peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-03 05:37:11 +02:00
Code Issues Projects Releases Wiki Activity

chore: add proper header to all src/vulns/* files

Browse Source 
built from commit 3ea8e213ec
 dated 2026-04-02 20:47:54 +0200
 by Stéphane Lesimple (speed47_github@speed47.net)
This commit is contained in:
github-actions[bot]
2026-04-02 19:35:40 +00:00
parent 5c571bacc6
commit fbfdb89e7a
1 changed files with 121 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

231
spectre-meltdown-checker.sh
View File

@@ -13,7 +13,7 @@
# #
# Stephane Lesimple # Stephane Lesimple
# #
VERSION='26.21.0402757' VERSION='26.21.0402815'
# --- Common paths and basedirs --- # --- Common paths and basedirs ---
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities" readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -492,6 +492,14 @@ is_cpu_affected() {
pr_debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling" pr_debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling"
fi fi
# NO_SPECTRE_V2: Centaur family 7 and Zhaoxin family 7 are immune to Spectre V2
# kernel commit 1e41a766c98b (v5.6-rc1): added NO_SPECTRE_V2 exemption
# Zhaoxin vendor_id is " Shanghai " in cpuinfo (parsed as "Shanghai" by awk)
if { [ "$cpu_vendor" = "CentaurHauls" ] || [ "$cpu_vendor" = "Shanghai" ]; } && [ "$cpu_family" = 7 ]; then
_infer_immune variant2
pr_debug "is_cpu_affected: Centaur/Zhaoxin family 7 immune to Spectre V2 (NO_SPECTRE_V2)"
fi
if is_cpu_specex_free; then if is_cpu_specex_free; then
_set_immune variant1 _set_immune variant1
_set_immune variant2 _set_immune variant2
@@ -897,6 +905,13 @@ is_cpu_specex_free() {
return 0 return 0
fi fi
fi fi
# Centaur family 5 and NSC family 5 are also non-speculative
if [ "$cpu_vendor" = "CentaurHauls" ] && [ "$cpu_family" = 5 ]; then
return 0
fi
if [ "$cpu_vendor" = "Geode by NSC" ] && [ "$cpu_family" = 5 ]; then
return 0
fi
[ "$cpu_family" = 4 ] && return 0 [ "$cpu_family" = 4 ] && return 0
return 1 return 1
} }
@@ -4567,16 +4582,14 @@ check_mds_linux() {
# >>>>>> vulns/CVE-2017-5715.sh <<<<<< # >>>>>> vulns/CVE-2017-5715.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# SPECTRE 2 SECTION # CVE-2017-5715, Spectre V2, Branch Target Injection
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - entry point
# Sets: vulnstatus # Sets: vulnstatus
check_CVE_2017_5715() { check_CVE_2017_5715() {
check_cve 'CVE-2017-5715' check_cve 'CVE-2017-5715'
} }
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - Linux mitigation check
# Sets: g_ibrs_can_tell, g_ibrs_supported, g_ibrs_enabled, g_ibrs_fw_enabled, # Sets: g_ibrs_can_tell, g_ibrs_supported, g_ibrs_enabled, g_ibrs_fw_enabled,
# g_ibpb_can_tell, g_ibpb_supported, g_ibpb_enabled, g_specex_knob_dir # g_ibpb_can_tell, g_ibpb_supported, g_ibpb_enabled, g_specex_knob_dir
check_CVE_2017_5715_linux() { check_CVE_2017_5715_linux() {
@@ -4776,6 +4789,43 @@ check_CVE_2017_5715_linux() {
# rocky9 (RHEL 9, kernel 5.14): matches mainline. Semicolons, BHI, all fields. # rocky9 (RHEL 9, kernel 5.14): matches mainline. Semicolons, BHI, all fields.
# rocky10 (RHEL 10, kernel 6.12): matches mainline. # rocky10 (RHEL 10, kernel 6.12): matches mainline.
# #
#
# --- Kconfig symbols ---
# 76b043848fd2 (v4.15-rc8): CONFIG_RETPOLINE
# f43b9876e857 (v5.19-rc7): CONFIG_CPU_IBRS_ENTRY (kernel IBRS on entry)
# aefb2f2e619b (v6.9-rc1): renamed CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE
# 1da8d2172ce5 (v6.9-rc1): renamed CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY
# ec9404e40e8f (v6.9-rc4): CONFIG_SPECTRE_BHI_ON / CONFIG_SPECTRE_BHI_OFF
# 4f511739c54b (v6.9-rc4): replaced by CONFIG_MITIGATION_SPECTRE_BHI
# 72c70f480a70 (v6.12-rc1): CONFIG_MITIGATION_SPECTRE_V2 (top-level on/off)
# 8754e67ad4ac (v6.15-rc7): CONFIG_MITIGATION_ITS (indirect target selection)
# stable 5.4.y-6.6.y: CONFIG_RETPOLINE (pre-rename)
# stable 6.12.y: CONFIG_MITIGATION_RETPOLINE, CONFIG_MITIGATION_SPECTRE_V2
#
# --- kernel functions (for $opt_map / System.map) ---
# da285121560e (v4.15-rc8): spectre_v2_select_mitigation(),
# spectre_v2_parse_cmdline(), nospectre_v2_parse_cmdline()
# 20ffa1caecca (v4.16-rc1): spectre_v2_module_string(), retpoline_module_ok()
# a8f76ae41cd6 (v4.20-rc5): spectre_v2_user_select_mitigation(),
# spectre_v2_user_parse_cmdline()
# 7c693f54c873 (v5.19-rc7): spectre_v2_in_ibrs_mode(), spectre_v2_in_eibrs_mode()
# 44a3918c8245 (v5.17-rc8): spectre_v2_show_state()
# 480e803dacf8 (v6.16-rc1): split into spectre_v2_select_mitigation() +
# spectre_v2_apply_mitigation() + spectre_v2_update_mitigation() +
# spectre_v2_user_apply_mitigation() + spectre_v2_user_update_mitigation()
#
# --- CPU affection logic (for is_cpu_affected) ---
# X86_BUG_SPECTRE_V2 is set for ALL x86 CPUs except:
# - CPUs matching NO_SPECULATION: family 4 (all vendors), Centaur/Intel/NSC/Vortex
# family 5, Intel Atom Bonnell/Saltwell
# - CPUs matching NO_SPECTRE_V2: Centaur family 7, Zhaoxin family 7
# 99c6fa2511d8 (v4.15-rc8): unconditional for all x86 CPUs
# 1e41a766c98b (v5.6-rc1): added NO_SPECTRE_V2 exemption for Centaur/Zhaoxin
# 98c7a713db91 (v6.15-rc1): added X86_BUG_SPECTRE_V2_USER as separate bit
# No MSR/CPUID immunity bits — purely whitelist-based.
# vendor scope: all x86 vendors affected (Intel, AMD, Hygon, etc.)
# except Centaur family 7 and Zhaoxin family 7.
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable" # all messages start with either "Not affected", "Mitigation", or "Vulnerable"
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
@@ -4900,6 +4950,19 @@ check_CVE_2017_5715_linux() {
if grep -q spec_ctrl "$opt_map"; then if grep -q spec_ctrl "$opt_map"; then
g_ibrs_supported="found spec_ctrl in symbols file" g_ibrs_supported="found spec_ctrl in symbols file"
pr_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map" pr_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
elif grep -q -e spectre_v2_select_mitigation -e spectre_v2_apply_mitigation "$opt_map"; then
# spectre_v2_select_mitigation exists since v4.15; split into
# spectre_v2_select_mitigation + spectre_v2_apply_mitigation in v6.16
g_ibrs_supported="found spectre_v2 mitigation function in symbols file"
pr_debug "ibrs: found spectre_v2_*_mitigation symbol in $opt_map"
fi
fi
# CONFIG_CPU_IBRS_ENTRY (v5.19) / CONFIG_MITIGATION_IBRS_ENTRY (v6.9): kernel IBRS on entry
if [ -z "$g_ibrs_supported" ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
g_ibrs_can_tell=1
if grep -q '^CONFIG_\(CPU_\|MITIGATION_\)IBRS_ENTRY=y' "$opt_config"; then
g_ibrs_supported="CONFIG_CPU_IBRS_ENTRY/CONFIG_MITIGATION_IBRS_ENTRY found in kernel config"
pr_debug "ibrs: found IBRS entry config option in $opt_config"
fi fi
fi fi
# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
@@ -5147,7 +5210,7 @@ check_CVE_2017_5715_linux() {
rsb_filling=0 rsb_filling=0
if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
# if we're live and we aren't denied looking into /sys, let's do it # if we're live and we aren't denied looking into /sys, let's do it
if echo "$msg" | grep -qw RSB; then if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then
rsb_filling=1 rsb_filling=1
pstatus green YES pstatus green YES
fi fi
@@ -5247,6 +5310,11 @@ check_CVE_2017_5715_linux() {
*) pstatus yellow UNKNOWN ;; *) pstatus yellow UNKNOWN ;;
esac esac
# --- SMT state (used in STIBP inference and verdict) ---
is_cpu_smt_enabled
smt_enabled=$?
# smt_enabled: 0=enabled, 1=disabled, 2=unknown
# --- v2_stibp_status --- # --- v2_stibp_status ---
pr_info_nol " * STIBP status: " pr_info_nol " * STIBP status: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then
@@ -5389,11 +5457,6 @@ check_CVE_2017_5715_linux() {
fi fi
fi fi
# --- SMT state (used in verdict) ---
is_cpu_smt_enabled
smt_enabled=$?
# smt_enabled: 0=enabled, 1=disabled, 2=unknown
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!" msg="/sys vulnerability interface use forced, but it's not available!"
@@ -5408,6 +5471,8 @@ check_CVE_2017_5715_linux() {
# --- own logic using Phase 2 variables --- # --- own logic using Phase 2 variables ---
# Helper: collect caveats for the verdict message # Helper: collect caveats for the verdict message
_v2_caveats='' _v2_caveats=''
# Append a caveat string to the _v2_caveats list
# Callers: check_CVE_2017_5715_linux (eIBRS, IBRS, retpoline verdict paths)
_v2_add_caveat() { _v2_caveats="${_v2_caveats:+$_v2_caveats; }$1"; } _v2_add_caveat() { _v2_caveats="${_v2_caveats:+$_v2_caveats; }$1"; }
# ARM branch predictor hardening (unchanged) # ARM branch predictor hardening (unchanged)
@@ -5675,6 +5740,9 @@ check_CVE_2017_5715_linux() {
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability" pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then
pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS" pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS"
# CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations
elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then
pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)"
elif [ "$g_ibrs_can_tell" != 1 ]; then elif [ "$g_ibrs_can_tell" != 1 ]; then
pvulnstatus "$cve" UNK "offline mode: not enough information" pvulnstatus "$cve" UNK "offline mode: not enough information"
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect." explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
@@ -5705,7 +5773,6 @@ check_CVE_2017_5715_linux() {
fi fi
} }
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - BSD mitigation check
# Sets: vulnstatus # Sets: vulnstatus
check_CVE_2017_5715_bsd() { check_CVE_2017_5715_bsd() {
local ibrs_disabled ibrs_active retpoline nb_thunks local ibrs_disabled ibrs_active retpoline nb_thunks
@@ -5767,16 +5834,14 @@ check_CVE_2017_5715_bsd() {
# >>>>>> vulns/CVE-2017-5753.sh <<<<<< # >>>>>> vulns/CVE-2017-5753.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# SPECTRE 1 SECTION # CVE-2017-5753, Spectre V1, Bounds Check Bypass
# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - entry point
# Sets: (none directly, delegates to check_cve) # Sets: (none directly, delegates to check_cve)
check_CVE_2017_5753() { check_CVE_2017_5753() {
check_cve 'CVE-2017-5753' check_cve 'CVE-2017-5753'
} }
# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - Linux mitigation check
# Sets: g_redhat_canonical_spectre (via check_redhat_canonical_spectre) # Sets: g_redhat_canonical_spectre (via check_redhat_canonical_spectre)
check_CVE_2017_5753_linux() { check_CVE_2017_5753_linux() {
local status sys_interface_available msg v1_kernel_mitigated v1_kernel_mitigated_err v1_mask_nospec ret explain_text local status sys_interface_available msg v1_kernel_mitigated v1_kernel_mitigated_err v1_mask_nospec ret explain_text
@@ -6047,7 +6112,6 @@ check_CVE_2017_5753_linux() {
fi fi
} }
# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - BSD mitigation check
check_CVE_2017_5753_bsd() { check_CVE_2017_5753_bsd() {
if ! is_cpu_affected "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -6059,8 +6123,8 @@ check_CVE_2017_5753_bsd() {
# >>>>>> vulns/CVE-2017-5754.sh <<<<<< # >>>>>> vulns/CVE-2017-5754.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################## ###############################
# MELTDOWN SECTION # CVE-2017-5754, Meltdown, Rogue Data Cache Load
# no security impact but give a hint to the user in verbose mode # no security impact but give a hint to the user in verbose mode
# about PCID/INVPCID cpuid features that must be present to avoid # about PCID/INVPCID cpuid features that must be present to avoid
@@ -6100,12 +6164,10 @@ pti_performance_check() {
fi fi
} }
# CVE-2017-5754 Meltdown (rogue data cache load) - entry point
check_CVE_2017_5754() { check_CVE_2017_5754() {
check_cve 'CVE-2017-5754' check_cve 'CVE-2017-5754'
} }
# CVE-2017-5754 Meltdown (rogue data cache load) - Linux mitigation check
check_CVE_2017_5754_linux() { check_CVE_2017_5754_linux() {
local status sys_interface_available msg kpti_support kpti_can_tell kpti_enabled dmesg_grep pti_xen_pv_domU xen_pv_domo xen_pv_domu explain_text local status sys_interface_available msg kpti_support kpti_can_tell kpti_enabled dmesg_grep pti_xen_pv_domU xen_pv_domo xen_pv_domu explain_text
status=UNK status=UNK
@@ -6308,7 +6370,6 @@ check_CVE_2017_5754_linux() {
fi fi
} }
# CVE-2017-5754 Meltdown (rogue data cache load) - BSD mitigation check
check_CVE_2017_5754_bsd() { check_CVE_2017_5754_bsd() {
local kpti_enabled local kpti_enabled
pr_info_nol "* Kernel supports Page Table Isolation (PTI): " pr_info_nol "* Kernel supports Page Table Isolation (PTI): "
@@ -6343,10 +6404,9 @@ check_CVE_2017_5754_bsd() {
# >>>>>> vulns/CVE-2018-12126.sh <<<<<< # >>>>>> vulns/CVE-2018-12126.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# MSBDS SECTION # CVE-2018-12126, MSBDS, Fallout, Microarchitectural Store Buffer Data Sampling
# CVE-2018-12126 MSBDS (microarchitectural store buffer data sampling) - entry point
check_CVE_2018_12126() { check_CVE_2018_12126() {
check_cve 'CVE-2018-12126' check_mds check_cve 'CVE-2018-12126' check_mds
} }
@@ -6354,10 +6414,9 @@ check_CVE_2018_12126() {
# >>>>>> vulns/CVE-2018-12127.sh <<<<<< # >>>>>> vulns/CVE-2018-12127.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# MLPDS SECTION # CVE-2018-12127, MLPDS, RIDL, Microarchitectural Load Port Data Sampling
# CVE-2018-12127 MLPDS (microarchitectural load port data sampling) - entry point
check_CVE_2018_12127() { check_CVE_2018_12127() {
check_cve 'CVE-2018-12127' check_mds check_cve 'CVE-2018-12127' check_mds
} }
@@ -6365,10 +6424,9 @@ check_CVE_2018_12127() {
# >>>>>> vulns/CVE-2018-12130.sh <<<<<< # >>>>>> vulns/CVE-2018-12130.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# MFBDS SECTION # CVE-2018-12130, MFBDS, ZombieLoad, Microarchitectural Fill Buffer Data Sampling
# CVE-2018-12130 MFBDS (microarchitectural fill buffer data sampling) - entry point
check_CVE_2018_12130() { check_CVE_2018_12130() {
check_cve 'CVE-2018-12130' check_mds check_cve 'CVE-2018-12130' check_mds
} }
@@ -6376,15 +6434,13 @@ check_CVE_2018_12130() {
# >>>>>> vulns/CVE-2018-12207.sh <<<<<< # >>>>>> vulns/CVE-2018-12207.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
####################### ###############################
# iTLB Multihit section # CVE-2018-12207, iTLB Multihit, No eXcuses, Machine Check Exception on Page Size Changes
# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - entry point
check_CVE_2018_12207() { check_CVE_2018_12207() {
check_cve 'CVE-2018-12207' check_cve 'CVE-2018-12207'
} }
# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - Linux mitigation check
check_CVE_2018_12207_linux() { check_CVE_2018_12207_linux() {
local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err
status=UNK status=UNK
@@ -6462,7 +6518,6 @@ check_CVE_2018_12207_linux() {
fi fi
} }
# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - BSD mitigation check
check_CVE_2018_12207_bsd() { check_CVE_2018_12207_bsd() {
local kernel_2m_x_ept local kernel_2m_x_ept
pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: " pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
@@ -6496,10 +6551,9 @@ check_CVE_2018_12207_bsd() {
# >>>>>> vulns/CVE-2018-3615.sh <<<<<< # >>>>>> vulns/CVE-2018-3615.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
########################### ###############################
# L1TF / FORESHADOW SECTION # CVE-2018-3615, Foreshadow (SGX), L1 Terminal Fault
# CVE-2018-3615 Foreshadow (L1 terminal fault SGX) - entry point
check_CVE_2018_3615() { check_CVE_2018_3615() {
local cve local cve
cve='CVE-2018-3615' cve='CVE-2018-3615'
@@ -6535,12 +6589,13 @@ check_CVE_2018_3615() {
# >>>>>> vulns/CVE-2018-3620.sh <<<<<< # >>>>>> vulns/CVE-2018-3620.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - entry point ###############################
# CVE-2018-3620, Foreshadow-NG (OS/SMM), L1 Terminal Fault
check_CVE_2018_3620() { check_CVE_2018_3620() {
check_cve 'CVE-2018-3620' check_cve 'CVE-2018-3620'
} }
# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - Linux mitigation check
check_CVE_2018_3620_linux() { check_CVE_2018_3620_linux() {
local status sys_interface_available msg pteinv_supported pteinv_active local status sys_interface_available msg pteinv_supported pteinv_active
status=UNK status=UNK
@@ -6619,7 +6674,6 @@ check_CVE_2018_3620_linux() {
fi fi
} }
# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - BSD mitigation check
check_CVE_2018_3620_bsd() { check_CVE_2018_3620_bsd() {
local bsd_zero_reserved local bsd_zero_reserved
pr_info_nol "* Kernel reserved the memory page at physical address 0x0: " pr_info_nol "* Kernel reserved the memory page at physical address 0x0: "
@@ -6655,15 +6709,13 @@ check_CVE_2018_3620_bsd() {
# >>>>>> vulns/CVE-2018-3639.sh <<<<<< # >>>>>> vulns/CVE-2018-3639.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# VARIANT 4 SECTION # CVE-2018-3639, Variant 4, SSB, Speculative Store Bypass
# CVE-2018-3639 Variant 4 (speculative store bypass) - entry point
check_CVE_2018_3639() { check_CVE_2018_3639() {
check_cve 'CVE-2018-3639' check_cve 'CVE-2018-3639'
} }
# CVE-2018-3639 Variant 4 (speculative store bypass) - Linux mitigation check
check_CVE_2018_3639_linux() { check_CVE_2018_3639_linux() {
local status sys_interface_available msg kernel_ssb kernel_ssbd_enabled mitigated_processes local status sys_interface_available msg kernel_ssb kernel_ssbd_enabled mitigated_processes
status=UNK status=UNK
@@ -6791,7 +6843,6 @@ check_CVE_2018_3639_linux() {
fi fi
} }
# CVE-2018-3639 Variant 4 (speculative store bypass) - BSD mitigation check
check_CVE_2018_3639_bsd() { check_CVE_2018_3639_bsd() {
local kernel_ssb ssb_enabled ssb_active local kernel_ssb ssb_enabled ssb_active
pr_info_nol "* Kernel supports speculation store bypass: " pr_info_nol "* Kernel supports speculation store bypass: "
@@ -6846,10 +6897,9 @@ check_CVE_2018_3639_bsd() {
# >>>>>> vulns/CVE-2018-3640.sh <<<<<< # >>>>>> vulns/CVE-2018-3640.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
#################### ###############################
# VARIANT 3A SECTION # CVE-2018-3640, Variant 3a, Rogue System Register Read
# CVE-2018-3640 Variant 3a (rogue system register read) - entry point
check_CVE_2018_3640() { check_CVE_2018_3640() {
local status sys_interface_available msg cve local status sys_interface_available msg cve
cve='CVE-2018-3640' cve='CVE-2018-3640'
@@ -6882,12 +6932,13 @@ check_CVE_2018_3640() {
# >>>>>> vulns/CVE-2018-3646.sh <<<<<< # >>>>>> vulns/CVE-2018-3646.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - entry point ###############################
# CVE-2018-3646, Foreshadow-NG (VMM), L1 Terminal Fault
check_CVE_2018_3646() { check_CVE_2018_3646() {
check_cve 'CVE-2018-3646' check_cve 'CVE-2018-3646'
} }
# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - Linux mitigation check
check_CVE_2018_3646_linux() { check_CVE_2018_3646_linux() {
local status sys_interface_available msg l1d_mode ept_disabled l1d_kernel l1d_kernel_err l1d_xen_hardware l1d_xen_hypervisor l1d_xen_pv_domU smt_enabled local status sys_interface_available msg l1d_mode ept_disabled l1d_kernel l1d_kernel_err l1d_xen_hardware l1d_xen_hypervisor l1d_xen_pv_domU smt_enabled
status=UNK status=UNK
@@ -7117,7 +7168,6 @@ check_CVE_2018_3646_linux() {
fi fi
} }
# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - BSD mitigation check
check_CVE_2018_3646_bsd() { check_CVE_2018_3646_bsd() {
local kernel_l1d_supported kernel_l1d_enabled local kernel_l1d_supported kernel_l1d_enabled
pr_info_nol "* Kernel supports L1D flushing: " pr_info_nol "* Kernel supports L1D flushing: "
@@ -7154,10 +7204,9 @@ check_CVE_2018_3646_bsd() {
# >>>>>> vulns/CVE-2019-11091.sh <<<<<< # >>>>>> vulns/CVE-2019-11091.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# MDSUM SECTION # CVE-2019-11091, MDSUM, RIDL, Microarchitectural Data Sampling Uncacheable Memory
# CVE-2019-11091 MDSUM (microarchitectural data sampling uncacheable memory) - entry point
check_CVE_2019_11091() { check_CVE_2019_11091() {
check_cve 'CVE-2019-11091' check_mds check_cve 'CVE-2019-11091' check_mds
} }
@@ -7165,15 +7214,13 @@ check_CVE_2019_11091() {
# >>>>>> vulns/CVE-2019-11135.sh <<<<<< # >>>>>> vulns/CVE-2019-11135.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# TAA SECTION # CVE-2019-11135, TAA, ZombieLoad V2, TSX Asynchronous Abort
# CVE-2019-11135 TAA (TSX asynchronous abort) - entry point
check_CVE_2019_11135() { check_CVE_2019_11135() {
check_cve 'CVE-2019-11135' check_cve 'CVE-2019-11135'
} }
# CVE-2019-11135 TAA (TSX asynchronous abort) - Linux mitigation check
check_CVE_2019_11135_linux() { check_CVE_2019_11135_linux() {
local status sys_interface_available msg kernel_taa kernel_taa_err local status sys_interface_available msg kernel_taa kernel_taa_err
status=UNK status=UNK
@@ -7251,7 +7298,6 @@ check_CVE_2019_11135_linux() {
fi fi
} }
# CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check
check_CVE_2019_11135_bsd() { check_CVE_2019_11135_bsd() {
local taa_enable taa_state mds_disable kernel_taa kernel_mds local taa_enable taa_state mds_disable kernel_taa kernel_mds
pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): " pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): "
@@ -7311,15 +7357,13 @@ check_CVE_2019_11135_bsd() {
# >>>>>> vulns/CVE-2020-0543.sh <<<<<< # >>>>>> vulns/CVE-2020-0543.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
################### ###############################
# SRBDS SECTION # CVE-2020-0543, SRBDS, CROSSTalk, Special Register Buffer Data Sampling
# CVE-2020-0543 SRBDS (special register buffer data sampling) - entry point
check_CVE_2020_0543() { check_CVE_2020_0543() {
check_cve 'CVE-2020-0543' check_cve 'CVE-2020-0543'
} }
# CVE-2020-0543 SRBDS (special register buffer data sampling) - Linux mitigation check
check_CVE_2020_0543_linux() { check_CVE_2020_0543_linux() {
local status sys_interface_available msg kernel_srbds kernel_srbds_err local status sys_interface_available msg kernel_srbds kernel_srbds_err
status=UNK status=UNK
@@ -7416,7 +7460,6 @@ check_CVE_2020_0543_linux() {
fi fi
} }
# CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
# FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS # FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS
check_CVE_2020_0543_bsd() { check_CVE_2020_0543_bsd() {
local rngds_enable rngds_state kernel_rngds local rngds_enable rngds_state kernel_rngds
@@ -7462,15 +7505,13 @@ check_CVE_2020_0543_bsd() {
# >>>>>> vulns/CVE-2022-40982.sh <<<<<< # >>>>>> vulns/CVE-2022-40982.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
######################### ###############################
# Downfall section # CVE-2022-40982, Downfall, GDS, Gather Data Sampling
# CVE-2022-40982 Downfall (gather data sampling) - entry point
check_CVE_2022_40982() { check_CVE_2022_40982() {
check_cve 'CVE-2022-40982' check_cve 'CVE-2022-40982'
} }
# CVE-2022-40982 Downfall (gather data sampling) - Linux mitigation check
check_CVE_2022_40982_linux() { check_CVE_2022_40982_linux() {
local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret
status=UNK status=UNK
@@ -7565,13 +7606,6 @@ check_CVE_2022_40982_linux() {
# all messages start with either "Not affected", "Vulnerable", "Mitigation", # all messages start with either "Not affected", "Vulnerable", "Mitigation",
# or "Unknown" # or "Unknown"
status=$ret_sys_interface_check_status status=$ret_sys_interface_check_status
# Override: when the kernel says "Unknown: Dependent on hypervisor status", it
# gave up because it's running as a VM guest and can't read MCU_OPT_CTRL.
# We can often do better: the hypervisor may have exposed GDS_NO or GDS_CTRL
# to us via ARCH_CAPABILITIES, so let our own Phase 2 checks take over.
if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
status=UNK
fi
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
@@ -7673,13 +7707,6 @@ check_CVE_2022_40982_linux() {
pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled" pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \ explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \
"Remove the kernel parameter to re-enable it." "Remove the kernel parameter to re-enable it."
elif [ "$sys_interface_available" = 1 ] &&
echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
# We're in a VM guest, the kernel gave up, and we couldn't read the
# GDS MSR bits either (cap_gds_ctrl != 1). We genuinely can't tell.
pvulnstatus "$cve" UNK "Running in a VM, mitigation depends on the hypervisor"
explain "This system is running as a virtual machine guest. GDS mitigation must be handled by\n " \
"the host hypervisor. Contact your VM/cloud provider to verify that GDS is mitigated on the host."
elif [ -z "$kernel_gds" ]; then elif [ -z "$kernel_gds" ]; then
pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation" pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \ explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \
@@ -7699,7 +7726,6 @@ check_CVE_2022_40982_linux() {
fi fi
} }
# CVE-2022-40982 Downfall (gather data sampling) - BSD mitigation check
check_CVE_2022_40982_bsd() { check_CVE_2022_40982_bsd() {
if ! is_cpu_affected "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -7711,15 +7737,13 @@ check_CVE_2022_40982_bsd() {
# >>>>>> vulns/CVE-2023-20569.sh <<<<<< # >>>>>> vulns/CVE-2023-20569.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
####################### ###############################
# Inception section # CVE-2023-20569, Inception, SRSO, Return Address Security
# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - entry point
check_CVE_2023_20569() { check_CVE_2023_20569() {
check_cve 'CVE-2023-20569' check_cve 'CVE-2023-20569'
} }
# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - Linux mitigation check
check_CVE_2023_20569_linux() { check_CVE_2023_20569_linux() {
local status sys_interface_available msg kernel_sro kernel_sro_err kernel_srso kernel_ibpb_entry smt_enabled local status sys_interface_available msg kernel_sro kernel_sro_err kernel_srso kernel_ibpb_entry smt_enabled
status=UNK status=UNK
@@ -7918,7 +7942,6 @@ check_CVE_2023_20569_linux() {
fi fi
} }
# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - BSD mitigation check
check_CVE_2023_20569_bsd() { check_CVE_2023_20569_bsd() {
if ! is_cpu_affected "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -7930,15 +7953,13 @@ check_CVE_2023_20569_bsd() {
# >>>>>> vulns/CVE-2023-20593.sh <<<<<< # >>>>>> vulns/CVE-2023-20593.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
#################### ###############################
# Zenbleed section # CVE-2023-20593, Zenbleed, Cross-Process Information Leak
# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - entry point
check_CVE_2023_20593() { check_CVE_2023_20593() {
check_cve 'CVE-2023-20593' check_cve 'CVE-2023-20593'
} }
# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - Linux mitigation check
check_CVE_2023_20593_linux() { check_CVE_2023_20593_linux() {
local status sys_interface_available msg kernel_zenbleed kernel_zenbleed_err fp_backup_fix ucode_zenbleed zenbleed_print_vuln ret local status sys_interface_available msg kernel_zenbleed kernel_zenbleed_err fp_backup_fix ucode_zenbleed zenbleed_print_vuln ret
status=UNK status=UNK
@@ -8050,7 +8071,6 @@ check_CVE_2023_20593_linux() {
fi fi
} }
# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
check_CVE_2023_20593_bsd() { check_CVE_2023_20593_bsd() {
local zenbleed_enable zenbleed_state kernel_zenbleed local zenbleed_enable zenbleed_state kernel_zenbleed
pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): " pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "
@@ -8107,15 +8127,13 @@ check_CVE_2023_20593_bsd() {
# >>>>>> vulns/CVE-2023-23583.sh <<<<<< # >>>>>> vulns/CVE-2023-23583.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
####################### ###############################
# Reptar section # CVE-2023-23583, Reptar, Redundant Prefix Issue
# CVE-2023-23583 Reptar (redundant prefix issue) - entry point
check_CVE_2023_23583() { check_CVE_2023_23583() {
check_cve 'CVE-2023-23583' check_cve 'CVE-2023-23583'
} }
# CVE-2023-23583 Reptar (redundant prefix issue) - Linux mitigation check
check_CVE_2023_23583_linux() { check_CVE_2023_23583_linux() {
local status sys_interface_available msg local status sys_interface_available msg
status=UNK status=UNK
@@ -8139,7 +8157,6 @@ check_CVE_2023_23583_linux() {
fi fi
} }
# CVE-2023-23583 Reptar (redundant prefix issue) - BSD mitigation check
check_CVE_2023_23583_bsd() { check_CVE_2023_23583_bsd() {
if ! is_cpu_affected "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -8151,15 +8168,13 @@ check_CVE_2023_23583_bsd() {
# >>>>>> vulns/CVE-2024-36350.sh <<<<<< # >>>>>> vulns/CVE-2024-36350.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
#################### ###############################
# TSA-SQ section # CVE-2024-36350, TSA-SQ, Transient Scheduler Attack Store Queue
# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - entry point
check_CVE_2024_36350() { check_CVE_2024_36350() {
check_cve 'CVE-2024-36350' check_cve 'CVE-2024-36350'
} }
# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - Linux mitigation check
check_CVE_2024_36350_linux() { check_CVE_2024_36350_linux() {
local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled
status=UNK status=UNK
@@ -8319,7 +8334,6 @@ check_CVE_2024_36350_linux() {
fi fi
} }
# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - BSD mitigation check
check_CVE_2024_36350_bsd() { check_CVE_2024_36350_bsd() {
if ! is_cpu_affected "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
@@ -8331,15 +8345,13 @@ check_CVE_2024_36350_bsd() {
# >>>>>> vulns/CVE-2024-36357.sh <<<<<< # >>>>>> vulns/CVE-2024-36357.sh <<<<<<
# vim: set ts=4 sw=4 sts=4 et: # vim: set ts=4 sw=4 sts=4 et:
#################### ###############################
# TSA-L1 section # CVE-2024-36357, TSA-L1, Transient Scheduler Attack L1
# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - entry point
check_CVE_2024_36357() { check_CVE_2024_36357() {
check_cve 'CVE-2024-36357' check_cve 'CVE-2024-36357'
} }
# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
check_CVE_2024_36357_linux() { check_CVE_2024_36357_linux() {
local status sys_interface_available msg kernel_tsa kernel_tsa_err local status sys_interface_available msg kernel_tsa kernel_tsa_err
status=UNK status=UNK
@@ -8492,7 +8504,6 @@ check_CVE_2024_36357_linux() {
fi fi
} }
# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - BSD mitigation check
check_CVE_2024_36357_bsd() { check_CVE_2024_36357_bsd() {
if ! is_cpu_affected "$cve"; then if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"