enh: add known fixed ucode versions for CVE-2023-23583 (Reptar) and CVE-2024-45332 (BPI)

2026-04-09 10:13:18 +02:00 · 2026-04-04 17:50:04 +02:00
parent 090f109c52
commit cccb3c0081
4 changed files with 135 additions and 26 deletions
--- a/src/vulns/CVE-2023-23583.sh
+++ b/src/vulns/CVE-2023-23583.sh
@@ -15,8 +15,13 @@ check_CVE_2023_23583_linux() {
    # there is no sysfs file for this vuln, and no kernel patch,
    # the mitigation is only ucode-based and there's no flag exposed,
    # so most of the work has already been done by is_cpu_affected()
+    # shellcheck disable=SC2154
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$g_reptar_fixed_ucode_version" ]; then
+        # CPU matched the model blacklist but has no known fixing microcode
+        # (likely an EOL stepping that Intel won't release a fix for)
+        pvulnstatus "$cve" VULN "your CPU is affected and no microcode update is available for your CPU stepping"
    else
        pr_info_nol "* Reptar is mitigated by microcode: "
        if [ "$cpu_ucode" -lt "$g_reptar_fixed_ucode_version" ]; then
--- a/src/vulns/CVE-2024-45332.sh
+++ b/src/vulns/CVE-2024-45332.sh
@@ -13,21 +13,34 @@ check_CVE_2024_45332_linux() {
    msg=''

    # There is no dedicated sysfs file for this vulnerability, and no kernel
-    # mitigation code.  The fix is purely a microcode update (intel-microcode
-    # 20250512+) that corrects the asynchronous branch predictor update timing
-    # so that eIBRS and IBPB work as originally intended.  There is no new
-    # CPUID bit, MSR bit, or ARCH_CAP flag to detect the fix.  The only
-    # reliable indicator is the microcode version, which we cannot check
-    # without violating design principle 3 (never hardcode microcode versions).
+    # mitigation code.  The fix is purely a microcode update that corrects the
+    # asynchronous branch predictor update timing so that eIBRS and IBPB work
+    # as originally intended.  There is no new CPUID bit, MSR bit, or ARCH_CAP
+    # flag to detect the fix, so we hardcode known-fixing microcode versions
+    # per CPU (see bpi_ucode_list in is_cpu_affected).

+    # shellcheck disable=SC2154
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
-    else
-        pvulnstatus "$cve" UNK "the microcode fix for this vulnerability cannot be detected (no CPUID/MSR indicator); ensure you have intel-microcode 20250512 or later installed"
+    elif [ -z "$g_bpi_fixed_ucode_version" ]; then
+        # CPU matched the model blacklist but has no known fixing microcode
+        # (likely an EOL stepping that Intel won't release a fix for)
+        pvulnstatus "$cve" VULN "your CPU is affected and no microcode update is available for your CPU stepping"
        explain "CVE-2024-45332 (Branch Privilege Injection) is a race condition in the branch predictor\n" \
-            "that undermines eIBRS and IBPB protections. The fix is a microcode update only (intel-microcode\n" \
-            "20250512+). No kernel changes are required. Verify your microcode version with: grep microcode\n" \
-            "/proc/cpuinfo. Contact your OS vendor to ensure the latest Intel microcode package is installed."
+            "that undermines eIBRS and IBPB protections. The fix is a microcode update, but no\n" \
+            "update is available for your specific CPU stepping."
+    else
+        pr_info_nol "* BPI is mitigated by microcode: "
+        if [ "$cpu_ucode" -lt "$g_bpi_fixed_ucode_version" ]; then
+            pstatus yellow NO "You have ucode $(printf "0x%x" "$cpu_ucode") and version $(printf "0x%x" "$g_bpi_fixed_ucode_version") minimum is required"
+            pvulnstatus "$cve" VULN "Your microcode is too old to mitigate the vulnerability"
+            explain "CVE-2024-45332 (Branch Privilege Injection) is a race condition in the branch predictor\n" \
+                "that undermines eIBRS and IBPB protections. The fix is a microcode update only.\n" \
+                "No kernel changes are required."
+        else
+            pstatus green YES "You have ucode $(printf "0x%x" "$cpu_ucode") which is recent enough (>= $(printf "0x%x" "$g_bpi_fixed_ucode_version"))"
+            pvulnstatus "$cve" OK "Your microcode mitigates the vulnerability"
+        fi
    fi
 }