split script in multiple files, reassembled through build.sh

2026-04-11 11:13:21 +02:00 · 2026-03-30 20:04:16 +02:00
parent 7e660812e9
commit cebda01d05
47 changed files with 7712 additions and 7617 deletions
--- a/src/vulns/CVE-2022-40982.sh
+++ b/src/vulns/CVE-2022-40982.sh
@@ -0,0 +1,99 @@
+# vim: set ts=4 sw=4 sts=4 et:
+#########################
+# Downfall section
+
+# CVE-2022-40982 Downfall (gather data sampling) - entry point
+check_CVE_2022_40982() {
+    check_cve 'CVE-2022-40982'
+}
+
+# CVE-2022-40982 Downfall (gather data sampling) - Linux mitigation check
+check_CVE_2022_40982_linux() {
+    local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    if sys_interface_check "$VULN_SYSFS_BASE/gather_data_sampling"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* GDS is mitigated by microcode: "
+        if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
+            pstatus green OK "microcode mitigation is supported and enabled"
+        else
+            pstatus yellow NO
+        fi
+        pr_info_nol "* Kernel supports software mitigation by disabling AVX: "
+        if [ -n "$g_kernel_err" ]; then
+            kernel_gds_err="$g_kernel_err"
+        elif grep -q 'gather_data_sampling' "$g_kernel"; then
+            kernel_gds="found gather_data_sampling in kernel image"
+        fi
+        if [ -n "$kernel_gds" ]; then
+            pstatus green YES "$kernel_gds"
+        elif [ -n "$kernel_gds_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_gds_err"
+        else
+            pstatus yellow NO
+        fi
+
+        if [ -n "$kernel_gds" ]; then
+            pr_info_nol "* Kernel has disabled AVX as a mitigation: "
+
+            # Check dmesg message to see whether AVX has been disabled
+            dmesg_grep 'Microcode update needed! Disabling AVX as mitigation'
+            dmesgret=$?
+            if [ "$dmesgret" -eq 0 ]; then
+                kernel_avx_disabled="AVX disabled by the kernel (dmesg)"
+                pstatus green YES "$kernel_avx_disabled"
+            elif [ "$cap_avx2" = 0 ]; then
+                # Find out by ourselves
+                # cpuinfo says we don't have AVX2, query
+                # the CPU directly about AVX2 support
+                read_cpuid 0x7 0x0 "$EBX" 5 1 1
+                ret=$?
+                if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then
+                    kernel_avx_disabled="AVX disabled by the kernel (cpuid)"
+                    pstatus green YES "$kernel_avx_disabled"
+                elif [ "$ret" -eq "$READ_CPUID_RET_KO" ]; then
+                    pstatus yellow NO "CPU doesn't support AVX"
+                elif [ "$dmesgret" -eq 2 ]; then
+                    pstatus yellow UNKNOWN "dmesg truncated, can't tell whether mitigation is active, please reboot and relaunch this script"
+                else
+                    pstatus yellow UNKNOWN "No sign of mitigation in dmesg and couldn't read cpuid info"
+                fi
+            else
+                pstatus yellow NO "AVX support is enabled"
+            fi
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
+            pvulnstatus "$cve" OK "Your microcode is up to date and mitigation is enabled"
+        elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then
+            pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
+        elif [ -z "$kernel_gds" ]; then
+            pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
+        elif [ -z "$kernel_avx_disabled" ]; then
+            pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel support the mitigation but the script did not detect AVX as disabled by the kernel"
+        else
+            pvulnstatus "$cve" OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support"
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}