From fe376887abd8035518da7c165e99f8f945d1b504 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 20:39:36 +0000
Subject: [PATCH] enh: CVE-2017-5715; check for unprivileged eBPF for paranoid mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

built from commit e5c6d2d9056b0d2c09f43f34687e4323d446ea66 dated 2026-04-01 20:37:54 +0000 by Stéphane Lesimple (speed47_github@speed47.net)

---
 spectre-meltdown-checker.sh | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 2a5fe77..e9ae363 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -13,7 +13,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='26.21.0401841'
+VERSION='26.21.0401860'
 
 # --- Common paths and basedirs ---
 readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -5468,6 +5468,24 @@ check_CVE_2017_5715_linux() {
 fi
 fi
 
+ # eBPF caveat: eIBRS without retpoline is insufficient when unprivileged eBPF is enabled
+ _ebpf_disabled=''
+ if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
+ # shellcheck disable=SC2154
+ if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
+ _ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
+ g_mocked=1
+ elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
+ _ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
+ g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
+ fi
+ # In paranoid mode, enabled unprivileged eBPF makes eIBRS insufficient
+ if [ "$_v2_ok" = 1 ] && [ "$_ebpf_disabled" = 0 ] && [ "$opt_paranoid" = 1 ]; then
+ _v2_ok=0
+ _v2_add_caveat "unprivileged eBPF enabled (eIBRS insufficient)"
+ fi
+ fi
+
 # Build the base description
 case "$v2_base_mode" in
 eibrs) _v2_desc="Enhanced / Automatic IBRS" ;;
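Review bot: The paranoid-only gate on the added `if [ "$_v2_ok" = 1 ] && [ "$_ebpf_disabled" = 0 ] && [ "$opt_paranoid" = 1 ]` line keeps `_v2_ok=1` in default mode even though, as the NOTE printed later in this same function says, the kernel itself treats eIBRS with unprivileged eBPF enabled as vulnerable, and nothing in the code records why the script is deliberately more lenient than sysfs here. A one-line comment at that spot would stop the next maintainer from "fixing" it, e.g. `# Default mode only warns (see the pr_info NOTE below) and keeps the OK status; paranoid mode downgrades it to match the kernel's own sysfs assessment.` A second, smaller point: when `opt_live` is not 1 or the procfs file is unreadable, `_ebpf_disabled` stays empty and the paranoid downgrade is silently skipped, so paranoid mode fails open on an unknown value; if paranoid is meant to be conservative, adding an `_v2_add_caveat "unprivileged eBPF status unknown"` in that case (without clearing `_v2_ok`) would at least surface it. The enclosing check_CVE_2017_5715_linux starts and ends outside the hunk.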
@@ -5481,14 +5499,19 @@ check_CVE_2017_5715_linux() {
 else
 pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability"
 fi
- # eBPF caveat: we cannot detect unprivileged eBPF status
 if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
 pr_info " NOTE: eIBRS is considered vulnerable by the kernel when unprivileged eBPF is enabled."
- pr_info " This script cannot detect unprivileged eBPF status. Check \`sysctl kernel.unprivileged_bpf_disabled\`."
+ if [ "$_ebpf_disabled" = 0 ]; then
+ pr_info " Unprivileged eBPF is currently ENABLED (kernel.unprivileged_bpf_disabled=0): this system may be vulnerable!"
+ elif [ "$_ebpf_disabled" = 1 ] || [ "$_ebpf_disabled" = 2 ]; then
+ pr_info " Unprivileged eBPF is currently disabled (kernel.unprivileged_bpf_disabled=$_ebpf_disabled): eIBRS is sufficient."
+ else
+ pr_info " Could not read kernel.unprivileged_bpf_disabled, check it manually with \`sysctl kernel.unprivileged_bpf_disabled\`."
+ fi
 fi
 else
 pvulnstatus "$cve" VULN "$_v2_desc active but insufficient: $_v2_caveats"
- explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on."
+ explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. 
If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. If unprivileged eBPF is enabled, disable it with \`sysctl -w kernel.unprivileged_bpf_disabled=1\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on."
 fi
 
 # Kernel IBRS path
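Review bot: The `else` branch's message `Could not read kernel.unprivileged_bpf_disabled` is also what a user sees in non-live mode, where the earlier hunk never attempts the read at all (`opt_live` is tested before the `-r` check), so the wording implies a failure that did not happen; something like `" Unprivileged eBPF status unknown (not checked in offline mode, or sysctl unreadable): check it manually with \`sysctl kernel.unprivileged_bpf_disabled\`."` would be accurate in both cases. On the `elif ... = 1 ] || ... = 2 ]` branch, the kernel documents 1 as disabled without recovery and 2 as disabled but switchable back to 0 by a privileged user, so printing "eIBRS is sufficient" for both hides a distinction paranoid users care about; a short suffix when the value is 2 (e.g. "can be re-enabled at runtime, set to 1 to make it permanent") would cover it, which also matches the `sysctl -w kernel.unprivileged_bpf_disabled=1` advice in the new explain text. The explain line is a single very long string, so the new eBPF sentence is easy to miss in review; splitting the literal across continuation lines is worth considering. check_CVE_2017_5715_linux continues past the end of this hunk.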