feat: add CVE-2023-20593 (Zenbleed) mitigation detection for BSD
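--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -118,3 +118,57 @@ check_CVE_2023_20593_linux() {
 pvulnstatus "$cve" "$status" "$msg"
 fi
 }
+
+# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
+check_CVE_2023_20593_bsd() {
+local zenbleed_enable zenbleed_state kernel_zenbleed
+pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "
+zenbleed_enable=$(sysctl -n machdep.mitigations.zenbleed.enable 2>/dev/null)
+if [ -n "$zenbleed_enable" ]; then
+kernel_zenbleed=1
+case "$zenbleed_enable" in
+0) pstatus yellow YES "force disabled" ;;
+1) pstatus green YES "force enabled" ;;
+2) pstatus green YES "automatic (default)" ;;
+*) pstatus yellow YES "unknown value: $zenbleed_enable" ;;
+esac
+else
+kernel_zenbleed=0
+pstatus yellow NO
+fi
+
+pr_info_nol "* Zenbleed mitigation state: "
+zenbleed_state=$(sysctl -n machdep.mitigations.zenbleed.state 2>/dev/null)
+if [ -n "$zenbleed_state" ]; then
+if echo "$zenbleed_state" | grep -qi 'not.applicable\|mitigation.enabled'; then
+pstatus green YES "$zenbleed_state"
+elif echo "$zenbleed_state" | grep -qi 'mitigation.disabled'; then
+pstatus yellow NO "$zenbleed_state"
+else
+pstatus yellow UNKNOWN "$zenbleed_state"
+fi
+else
+pstatus yellow NO "sysctl not available"
+fi
+
+if ! is_cpu_affected "$cve"; then
+pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" != 0 ]; then
+if [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'mitigation.enabled'; then
+pvulnstatus "$cve" OK "Zenbleed mitigation is enabled ($zenbleed_state)"
+elif [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'not.applicable'; then
+pvulnstatus "$cve" OK "Zenbleed mitigation not applicable to this CPU ($zenbleed_state)"
+else
+pvulnstatus "$cve" OK "Zenbleed mitigation is enabled"
+fi
+elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" = 0 ]; then
+pvulnstatus "$cve" VULN "Zenbleed mitigation is supported but force disabled"
+explain "To re-enable Zenbleed mitigation, run \`sysctl machdep.mitigations.zenbleed.enable=2' for automatic mode.\n " \
+"To make this persistent, add 'machdep.mitigations.zenbleed.enable=2' to /etc/sysctl.conf."
+else
+pvulnstatus "$cve" VULN "your kernel doesn't support Zenbleed mitigation, update it"
+explain "Your CPU vendor may also have a new microcode for your CPU model that mitigates this issue.\n " \
+"Updating to FreeBSD 14.0 or later will provide kernel-level Zenbleed mitigation via the\n " \
+"machdep.mitigations.zenbleed sysctl."
+fi
+}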
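Review bot: The final fallback in the supported-and-not-force-disabled branch, `pvulnstatus "$cve" OK "Zenbleed mitigation is enabled"`, reports OK whenever the kernel exposes the enable sysctl with a non-zero value, even when machdep.mitigations.zenbleed.state was read and matched 'mitigation.disabled' (the very value the status display just rated `pstatus yellow NO`) or was an unrecognised string, so the verdict can contradict the evidence printed just above it. Before that `else`, add `elif [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'mitigation.disabled'; then` followed by `pvulnstatus "$cve" VULN "kernel reports Zenbleed mitigation as disabled ($zenbleed_state)"`, and reword the remaining fallback so it states that the state sysctl was unavailable and enablement is assumed from the enable value rather than observed. Separately, the `\|` alternation in `grep -qi 'not.applicable\|mitigation.enabled'` is a GNU BRE extension, which is a questionable dependency in a function written for BSD hosts; `grep -E -qi 'not.applicable|mitigation.enabled'` is the portable form, and the later single-pattern greps in the verdict branches are unaffected.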