split script in multiple files, reassembled through build.sh

2026-04-07 17:23:18 +02:00 · 2026-03-30 20:04:16 +02:00
parent 7e660812e9
commit cebda01d05
47 changed files with 7712 additions and 7617 deletions
--- a/src/vulns/CVE-2018-12207.sh
+++ b/src/vulns/CVE-2018-12207.sh
@@ -0,0 +1,111 @@
+# vim: set ts=4 sw=4 sts=4 et:
+#######################
+# iTLB Multihit section
+
+# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - entry point
+check_CVE_2018_12207() {
+    check_cve 'CVE-2018-12207'
+}
+
+# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - Linux mitigation check
+check_CVE_2018_12207_linux() {
+    local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/itlb_multihit"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        check_has_vmm
+
+        pr_info_nol "* iTLB Multihit mitigation is supported by kernel: "
+        kernel_itlbmh=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_itlbmh_err="$g_kernel_err"
+        # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+        elif grep -q 'itlb_multihit' "$g_kernel"; then
+            kernel_itlbmh="found itlb_multihit in kernel image"
+        fi
+        if [ -n "$kernel_itlbmh" ]; then
+            pstatus green YES "$kernel_itlbmh"
+        elif [ -n "$kernel_itlbmh_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_itlbmh_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* iTLB Multihit mitigation enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'Mitigation'; then
+                    pstatus green YES "$ret_sys_interface_check_fullmsg"
+                else
+                    pstatus yellow NO
+                fi
+            else
+                pstatus yellow NO "itlb_multihit not found in sysfs hierarchy"
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$g_has_vmm" = 0 ]; then
+        pvulnstatus "$cve" OK "this system is not running a hypervisor"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_live" = 1 ]; then
+            # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
+            pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+        else
+            if [ -n "$kernel_itlbmh" ]; then
+                pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
+            else
+                pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+            fi
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
+
+# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - BSD mitigation check
+check_CVE_2018_12207_bsd() {
+    local kernel_2m_x_ept
+    pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+    kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+    if [ -z "$kernel_2m_x_ept" ]; then
+        pstatus yellow NO
+    else
+        pstatus green YES
+    fi
+
+    pr_info_nol "* Superpages are disabled for executable mappings under EPT: "
+    if [ "$kernel_2m_x_ept" = 0 ]; then
+        pstatus green YES
+    else
+        pstatus yellow NO
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$kernel_2m_x_ept" ]; then
+        pvulnstatus "$cve" VULN "Your kernel doesn't support mitigating this CVE, you should update it"
+    elif [ "$kernel_2m_x_ept" != 0 ]; then
+        pvulnstatus "$cve" VULN "Your kernel supports mitigating this CVE, but the mitigation is disabled"
+        explain "To enable the mitigation, use \`sysctl vm.pmap.allow_2m_x_ept=0\`"
+    else
+        pvulnstatus "$cve" OK "Your kernel has support for mitigation and the mitigation is enabled"
+    fi
+}