split script in multiple files, reassembled through build.sh

src/vulns/CVE-2023-20593.sh

@@ -0,0 +1,120 @@
+# vim: set ts=4 sw=4 sts=4 et:
+####################
+# Zenbleed section
+
+# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - entry point
+check_CVE_2023_20593() {
+    check_cve 'CVE-2023-20593'
+}
+
+# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - Linux mitigation check
+check_CVE_2023_20593_linux() {
+    local status sys_interface_available msg kernel_zenbleed kernel_zenbleed_err fp_backup_fix ucode_zenbleed zenbleed_print_vuln ret
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Zenbleed mitigation is supported by kernel: "
+        kernel_zenbleed=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_zenbleed_err="$g_kernel_err"
+        # commit 522b1d69219d8f083173819fde04f994aa051a98
+        elif grep -q 'Zenbleed:' "$g_kernel"; then
+            kernel_zenbleed="found zenbleed message in kernel image"
+        fi
+        if [ -n "$kernel_zenbleed" ]; then
+            pstatus green YES "$kernel_zenbleed"
+        elif [ -n "$kernel_zenbleed_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_zenbleed_err"
+        else
+            pstatus yellow NO
+        fi
+        pr_info_nol "* Zenbleed kernel mitigation enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            # read the DE_CFG MSR, we want to check the 9th bit
+            # don't do it on non-Zen2 AMD CPUs or later, aka Family 17h,
+            # as the behavior could be unknown on others
+            if is_amd && [ "$cpu_family" -ge $((0x17)) ]; then
+                read_msr 0xc0011029
+                ret=$?
+                if [ "$ret" = "$READ_MSR_RET_OK" ]; then
+                    if [ $((ret_read_msr_value >> 9 & 1)) -eq 1 ]; then
+                        pstatus green YES "FP_BACKUP_FIX bit set in DE_CFG"
+                        fp_backup_fix=1
+                    else
+                        pstatus yellow NO "FP_BACKUP_FIX is cleared in DE_CFG"
+                        fp_backup_fix=0
+                    fi
+                elif [ "$ret" = "$READ_MSR_RET_KO" ]; then
+                    pstatus yellow UNKNOWN "Couldn't read the DE_CFG MSR"
+                else
+                    pstatus yellow UNKNOWN "$ret_read_msr_msg"
+                fi
+            else
+                fp_backup_fix=0
+                pstatus blue N/A "CPU is incompatible"
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pr_info_nol "* Zenbleed mitigation is supported by CPU microcode: "
+        has_zenbleed_fixed_firmware
+        ret=$?
+        if [ "$ret" -eq 0 ]; then
+            pstatus green YES
+            ucode_zenbleed=1
+        elif [ "$ret" -eq 1 ]; then
+            pstatus yellow NO
+            ucode_zenbleed=2
+        else
+            pstatus yellow UNKNOWN
+            ucode_zenbleed=3
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        zenbleed_print_vuln=0
+        if [ "$opt_live" = 1 ]; then
+            if [ "$fp_backup_fix" = 1 ] && [ "$ucode_zenbleed" = 1 ]; then
+                # this should never happen, but if it does, it's interesting to know
+                pvulnstatus "$cve" OK "Both your CPU microcode and kernel are mitigating Zenbleed"
+            elif [ "$ucode_zenbleed" = 1 ]; then
+                pvulnstatus "$cve" OK "Your CPU microcode mitigates Zenbleed"
+            elif [ "$fp_backup_fix" = 1 ]; then
+                pvulnstatus "$cve" OK "Your kernel mitigates Zenbleed"
+            else
+                zenbleed_print_vuln=1
+            fi
+        else
+            if [ "$ucode_zenbleed" = 1 ]; then
+                pvulnstatus "$cve" OK "Your CPU microcode mitigates Zenbleed"
+            elif [ -n "$kernel_zenbleed" ]; then
+                pvulnstatus "$cve" OK "Your kernel mitigates Zenbleed"
+            else
+                zenbleed_print_vuln=1
+            fi
+        fi
+        if [ "$zenbleed_print_vuln" = 1 ]; then
+            pvulnstatus "$cve" VULN "Your kernel is too old to mitigate Zenbleed and your CPU microcode doesn't mitigate it either"
+            explain "Your CPU vendor may have a new microcode for your CPU model that mitigates this issue (refer to the hardware section above).\n " \
+                "Otherwise, the Linux kernel is able to mitigate this issue regardless of the microcode version you have, but in this case\n " \
+                "your kernel is too old to support this, your Linux distribution vendor might have a more recent version you should upgrade to.\n " \
+                "Note that either having an up to date microcode OR an up to date kernel is enough to mitigate this issue.\n " \
+                "To manually mitigate the issue right now, you may use the following command: \`wrmsr -a 0xc0011029 \$((\$(rdmsr -c 0xc0011029) | (1<<9)))\`,\n " \
+                "however note that this manual mitigation will only be active until the next reboot."
+        fi
+        unset zenbleed_print_vuln
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}