMT) is enabled: " + is_cpu_smt_enabled + smt_enabled=$? + if [ "$smt_enabled" = 0 ]; then + pstatus yellow YES + else + pstatus green NO fi fi 
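Review bot: In check_CVE_2022_29900_linux the config-unreadable path assigns a non-empty placeholder, `kernel_unret="retbleed mitigation logic present in kernel (UNRET_ENTRY status unknown)"` (and the same for `kernel_ibpb_entry`), so any later `[ -n "$kernel_unret" ]` / `[ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]` test treats an unverified guess exactly like a confirmed `CONFIG_..._UNRET_ENTRY=y` hit; only the printed UNKNOWN line differs, the verdict does not. Leave both variables empty in that branch and carry the uncertainty in a separate flag, e.g. `kernel_unret_unk=1`, so the final verdict can emit UNK instead of OK. Separately, the IBPB/SMT block is gated on `[ "$cpu_family" = $((0x17)) ]` alone, while the inventory comment above lists Hygon family 0x18 as affected, so those parts skip the IBPB and SMT checks entirely. The function body continues past the end of this hunk.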
@@ -7540,23 +8034,438 @@ check_CVE_2022_40982_linux() { pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" elif [ -z "$msg" ]; then # if msg is empty, sysfs check didn't fill it, rely on our own test - if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then - pvulnstatus "$cve" OK "Your microcode is up to date and mitigation is enabled" - elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then - pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled" - elif [ -z "$kernel_gds" ]; then - pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation" - elif [ -z "$kernel_avx_disabled" ]; then - pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel support the mitigation but the script did not detect AVX as disabled by the kernel" + if [ "$opt_sysfs_only" != 1 ]; then + if [ "$cpu_family" = $((0x17)) ]; then + # Zen/Zen+/Zen2 + if [ -z "$kernel_retbleed" ]; then + pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic" + elif [ "$opt_paranoid" = 1 ] && [ "$smt_enabled" = 0 ]; then + pvulnstatus "$cve" VULN "SMT is enabled, which weakens the IBPB-based mitigation" + explain "For Zen/Zen+/Zen2 CPUs in paranoid mode, proper mitigation needs SMT to be disabled\n" \ + "(this can be done by adding \`nosmt\` to your kernel command line), because IBPB alone\n" \ + "doesn't fully protect cross-thread speculation." + elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then + pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in" + elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_live" = 1 ]; then + pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB" + explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \ + "\`nosmt\` to your kernel command line." 
+ else + pvulnstatus "$cve" OK "Your kernel and CPU support mitigation" + fi + elif [ "$cpu_family" = $((0x15)) ] || [ "$cpu_family" = $((0x16)) ]; then + # older AMD families: basic mitigation check + if [ -z "$kernel_retbleed" ]; then + pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic" + elif [ -n "$kernel_unret" ] || [ -n "$kernel_ibpb_entry" ]; then + pvulnstatus "$cve" OK "Your kernel supports mitigation" + else + pvulnstatus "$cve" VULN "Your kernel doesn't have UNRET_ENTRY or IBPB_ENTRY compiled-in" + fi + else + # not supposed to happen + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" + fi else - pvulnstatus "$cve" OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support" + pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg" + fi + else + pvulnstatus "$cve" "$status" "$msg" + fi +} + +check_CVE_2022_29900_bsd() { + if ! is_cpu_affected "$cve"; then + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" + else + pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script" + fi +} + +# >>>>>> vulns/CVE-2022-29901.sh <<<<<< + +# vim: set ts=4 sw=4 sts=4 et: +############################### +# CVE-2022-29901, Retbleed (Intel), RSB Alternate Behavior (RSBA) + +check_CVE_2022_29901() { + check_cve 'CVE-2022-29901' +} + +check_CVE_2022_29901_linux() { + local status sys_interface_available msg kernel_retbleed kernel_retbleed_err kernel_ibrs_entry + status=UNK + sys_interface_available=0 + msg='' + + # + # Kernel source inventory for retbleed (CVE-2022-29900 / CVE-2022-29901) + # + # See CVE-2022-29900.sh for the full sysfs/Kconfig/function/stable/vendor inventory. 
+ # + # Intel-specific notes: + # - eIBRS (IBRS_ALL) mitigates the vulnerability on Intel + # - plain retpoline does NOT mitigate on RSBA-capable CPUs (Retbleed bypasses retpoline) + # - IBRS entry also mitigates + # - call depth tracking / stuffing mitigates (v6.2+) + # + # --- Kconfig symbols (Intel-relevant) --- + # CONFIG_CPU_IBRS_ENTRY (< 6.9) / CONFIG_MITIGATION_IBRS_ENTRY (>= 6.9): Intel IBRS + # CONFIG_CALL_DEPTH_TRACKING (< 6.9) / CONFIG_MITIGATION_CALL_DEPTH_TRACKING (>= 6.9): stuffing + # + # --- CPU affection logic (Intel) --- + # 6ad0ad2bf8a6 (v5.19-rc7, initial Intel list): + # SKYLAKE_L, SKYLAKE, SKYLAKE_X, KABYLAKE_L, KABYLAKE, + # ICELAKE_L, COMETLAKE, COMETLAKE_L, LAKEFIELD, ROCKETLAKE + # f54d45372c6a (post-v5.19): + CANNONLAKE_L + # + any Intel with ARCH_CAP_RSBA set in IA32_ARCH_CAPABILITIES MSR (bit 2) + # immunity: none (no _NO bit for RETBLEED on Intel; eIBRS is a mitigation, not immunity) + # + + if sys_interface_check "$VULN_SYSFS_BASE/retbleed"; then + # this kernel has the /sys interface, trust it over everything + sys_interface_available=1 + status=$ret_sys_interface_check_status + fi + + if [ "$opt_sysfs_only" != 1 ]; then + pr_info_nol "* Kernel supports mitigation: " + if [ -n "$g_kernel_err" ]; then + kernel_retbleed_err="$g_kernel_err" + elif grep -q 'retbleed' "$g_kernel"; then + kernel_retbleed="found retbleed mitigation logic in kernel image" + fi + if [ -z "$kernel_retbleed" ] && [ -n "$opt_map" ]; then + if grep -q 'retbleed_select_mitigation' "$opt_map"; then + kernel_retbleed="found retbleed_select_mitigation in System.map" + fi + fi + if [ -n "$kernel_retbleed" ]; then + pstatus green YES "$kernel_retbleed" + elif [ -n "$kernel_retbleed_err" ]; then + pstatus yellow UNKNOWN "$kernel_retbleed_err" + else + pstatus yellow NO + fi + + pr_info_nol "* Kernel compiled with IBRS_ENTRY support: " + if [ -r "$opt_config" ]; then + # CONFIG_CPU_IBRS_ENTRY: Linux < 6.9 + # CONFIG_MITIGATION_IBRS_ENTRY: Linux >= 6.9 + if grep -Eq 
'^CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y' "$opt_config"; then + pstatus green YES + kernel_ibrs_entry="CONFIG_(CPU|MITIGATION)_IBRS_ENTRY=y found in kernel config" + else + pstatus yellow NO + fi + else + if [ -n "$g_kernel_err" ]; then + pstatus yellow UNKNOWN "$g_kernel_err" + elif [ -n "$kernel_retbleed" ]; then + kernel_ibrs_entry="retbleed mitigation logic present in kernel (IBRS_ENTRY status unknown)" + pstatus yellow UNKNOWN "kernel has retbleed mitigation but config not available to verify" + else + pstatus yellow NO "your kernel is too old and doesn't have the retbleed mitigation logic" + fi + fi + + pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): " + if [ "$opt_live" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then + if [ "$cap_ibrs_all" = 1 ]; then + pstatus green YES + elif [ "$cap_ibrs_all" = 0 ]; then + pstatus yellow NO + else + pstatus yellow UNKNOWN + fi + else + pstatus blue N/A "not testable in offline mode" + fi + + pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): " + if [ "$opt_live" = 1 ] || [ "$cap_rsba" != -1 ]; then + if [ "$cap_rsba" = 1 ]; then + pstatus yellow YES "this CPU is affected by RSB underflow" + elif [ "$cap_rsba" = 0 ]; then + pstatus green NO + else + pstatus yellow UNKNOWN + fi + else + pstatus blue N/A "not testable in offline mode" + fi + + elif [ "$sys_interface_available" = 0 ]; then + # we have no sysfs but were asked to use it only! + msg="/sys vulnerability interface use forced, but it's not available!" + status=UNK + fi + + if ! 
is_cpu_affected "$cve"; then + # override status & msg in case CPU is not vulnerable after all + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" + elif [ -z "$msg" ]; then + # if msg is empty, sysfs check didn't fill it, rely on our own test + if [ "$opt_sysfs_only" != 1 ]; then + if [ -z "$kernel_retbleed" ]; then + pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the retbleed mitigation logic" + elif [ "$cap_ibrs_all" = 1 ]; then + if [ "$opt_paranoid" = 1 ] && [ "$cap_rrsba" = 1 ]; then + pvulnstatus "$cve" VULN "eIBRS is enabled but RRSBA is present, which may weaken the mitigation" + explain "In paranoid mode, the combination of eIBRS and RRSBA (Restricted RSB Alternate Behavior)\n" \ + "is flagged because RRSBA means the RSB can still be influenced in some scenarios.\n" \ + "Check if your firmware/kernel supports disabling RRSBA via RRSBA_CTRL." + else + pvulnstatus "$cve" OK "Enhanced IBRS (IBRS_ALL) mitigates the vulnerability" + fi + elif [ -n "$kernel_ibrs_entry" ]; then + pvulnstatus "$cve" OK "Your kernel has IBRS_ENTRY mitigation compiled-in" + else + pvulnstatus "$cve" VULN "Your kernel has retbleed mitigation but IBRS_ENTRY is not compiled-in and eIBRS is not available" + explain "Retpoline alone does NOT mitigate Retbleed on RSBA-capable Intel CPUs.\n" \ + "You need either Enhanced IBRS (eIBRS, via firmware/microcode update) or a kernel\n" \ + "compiled with IBRS_ENTRY support (Linux 5.19+, CONFIG_(CPU|MITIGATION)_IBRS_ENTRY)." + fi + else + pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg" + fi + else + pvulnstatus "$cve" "$status" "$msg" + fi +} + +check_CVE_2022_29901_bsd() { + if ! 
is_cpu_affected "$cve"; then + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" + else + pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script" + fi +} + +# >>>>>> vulns/CVE-2022-40982.sh <<<<<< + +# vim: set ts=4 sw=4 sts=4 et: +############################### +# CVE-2022-40982, Downfall, GDS, Gather Data Sampling + +check_CVE_2022_40982() { + check_cve 'CVE-2022-40982' +} + +check_CVE_2022_40982_linux() { + local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret + status=UNK + sys_interface_available=0 + msg='' + + if sys_interface_check "$VULN_SYSFS_BASE/gather_data_sampling"; then + # this kernel has the /sys interface, trust it over everything + sys_interface_available=1 + # + # Kernel source inventory for gather_data_sampling (GDS/Downfall) + # + # --- sysfs messages --- + # all versions: + # "Not affected" (cpu_show_common, pre-existing) + # + # --- mainline --- + # 8974eb588283 (v6.5-rc6, initial GDS sysfs): + # "Vulnerable" (GDS_MITIGATION_OFF) + # "Vulnerable: No microcode" (GDS_MITIGATION_UCODE_NEEDED) + # "Mitigation: Microcode" (GDS_MITIGATION_FULL) + # "Mitigation: Microcode (locked)" (GDS_MITIGATION_FULL_LOCKED) + # "Unknown: Dependent on hypervisor status" (GDS_MITIGATION_HYPERVISOR) + # 553a5c03e90a (v6.5-rc6, added force option): + # "Mitigation: AVX disabled, no microcode" (GDS_MITIGATION_FORCE) + # 53cf5797f114 (v6.5-rc6, added CONFIG_GDS_FORCE_MITIGATION): + # no string changes; default becomes FORCE when Kconfig enabled + # 81ac7e5d7417 (v6.5-rc6, KVM GDS_NO plumbing): + # no string changes + # be83e809ca67 (v6.9-rc1, Kconfig rename): + # no string changes; CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE + # 03267a534bb3 (v6.12-rc1, removed force Kconfig): + # no string changes; CONFIG_MITIGATION_GDS_FORCE removed + # 225f2bd064c3 (v6.12-rc1, added on/off Kconfig): + # no string changes; 
added CONFIG_MITIGATION_GDS (default y) + # 9dcad2fb31bd (v6.16-rc1, restructured select/apply): + # no string changes; added GDS_MITIGATION_AUTO (internal, resolved before display) + # split gds_select_mitigation() + gds_apply_mitigation() + # d4932a1b148b (v6.17-rc3, bug fix): + # no string changes; CPUs without ARCH_CAP_GDS_CTRL were incorrectly classified + # as OFF ("Vulnerable") instead of UCODE_NEEDED ("Vulnerable: No microcode"), + # and locked-mitigation detection was skipped. + # NOT backported to any stable or RHEL branch as of 2026-04. + # + # --- stable backports --- + # 5.4.y, 5.10.y, 5.15.y, 6.1.y, 6.6.y: same 7 strings as mainline. + # use CONFIG_GDS_FORCE_MITIGATION; no GDS_MITIGATION_AUTO enum; + # missing d4932a1b148b bug fix (UCODE_NEEDED vs OFF misclassification). + # 6.12.y: same 7 strings as mainline. + # uses CONFIG_MITIGATION_GDS; no GDS_MITIGATION_AUTO enum; + # missing d4932a1b148b bug fix. + # + # --- RHEL/CentOS --- + # centos7 (3.10), rocky8 (4.18): same 7 strings; CONFIG_GDS_FORCE_MITIGATION. + # centos7 uses sprintf (not sysfs_emit) and __read_mostly. + # rocky9 (5.14): same 7 strings; CONFIG_MITIGATION_GDS (skipped FORCE rename). + # rocky10 (6.12): same 7 strings; CONFIG_MITIGATION_GDS; has gds_apply_mitigation(). 
+ # + # --- Kconfig symbols --- + # 53cf5797f114 (v6.5-rc6): CONFIG_GDS_FORCE_MITIGATION (default n) + # be83e809ca67 (v6.9-rc1): renamed to CONFIG_MITIGATION_GDS_FORCE + # 03267a534bb3 (v6.12-rc1): CONFIG_MITIGATION_GDS_FORCE removed + # 225f2bd064c3 (v6.12-rc1): CONFIG_MITIGATION_GDS (default y) + # vendor kernels: rocky9 uses CONFIG_MITIGATION_GDS on 5.14-based kernel + # + # --- kernel functions (for $opt_map / System.map) --- + # 8974eb588283 (v6.5-rc6): gds_select_mitigation(), update_gds_msr(), + # gds_parse_cmdline(), gds_show_state() + # 81ac7e5d7417 (v6.5-rc6): gds_ucode_mitigated() (exported for KVM) + # 9dcad2fb31bd (v6.16-rc1): split into gds_select_mitigation() + gds_apply_mitigation() + # stable 5.4.y-6.12.y: same 5 functions (no gds_apply_mitigation) + # rocky10 (6.12): has gds_apply_mitigation() + # + # --- CPU affection logic (for is_cpu_affected) --- + # X86_BUG_GDS is set when ALL three conditions are true: + # 1. CPU matches model blacklist (cpu_vuln_blacklist[] in common.c) + # 2. ARCH_CAP_GDS_NO (bit 26 of IA32_ARCH_CAPABILITIES) is NOT set + # 3. 
X86_FEATURE_AVX is present (GATHER instructions require AVX) + # 8974eb588283 (v6.5-rc6, initial model list): + # Intel: SKYLAKE_X, KABYLAKE_L, KABYLAKE, ICELAKE_L, ICELAKE_D, + # ICELAKE_X, COMETLAKE, COMETLAKE_L, TIGERLAKE_L, TIGERLAKE, + # ROCKETLAKE (all steppings) + # c9f4c45c8ec3 (v6.5-rc6, added missing client Skylake): + # Intel: + SKYLAKE_L, SKYLAKE + # 159013a7ca18 (v6.10-rc1, ITS stepping splits): + # no GDS model changes; some entries split by stepping for ITS but + # GDS flag remains on all stepping ranges for these models + # immunity: ARCH_CAP_GDS_NO (bit 26 of IA32_ARCH_CAPABILITIES) + # feature dependency: requires AVX (if AVX absent, CPU is immune) + # vendor scope: Intel only + # + # all messages start with either "Not affected", "Vulnerable", "Mitigation", + # or "Unknown" + status=$ret_sys_interface_check_status + fi + + if [ "$opt_sysfs_only" != 1 ]; then + pr_info_nol "* GDS is mitigated by microcode: " + if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then + pstatus green OK "microcode mitigation is supported and enabled" + elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then + pstatus yellow NO "microcode mitigation is supported but disabled" + elif [ "$cap_gds_ctrl" = 0 ]; then + pstatus yellow NO "microcode doesn't support GDS mitigation" + else + pstatus yellow UNKNOWN "couldn't read MSR for GDS capability" + fi + + pr_info_nol "* Kernel supports software mitigation by disabling AVX: " + kernel_gds='' + kernel_gds_err='' + if [ -n "$g_kernel_err" ]; then + kernel_gds_err="$g_kernel_err" + elif grep -q 'gather_data_sampling' "$g_kernel"; then + kernel_gds="found gather_data_sampling in kernel image" + fi + if [ -z "$kernel_gds" ] && [ -r "$opt_config" ]; then + if grep -q '^CONFIG_GDS_FORCE_MITIGATION=y' "$opt_config" || + grep -q '^CONFIG_MITIGATION_GDS_FORCE=y' "$opt_config" || + grep -q '^CONFIG_MITIGATION_GDS=y' "$opt_config"; then + kernel_gds="GDS mitigation config option found enabled in kernel config" + fi 
+ fi + if [ -z "$kernel_gds" ] && [ -n "$opt_map" ]; then + if grep -q 'gds_select_mitigation' "$opt_map"; then + kernel_gds="found gds_select_mitigation in System.map" + fi + fi + if [ -n "$kernel_gds" ]; then + pstatus green YES "$kernel_gds" + elif [ -n "$kernel_gds_err" ]; then + pstatus yellow UNKNOWN "$kernel_gds_err" + else + pstatus yellow NO + fi + + if [ -n "$kernel_gds" ]; then + pr_info_nol "* Kernel has disabled AVX as a mitigation: " + + if [ "$opt_live" = 1 ]; then + # Check dmesg message to see whether AVX has been disabled + dmesg_grep 'Microcode update needed! Disabling AVX as mitigation' + dmesgret=$? + if [ "$dmesgret" -eq 0 ]; then + kernel_avx_disabled="AVX disabled by the kernel (dmesg)" + pstatus green YES "$kernel_avx_disabled" + elif [ "$cap_avx2" = 0 ]; then + # Find out by ourselves + # cpuinfo says we don't have AVX2, query + # the CPU directly about AVX2 support + read_cpuid 0x7 0x0 "$EBX" 5 1 1 + ret=$? + if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then + kernel_avx_disabled="AVX disabled by the kernel (cpuid)" + pstatus green YES "$kernel_avx_disabled" + elif [ "$ret" -eq "$READ_CPUID_RET_KO" ]; then + pstatus yellow NO "CPU doesn't support AVX" + elif [ "$dmesgret" -eq 2 ]; then + pstatus yellow UNKNOWN "dmesg truncated, can't tell whether mitigation is active, please reboot and relaunch this script" + else + pstatus yellow UNKNOWN "No sign of mitigation in dmesg and couldn't read cpuid info" + fi + else + pstatus yellow NO "AVX support is enabled" + fi + else + pstatus blue N/A "not testable in offline mode" + fi + fi + + elif [ "$sys_interface_available" = 0 ]; then + # we have no sysfs but were asked to use it only! + msg="/sys vulnerability interface use forced, but it's not available!" + status=UNK + fi + + if ! 
is_cpu_affected "$cve"; then + # override status & msg in case CPU is not vulnerable after all + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" + elif [ -z "$msg" ]; then + # if msg is empty, sysfs check didn't fill it, rely on our own test + if [ "$opt_sysfs_only" != 1 ]; then + if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then + if [ "$opt_paranoid" = 1 ] && [ "$cap_gds_mitg_lock" != 1 ]; then + pvulnstatus "$cve" VULN "Microcode mitigation is enabled but not locked" + explain "In paranoid mode, the GDS mitigation must be locked to prevent a privileged attacker\n " \ + "(e.g. in a guest VM) from disabling it. Check your firmware/BIOS for an option to lock the\n " \ + "GDS mitigation, or update your microcode." + else + pvulnstatus "$cve" OK "Your microcode is up to date and mitigation is enabled" + fi + elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then + pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled" + explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \ + "Remove the kernel parameter to re-enable it." + elif [ -z "$kernel_gds" ]; then + pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation" + explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \ + "to a version that supports GDS mitigation (Linux 6.5+, or check if your distro has a backport)." + elif [ -z "$kernel_avx_disabled" ]; then + pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel supports the mitigation but AVX was not disabled" + explain "Update your CPU microcode (via BIOS/firmware update from your OEM). If no microcode update\n " \ + "is available, use gather_data_sampling=force on the kernel command line to disable AVX as a workaround." 
+ else + pvulnstatus "$cve" OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support" + fi + else + pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg" fi else pvulnstatus "$cve" "$status" "$msg" fi } -# CVE-2022-40982 Downfall (gather data sampling) - BSD mitigation check check_CVE_2022_40982_bsd() { if ! is_cpu_affected "$cve"; then pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" @@ -7568,15 +8477,13 @@ check_CVE_2022_40982_bsd() { # >>>>>> vulns/CVE-2023-20569.sh <<<<<< # vim: set ts=4 sw=4 sts=4 et: -####################### -# Inception section +############################### +# CVE-2023-20569, Inception, SRSO, Return Address Security -# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - entry point check_CVE_2023_20569() { check_cve 'CVE-2023-20569' } -# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - Linux mitigation check check_CVE_2023_20569_linux() { local status sys_interface_available msg kernel_sro kernel_sro_err kernel_srso kernel_ibpb_entry smt_enabled status=UNK @@ -7775,7 +8682,6 @@ check_CVE_2023_20569_linux() { fi } -# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - BSD mitigation check check_CVE_2023_20569_bsd() { if ! is_cpu_affected "$cve"; then pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" 
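Review bot: The AMD fallback in check_CVE_2022_29900_linux, `# not supposed to happen` followed by `pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"`, is only reached after `is_cpu_affected "$cve"` already returned affected, so it fails open for any affected family other than 0x15/0x16/0x17 — including Hygon 0x18, which the hunk's own inventory comment lists as affected. Make that branch `pvulnstatus "$cve" UNK "your CPU is affected but this script has no mitigation check for its CPU family"` and fold family 0x18 into the 0x17 branch. In check_CVE_2022_29901_linux, the verdict `elif [ "$cap_ibrs_all" = 1 ]` → OK "Enhanced IBRS (IBRS_ALL) mitigates the vulnerability" is based on a CPU capability bit, which says nothing about whether the kernel actually enabled eIBRS (it would not under spectre_v2=off / mitigations=off), so without sysfs that should be UNK unless the kernel's spectre_v2 state is also confirmed; the same fail-open applies to `elif [ -n "$kernel_ibrs_entry" ]`, because the config-unreadable path stores a non-empty "(IBRS_ENTRY status unknown)" placeholder in that variable.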
@@ -7787,15 +8693,13 @@ check_CVE_2023_20569_bsd() {
 # >>>>>> vulns/CVE-2023-20593.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-####################
-# Zenbleed section
+###############################
+# CVE-2023-20593, Zenbleed, Cross-Process Information Leak
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - entry point
 check_CVE_2023_20593() {
 check_cve 'CVE-2023-20593'
 }
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - Linux mitigation check
 check_CVE_2023_20593_linux() {
 local status sys_interface_available msg kernel_zenbleed kernel_zenbleed_err fp_backup_fix ucode_zenbleed zenbleed_print_vuln ret
 status=UNK
@@ -7907,7 +8811,6 @@ check_CVE_2023_20593_linux() {
 fi
 }
-# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
 check_CVE_2023_20593_bsd() {
 local zenbleed_enable zenbleed_state kernel_zenbleed
 pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "
@@ -7964,15 +8867,13 @@ check_CVE_2023_20593_bsd() {
 # >>>>>> vulns/CVE-2023-23583.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-#######################
-# Reptar section
+###############################
+# CVE-2023-23583, Reptar, Redundant Prefix Issue
-# CVE-2023-23583 Reptar (redundant prefix issue) - entry point
 check_CVE_2023_23583() {
 check_cve 'CVE-2023-23583'
 }
-# CVE-2023-23583 Reptar (redundant prefix issue) - Linux mitigation check
 check_CVE_2023_23583_linux() {
 local status sys_interface_available msg
 status=UNK
@@ -7982,8 +8883,13 @@ check_CVE_2023_23583_linux() {
 # there is no sysfs file for this vuln, and no kernel patch,
 # the mitigation is only ucode-based and there's no flag exposed,
 # so most of the work has already been done by is_cpu_affected()
+ # shellcheck disable=SC2154
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -z "$g_reptar_fixed_ucode_version" ]; then
+ # CPU matched the model blacklist but has no known fixing microcode
+ # (likely an EOL stepping that Intel won't release a fix for)
+ pvulnstatus "$cve" VULN "your CPU is affected and no microcode update is available for your CPU stepping"
 else
 pr_info_nol "* Reptar is mitigated by microcode: "
 if [ "$cpu_ucode" -lt "$g_reptar_fixed_ucode_version" ]; then
@@ -7996,7 +8902,6 @@ check_CVE_2023_23583_linux() {
 fi
 }
-# CVE-2023-23583 Reptar (redundant prefix issue) - BSD mitigation check
 check_CVE_2023_23583_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
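Review bot: The new `elif [ -z "$g_reptar_fixed_ucode_version" ]` branch turns an absent table entry into a definitive VULN telling the user that no microcode update exists, while what the script knows at that point is only that its own fixed-microcode list has no version for this stepping, so a list that is merely out of date reads exactly like a vendor EOL decision. Phrasing it as a script-side gap is more honest, e.g. `pvulnstatus "$cve" VULN "your CPU is affected and this script knows no microcode version that fixes it for your CPU stepping"`, ideally followed by an `explain` asking the user to check their OEM or CPU vendor guidance for newer microcode. The same branch and message text are added for `g_bpi_fixed_ucode_version` in the CVE-2024-45332 hunk. check_CVE_2023_23583_linux continues outside this hunk on both sides.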
@@ -8005,18 +8910,182 @@ check_CVE_2023_23583_bsd() { fi } +# >>>>>> vulns/CVE-2024-28956.sh <<<<<< + +# vim: set ts=4 sw=4 sts=4 et: +############################### +# CVE-2024-28956, ITS, Indirect Target Selection + +check_CVE_2024_28956() { + check_cve 'CVE-2024-28956' +} + +check_CVE_2024_28956_linux() { + local status sys_interface_available msg kernel_its kernel_its_err ret + status=UNK + sys_interface_available=0 + msg='' + + if sys_interface_check "$VULN_SYSFS_BASE/indirect_target_selection"; then + # this kernel has the /sys interface, trust it over everything + sys_interface_available=1 + # + # Kernel source inventory for indirect_target_selection (ITS) + # + # --- sysfs messages --- + # all versions: + # "Not affected" (cpu_show_common, pre-existing) + # + # --- mainline --- + # f4818881c47f (v6.15-rc2, initial ITS sysfs): + # "Vulnerable" (ITS_MITIGATION_OFF) + # "Mitigation: Aligned branch/return thunks" (ITS_MITIGATION_ALIGNED_THUNKS) + # "Mitigation: Retpolines, Stuffing RSB" (ITS_MITIGATION_RETPOLINE_STUFF) + # 2665281a07e1 (v6.15-rc2, added vmexit option): + # "Mitigation: Vulnerable, KVM: Not affected" (ITS_MITIGATION_VMEXIT_ONLY) + # facd226f7e0c (v6.15-rc2, added stuff cmdline option): + # no string changes; added "stuff" boot param value + # 61ab72c2c6bf (v6.16-rc1, restructured select/update/apply): + # no string changes; added ITS_MITIGATION_AUTO (internal, resolved before display) + # split into its_select_mitigation() + its_update_mitigation() + its_apply_mitigation() + # 0cdd2c4f35cf (v6.18-rc1, attack vector controls): + # no string changes; added per-vector on/off control + # + # --- stable backports --- + # 5.10.y, 5.15.y, 6.1.y: 3 strings only (no VMEXIT_ONLY, no RETPOLINE_STUFF + # in 5.10/5.15/6.1). Uses CONFIG_RETPOLINE/CONFIG_RETHUNK (not CONFIG_MITIGATION_*). + # 6.6.y, 6.12.y, 6.14.y, 6.15.y: all 4 strings, full vmexit+stuff support. + # 6.16.y+: restructured 3-phase select/update/apply. 
+ # Not backported to: 5.4.y, 6.11.y, 6.13.y. + # + # --- RHEL/CentOS --- + # rocky9 (5.14): all 4 strings, restructured 3-phase version. + # rocky10 (6.12): all 4 strings, restructured 3-phase version. + # Not backported to: centos7, rocky8. + # + # --- Kconfig symbols --- + # f4818881c47f (v6.15-rc2): CONFIG_MITIGATION_ITS (default y) + # depends on CPU_SUP_INTEL && X86_64 && MITIGATION_RETPOLINE && MITIGATION_RETHUNK + # stable 5.10.y, 5.15.y, 6.1.y: CONFIG_MITIGATION_ITS + # depends on CONFIG_RETPOLINE && CONFIG_RETHUNK (pre-rename names) + # + # --- kernel functions (for $opt_map / System.map) --- + # f4818881c47f (v6.15-rc2): its_select_mitigation(), its_parse_cmdline(), + # its_show_state() + # 61ab72c2c6bf (v6.16-rc1): split into its_select_mitigation() + + # its_update_mitigation() + its_apply_mitigation() + # stable 5.10.y-6.15.y: its_select_mitigation() (no split) + # rocky9, rocky10: its_select_mitigation() + its_update_mitigation() + + # its_apply_mitigation() + # + # --- CPU affection logic (for is_cpu_affected) --- + # X86_BUG_ITS is set when ALL conditions are true: + # 1. Intel vendor, family 6 + # 2. CPU matches model blacklist (with stepping constraints) + # 3. ARCH_CAP_ITS_NO (bit 62 of IA32_ARCH_CAPABILITIES) is NOT set + # 4. 
X86_FEATURE_BHI_CTRL is NOT present
+ # 159013a7ca18 (v6.15-rc2, initial model list):
+ # Intel: SKYLAKE_X (stepping > 5), KABYLAKE_L (stepping > 0xb),
+ # KABYLAKE (stepping > 0xc), ICELAKE_L, ICELAKE_D, ICELAKE_X,
+ # COMETLAKE, COMETLAKE_L, TIGERLAKE_L, TIGERLAKE, ROCKETLAKE
+ # (all steppings unless noted)
+ # ITS_NATIVE_ONLY flag (X86_BUG_ITS_NATIVE_ONLY): set for
+ # ICELAKE_L, ICELAKE_D, ICELAKE_X, TIGERLAKE_L, TIGERLAKE, ROCKETLAKE
+ # These CPUs are affected for user-to-kernel but NOT guest-to-host (VMX)
+ # immunity: ARCH_CAP_ITS_NO (bit 62 of IA32_ARCH_CAPABILITIES)
+ # immunity: X86_FEATURE_BHI_CTRL (none of the affected CPUs have this)
+ # vendor scope: Intel only
+ #
+ # all messages start with either "Not affected", "Vulnerable", or "Mitigation"
+ status=$ret_sys_interface_check_status
+ fi
+
+ if [ "$opt_sysfs_only" != 1 ]; then
+ pr_info_nol "* Kernel supports ITS mitigation: "
+ kernel_its=''
+ kernel_its_err=''
+ if [ -n "$g_kernel_err" ]; then
+ kernel_its_err="$g_kernel_err"
+ elif grep -q 'indirect_target_selection' "$g_kernel"; then
+ kernel_its="found indirect_target_selection in kernel image"
+ fi
+ if [ -z "$kernel_its" ] && [ -r "$opt_config" ]; then
+ if grep -q '^CONFIG_MITIGATION_ITS=y' "$opt_config"; then
+ kernel_its="ITS mitigation config option found enabled in kernel config"
+ fi
+ fi
+ if [ -z "$kernel_its" ] && [ -n "$opt_map" ]; then
+ if grep -q 'its_select_mitigation' "$opt_map"; then
+ kernel_its="found its_select_mitigation in System.map"
+ fi
+ fi
+ if [ -n "$kernel_its" ]; then
+ pstatus green YES "$kernel_its"
+ elif [ -n "$kernel_its_err" ]; then
+ pstatus yellow UNKNOWN "$kernel_its_err"
+ else
+ pstatus yellow NO
+ fi
+
+ pr_info_nol "* CPU explicitly indicates not being affected by ITS (ITS_NO): "
+ if [ "$cap_its_no" = -1 ]; then
+ pstatus yellow UNKNOWN
+ elif [ "$cap_its_no" = 1 ]; then
+ pstatus green YES
+ else
+ pstatus yellow NO
+ fi
+
+ elif [ "$sys_interface_available" = 0 ]; then
+ # we have no sysfs but
were asked to use it only!
+ msg="/sys vulnerability interface use forced, but it's not available!"
+ status=UNK
+ fi
+
+ if ! is_cpu_affected "$cve"; then
+ # override status & msg in case CPU is not vulnerable after all
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -z "$msg" ]; then
+ # if msg is empty, sysfs check didn't fill it, rely on our own test
+ if [ "$opt_sysfs_only" != 1 ]; then
+ if [ "$cap_its_no" = 1 ]; then
+ pvulnstatus "$cve" OK "CPU is not affected (ITS_NO)"
+ elif [ -n "$kernel_its" ]; then
+ pvulnstatus "$cve" OK "Kernel mitigates the vulnerability"
+ elif [ -z "$kernel_its" ] && [ -z "$kernel_its_err" ]; then
+ pvulnstatus "$cve" VULN "Your kernel doesn't support ITS mitigation"
+ explain "Update your kernel to a version that includes ITS mitigation (Linux 6.15+, or check\n" \
+ "if your distro has a backport). Also update your CPU microcode to ensure IBPB fully\n" \
+ "flushes indirect branch predictions (microcode-20250512+)."
+ else
+ pvulnstatus "$cve" UNK "couldn't determine mitigation status: $kernel_its_err"
+ fi
+ else
+ pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+ fi
+ else
+ pvulnstatus "$cve" "$status" "$msg"
+ fi
+}
+
+check_CVE_2024_28956_bsd() {
+ if !
is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ else
+ pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+ fi
+}
+
 # >>>>>> vulns/CVE-2024-36350.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-####################
-# TSA-SQ section
+###############################
+# CVE-2024-36350, TSA-SQ, Transient Scheduler Attack Store Queue
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - entry point
 check_CVE_2024_36350() {
 check_cve 'CVE-2024-36350'
 }
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - Linux mitigation check
 check_CVE_2024_36350_linux() {
 local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled
 status=UNK
@@ -8176,7 +9245,6 @@ check_CVE_2024_36350_linux() {
 fi
 }
-# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - BSD mitigation check
 check_CVE_2024_36350_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -8188,15 +9256,13 @@ check_CVE_2024_36350_bsd() {
 # >>>>>> vulns/CVE-2024-36357.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
-####################
-# TSA-L1 section
+###############################
+# CVE-2024-36357, TSA-L1, Transient Scheduler Attack L1
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - entry point
 check_CVE_2024_36357() {
 check_cve 'CVE-2024-36357'
 }
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
 check_CVE_2024_36357_linux() {
 local status sys_interface_available msg kernel_tsa kernel_tsa_err
 status=UNK
@@ -8349,7 +9415,6 @@ check_CVE_2024_36357_linux() {
 fi
 }
-# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - BSD mitigation check
 check_CVE_2024_36357_bsd() {
 if ! is_cpu_affected "$cve"; then
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
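Review bot: In the non-sysfs branch of check_CVE_2024_28956_linux, a kernel that merely contains the ITS code is reported as `OK "Kernel mitigates the vulnerability"`, which is more than the evidence shows: this path only runs when sysfs gave no answer, and nothing here rules out the mitigation being disabled or restricted at boot (the inventory in the same function lists an ITS_MITIGATION_OFF state and the `vmexit` and `stuff` boot values). Reporting support rather than mitigation would be safer, e.g. `pvulnstatus "$cve" UNK "Kernel supports ITS mitigation, but its runtime status couldn't be confirmed without sysfs"`, unless the script already has a kernel command-line check that can be consulted at this point. As a style point, the `[ -z "$kernel_its" ]` in `elif [ -z "$kernel_its" ] && [ -z "$kernel_its_err" ]` is always true once the preceding `-n` test has failed and can be dropped; the same redundant test appears in the `kernel_vmscape` chain of the CVE-2025-40300 hunk.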
@@ -8358,6 +9423,212 @@ check_CVE_2024_36357_bsd() {
 fi
 }
+# >>>>>> vulns/CVE-2024-45332.sh <<<<<<
+
+# vim: set ts=4 sw=4 sts=4 et:
+###############################
+# CVE-2024-45332, BPI, Branch Privilege Injection
+
+check_CVE_2024_45332() {
+ check_cve 'CVE-2024-45332'
+}
+
+check_CVE_2024_45332_linux() {
+ local status sys_interface_available msg
+ status=UNK
+ sys_interface_available=0
+ msg=''
+
+ # There is no dedicated sysfs file for this vulnerability, and no kernel
+ # mitigation code. The fix is purely a microcode update that corrects the
+ # asynchronous branch predictor update timing so that eIBRS and IBPB work
+ # as originally intended. There is no new CPUID bit, MSR bit, or ARCH_CAP
+ # flag to detect the fix, so we hardcode known-fixing microcode versions
+ # per CPU (see bpi_ucode_list in is_cpu_affected).
+
+ # shellcheck disable=SC2154
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -z "$g_bpi_fixed_ucode_version" ]; then
+ # CPU matched the model blacklist but has no known fixing microcode
+ # (likely an EOL stepping that Intel won't release a fix for)
+ pvulnstatus "$cve" VULN "your CPU is affected and no microcode update is available for your CPU stepping"
+ explain "CVE-2024-45332 (Branch Privilege Injection) is a race condition in the branch predictor\n" \
+ "that undermines eIBRS and IBPB protections. The fix is a microcode update, but no\n" \
+ "update is available for your specific CPU stepping."
+ else
+ pr_info_nol "* BPI is mitigated by microcode: "
+ if [ "$cpu_ucode" -lt "$g_bpi_fixed_ucode_version" ]; then
+ pstatus yellow NO "You have ucode $(printf "0x%x" "$cpu_ucode") and version $(printf "0x%x" "$g_bpi_fixed_ucode_version") minimum is required"
+ pvulnstatus "$cve" VULN "Your microcode is too old to mitigate the vulnerability"
+ explain "CVE-2024-45332 (Branch Privilege Injection) is a race condition in the branch predictor\n" \
+ "that undermines eIBRS and IBPB protections. The fix is a microcode update only.\n" \
+ "No kernel changes are required."
+ else
+ pstatus green YES "You have ucode $(printf "0x%x" "$cpu_ucode") which is recent enough (>= $(printf "0x%x" "$g_bpi_fixed_ucode_version"))"
+ pvulnstatus "$cve" OK "Your microcode mitigates the vulnerability"
+ fi
+ fi
+}
+
+check_CVE_2024_45332_bsd() {
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ else
+ pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+ fi
+}
+
+# >>>>>> vulns/CVE-2025-40300.sh <<<<<<
+
+# vim: set ts=4 sw=4 sts=4 et:
+###############################
+# CVE-2025-40300, VMScape, VM-Exit Stale Branch Prediction
+
+check_CVE_2025_40300() {
+ check_cve 'CVE-2025-40300'
+}
+
+check_CVE_2025_40300_linux() {
+ local status sys_interface_available msg kernel_vmscape kernel_vmscape_err
+ status=UNK
+ sys_interface_available=0
+ msg=''
+
+ if sys_interface_check "$VULN_SYSFS_BASE/vmscape"; then
+ # this kernel has the /sys interface, trust it over everything
+ sys_interface_available=1
+ #
+ # Kernel source inventory for vmscape, traced via git blame:
+ #
+ # --- sysfs messages ---
+ # all versions:
+ # "Not affected" (cpu_show_common, pre-existing)
+ #
+ # --- mainline ---
+ # a508cec6e521 (v6.17-rc6, initial vmscape sysfs):
+ # "Vulnerable" (VMSCAPE_MITIGATION_NONE)
+ # "Mitigation: IBPB before exit to userspace"
(VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER)
+ # 2f8f17341 (v6.17-rc6, vmscape_update_mitigation):
+ # "Mitigation: IBPB on VMEXIT" (VMSCAPE_MITIGATION_IBPB_ON_VMEXIT)
+ # (when retbleed uses IBPB or srso uses IBPB_ON_VMEXIT)
+ #
+ # --- stable backports ---
+ # 6.16.x (v6.16.7): identical to mainline (d83e6111337f)
+ # 6.12.x (v6.12.47): identical to mainline (7c62c442b6eb)
+ # 6.6.x (v6.6.106): identical to mainline (813cb831439c)
+ # 6.1.x (v6.1.152): identical strings; uses VULNBL_INTEL_STEPPINGS macro,
+ # missing ARROWLAKE_U, ATOM_CRESTMONT_X, AMD 0x1a.
+ # Uses ALDERLAKE_N instead of type-specific ALDERLAKE split. (304d1fb275af)
+ #
+ # --- RHEL/CentOS ---
+ # Not yet backported.
+ #
+ # --- Kconfig symbols ---
+ # a508cec6e521 (v6.17-rc6): CONFIG_MITIGATION_VMSCAPE (default y)
+ # depends on KVM
+ #
+ # --- kernel functions (for $opt_map / System.map) ---
+ # a508cec6e521 (v6.17-rc6): vmscape_select_mitigation(),
+ # vmscape_update_mitigation(), vmscape_apply_mitigation(),
+ # vmscape_parse_cmdline(), vmscape_show_state()
+ #
+ # --- CPU affection logic (for is_cpu_affected) ---
+ # X86_BUG_VMSCAPE is set when ALL conditions are true:
+ # 1. CPU matches model blacklist
+ # 2.
X86_FEATURE_HYPERVISOR is NOT set (bare metal only) + # a508cec6e521 (v6.17-rc6, initial model list): + # Intel: SKYLAKE_X, SKYLAKE_L, SKYLAKE, KABYLAKE_L, KABYLAKE, + # CANNONLAKE_L, COMETLAKE, COMETLAKE_L, ALDERLAKE, + # ALDERLAKE_L, RAPTORLAKE, RAPTORLAKE_P, RAPTORLAKE_S, + # METEORLAKE_L, ARROWLAKE_H, ARROWLAKE, ARROWLAKE_U, + # LUNARLAKE_M, SAPPHIRERAPIDS_X, GRANITERAPIDS_X, + # EMERALDRAPIDS_X, ATOM_GRACEMONT, ATOM_CRESTMONT_X + # AMD: family 0x17 (Zen 1/+/2), family 0x19 (Zen 3/4), + # family 0x1a (Zen 5) + # Hygon: family 0x18 + # 8a68d64bb103 (v6.17-rc6, added old Intel CPUs): + # Intel: + SANDYBRIDGE_X, SANDYBRIDGE, IVYBRIDGE_X, IVYBRIDGE, + # HASWELL, HASWELL_L, HASWELL_G, HASWELL_X, + # BROADWELL_D, BROADWELL_X, BROADWELL_G, BROADWELL + # Intel NOT affected: ICELAKE_*, TIGERLAKE_*, LAKEFIELD, ROCKETLAKE, + # ATOM_TREMONT_*, ATOM_GOLDMONT_* + # immunity: no ARCH_CAP bits β€” determination is purely via blacklist + # note: bare metal only (X86_FEATURE_HYPERVISOR excludes guests) + # vendor scope: Intel + AMD + Hygon + # + # all messages start with either "Not affected", "Vulnerable", or "Mitigation" + status=$ret_sys_interface_check_status + fi + + if [ "$opt_sysfs_only" != 1 ]; then + check_has_vmm + pr_info_nol "* Kernel supports VMScape mitigation: " + kernel_vmscape='' + kernel_vmscape_err='' + if [ -n "$g_kernel_err" ]; then + kernel_vmscape_err="$g_kernel_err" + elif grep -q 'vmscape' "$g_kernel"; then + kernel_vmscape="found vmscape in kernel image" + fi + if [ -z "$kernel_vmscape" ] && [ -r "$opt_config" ]; then + if grep -q '^CONFIG_MITIGATION_VMSCAPE=y' "$opt_config"; then + kernel_vmscape="VMScape mitigation config option found enabled in kernel config" + fi + fi + if [ -z "$kernel_vmscape" ] && [ -n "$opt_map" ]; then + if grep -q 'vmscape_select_mitigation' "$opt_map"; then + kernel_vmscape="found vmscape_select_mitigation in System.map" + fi + fi + if [ -n "$kernel_vmscape" ]; then + pstatus green YES "$kernel_vmscape" + elif [ -n 
"$kernel_vmscape_err" ]; then
+ pstatus yellow UNKNOWN "$kernel_vmscape_err"
+ else
+ pstatus yellow NO
+ fi
+
+ elif [ "$sys_interface_available" = 0 ]; then
+ # we have no sysfs but were asked to use it only!
+ msg="/sys vulnerability interface use forced, but it's not available!"
+ status=UNK
+ fi
+
+ if ! is_cpu_affected "$cve"; then
+ # override status & msg in case CPU is not vulnerable after all
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ -z "$msg" ]; then
+ # if msg is empty, sysfs check didn't fill it, rely on our own test
+ if [ "$opt_sysfs_only" != 1 ]; then
+ if [ "$g_has_vmm" = 0 ]; then
+ pvulnstatus "$cve" OK "this system is not running a hypervisor"
+ elif [ -n "$kernel_vmscape" ]; then
+ pvulnstatus "$cve" OK "Kernel mitigates the vulnerability"
+ elif [ -z "$kernel_vmscape" ] && [ -z "$kernel_vmscape_err" ]; then
+ pvulnstatus "$cve" VULN "Your kernel doesn't support VMScape mitigation"
+ explain "Update your kernel to a version that includes the VMScape mitigation (Linux 6.18+, or check\n" \
+ "if your distro has a backport). The mitigation issues IBPB before returning to userspace\n" \
+ "after a VM exit, preventing stale guest branch predictions from leaking host kernel memory."
+ else
+ pvulnstatus "$cve" UNK "couldn't determine mitigation status: $kernel_vmscape_err"
+ fi
+ else
+ pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+ fi
+ else
+ pvulnstatus "$cve" "$status" "$msg"
+ fi
+}
+
+check_CVE_2025_40300_bsd() {
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ else
+ pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+ fi
+}
+
 # >>>>>> main.sh <<<<<<
 # vim: set ts=4 sw=4 sts=4 et:
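Review bot: In check_CVE_2024_45332_linux, `if [ "$cpu_ucode" -lt "$g_bpi_fixed_ucode_version" ]` lands in the `else` branch — and so in `OK "Your microcode mitigates the vulnerability"` — whenever `$cpu_ucode` is empty or not an integer, because `test` then fails with an error instead of comparing; if the microcode version can be unknown on some systems, a guard such as `elif [ -z "$cpu_ucode" ]; then pvulnstatus "$cve" UNK "couldn't read your CPU microcode version"` placed before the comparison avoids a false OK (the pre-existing Reptar check has the same shape). Separately, the VMScape `explain` text sends users to "Linux 6.18+" while the inventory comment in the same function dates the mitigation to a508cec6e521 in v6.17-rc6 and lists 6.16.7, 6.12.47, 6.6.106 and 6.1.152 stable backports, so one of the two is wrong; if the inventory is right the string should read `(Linux 6.17+, or check\n"`.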