peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-22 16:43:20 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: peter:278989d5504e4bc73dccfb51bff5fcb481a05045
Branches Tags
peter:master peter:test-build peter:test peter:source-build peter:source peter:vuln-watch
peter:v26.33.0420460 peter:v26.26.0404682 peter:v26.21.0401891 peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01
...
compare: peter:e5c6d2d9056b0d2c09f43f34687e4323d446ea66
Branches Tags
peter:test-build peter:test peter:master peter:source-build peter:source peter:vuln-watch
peter:v26.33.0420460 peter:v26.26.0404682 peter:v26.21.0401891 peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01

20 Commits
278989d550 ... e5c6d2d905

Author SHA1 Message Date
Stéphane Lesimple
e5c6d2d905 enh: CVE-2017-5715; check for unprivileged eBPF for paranoid mode 2026-04-01 20:37:54 +00:00
Stéphane Lesimple
ac327ce7c5 chore: shellcheck fixes 2026-04-01 20:10:29 +00:00
Stéphane Lesimple
03f63714b5 fix: CVE-2023-20569: logic errors with kernel_sro type change (bool => str) 2026-04-01 19:58:20 +00:00
Stéphane Lesimple
08702b07c9 fix: bad kernel/config var names 2026-04-01 19:53:34 +00:00
Stéphane Lesimple
4718134427 chore: cap_ipred unused for now, make shellcheck happy 2026-04-01 21:37:56 +02:00
Stéphane Lesimple
e23712129d enh: rework is_cpu_affected() to enhance maintainability 2026-04-01 21:36:45 +02:00
Stéphane Lesimple
43c515ac74 enh: CVE-2017-5715 (spectre v2): make vuln assessment cap_bhi-aware 2026-04-01 21:34:12 +02:00
Stéphane Lesimple
8c3fb7b2cc enh: CVE-2024-36357 CVE-2024-36350 (TSA): inventory of sysfs strings + consider vuln if TSA mitigation forced to user/kernel on hypervisors 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
d05601ed3f feat: add CVE-2023-20593 (Zenbleed) mitigation detection for BSD 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
690725ccc1 enh: add BSD stubs for CVE-2022-40982 CVE-2023-20569 CVE-2023-23583, detecting unaffected CPUs 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
4875b4c71c feat: add CVE-2020-0543 (SRBDS) mitigation detection under BSD 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
2b603c68ce feat: add CVE-2019-11135 (TAA) mitigation detection under BSD 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
0628a3e565 enh: vmm detection has been greatly enhanced 
We also cache the result instead of computing it every time
 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
536dfb8701 enh: massive update for Spectre v2 (CVE-2017-5715) 
The state of the mitigations for spectre v2 has been
updated several times in the kernel, this commit brings
up the script to par with the view of the most recent kernels.

When run on old kernels, that might deem the vulnerability as
mitigated, we'll reclassify it as vulnerable if applicable, unless
the `--sysfs-only` parameter is passed, which instructs the script
to blindly trust what the kernel has to say.

A full inventory of all mitigation strings found in mainline,
stable and redhat kernels since the first spectre v2 mitigation
has been added as a gigantic comment to help understanding the context.

Gory details below:

  1. New structured sub-mitigation parsing ("Mitigation 3")

  A new section parses the sysfs message into discrete variables for each sub-mitigation component:
  - v2_base_mode: The primary mitigation (eibrs, eibrs_lfence, eibrs_retpoline, ibrs, retpoline, lfence, none) - parsed from sysfs with hardware fallback
  - v2_stibp_status: STIBP state (always-on, forced, conditional, disabled, eibrs-implicit, etc.)
  - v2_ibpb_mode: IBPB mode (always-on, conditional, disabled)
  - v2_pbrsb_status: PBRSB-eIBRS mitigation (not-affected, sw-sequence, vulnerable)
  - v2_bhi_status: BHI mitigation (not-affected, bhi_dis_s, sw-loop, retpoline, vulnerable)
  - v2_vuln_module: Whether a non-retpoline kernel module is loaded
  - v2_is_autoibrs: Distinguishes AMD AutoIBRS from Intel eIBRS (they have different cross-thread properties)

  2. Rewritten verdict logic (Phase 4)

  The old flat if/elif chain is replaced with per-base-mode branches, each checking all relevant sub-mitigations:
  - LFENCE: Always VULN (reclassified in kernel v5.17)
  - eIBRS path: Checks BHI, PBRSB (VMM-only), AutoIBRS STIBP, vulnerable modules, paranoid mode (IBPB always-on + SMT off)
  - IBRS path: Checks IBPB, STIBP+SMT, RSB filling on Skylake+, BHI, paranoid mode
  - Retpoline path: Checks compiler, runtime enable, RSB filling, BHI+RRSBA, IBPB, vulnerable modules, paranoid mode

  3. Caveat accumulation pattern

  A _v2_add_caveat helper collects all gaps into a single string, producing verdicts like "eIBRS active but insufficient: BHI vulnerable; STIBP not active with SMT on AMD AutoIBRS" instead of the old single-issue messages.

  4. Other changes

  - check_has_vmm called early in Phase 2 (for PBRSB VMM-awareness)
  - explain_hypervisor variable removed - its advice is now folded into the per-path explain calls
  - Offline mode gains eIBRS/AutoIBRS detection via cap_ibrs_all/cap_autoibrs
  - smt_enabled variable added (via is_cpu_smt_enabled) for cross-thread checks
 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
e09d0cf221 enh: check_cpu: look for cap_stibp and cap_autoibrs 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
b062fe2184 enh: CVE-2017-5715: inventory of all sysfs strings, fix --sysfs-only path 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
dfe48d67ce enh: CVE-2018-3646: document all sysfs variations, fix --sysfs-only path 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
35d83e19a8 fix: --sysfs-only path for CVE-2018-12207 CVE-2018-3620 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
123ad1c8e6 CVE-2023-20569: detect old kernels sysfs saying mitigations are correct whereas they are not 2026-04-01 21:12:23 +02:00
Stéphane Lesimple
b9e7f7cb8a docs: update development guidelines 2026-04-01 21:12:23 +02:00
15 changed files with 1659 additions and 420 deletions
Expand all files Collapse all files

257
DEVELOPMENT.md
View File

@@ -100,10 +100,10 @@ There is no separate test suite. CI (`.github/workflows/check.yml`) runs shellch
The entire tool is a single bash script with no external script dependencies. Key structural sections:
- **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` verbosity-aware output with color support
- **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` hardware identification via CPUID/MSR registers
- **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` - verbosity-aware output with color support
- **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` - hardware identification via CPUID/MSR registers
- **Microcode database** (embedded): Intel/AMD microcode version lookup via `read_mcedb`/`read_inteldb`; updated automatically via `.github/workflows/autoupdate.yml`
- **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression)
- **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` - extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression)
- **Vulnerability checks**: 19 `check_CVE_<year>_<number>()` functions, each with `_linux()` and `_bsd()` variants. Uses whitelist logic (assumes affected unless proven otherwise)
- **Main flow** (~line 6668): Parse options → detect CPU → loop through requested CVEs → output results (text/json/nrpe/prometheus) → cleanup
@@ -249,24 +249,24 @@ check_CVE_YYYY_NNNNN_bsd() {
}
```
The entry point calls `check_cve`, which prints the CVE header and dispatches to `_linux()` or `_bsd()` based on `$g_os`. If BSD mitigations are not yet understood, use the stub above it correctly reports UNK rather than a false OK.
The entry point calls `check_cve`, which prints the CVE header and dispatches to `_linux()` or `_bsd()` based on `$g_os`. If BSD mitigations are not yet understood, use the stub above - it correctly reports UNK rather than a false OK.
### Step 2: Register the CVE in the CPU Affection Logic
In `src/libs/200_cpu_affected.sh`, add an `affected_yourname` variable and populate it inside `is_cpu_affected()`. The variable follows the whitelist principle: **assume affected (`1`) unless you can prove the CPU is immune (`0`)**. Two kinds of evidence can prove immunity:
- **Static identifiers**: CPU vendor, family, model, stepping these identify the hardware design.
- **Static identifiers**: CPU vendor, family, model, stepping - these identify the hardware design.
- **Hardware immunity `cap_*` bits**: CPUID or MSR bits that the CPU vendor defines to explicitly declare "this hardware is not affected" (e.g. `cap_rdcl_no` for Meltdown, `cap_ssb_no` for Variant 4, `cap_gds_no` for Downfall, `cap_tsa_sq_no`/`cap_tsa_l1_no` for TSA). These are read in `check_cpu()` and stored as `cap_*` globals.
Never use microcode version strings.
**Important**: Do not confuse hardware immunity bits with *mitigation* capability bits. A hardware immunity bit (e.g. `GDS_NO`, `TSA_SQ_NO`) declares that the CPU design is architecturally free of the vulnerability it belongs here in `is_cpu_affected()`. A mitigation capability bit (e.g. `VERW_CLEAR`, `MD_CLEAR`) indicates that updated microcode provides a mechanism to work around a vulnerability the CPU *does* have it belongs in the `check_CVE_YYYY_NNNNN_linux()` function (Phase 2), where it is used to determine whether mitigations are in place.
**Important**: Do not confuse hardware immunity bits with *mitigation* capability bits. A hardware immunity bit (e.g. `GDS_NO`, `TSA_SQ_NO`) declares that the CPU design is architecturally free of the vulnerability - it belongs here in `is_cpu_affected()`. A mitigation capability bit (e.g. `VERW_CLEAR`, `MD_CLEAR`) indicates that updated microcode provides a mechanism to work around a vulnerability the CPU *does* have - it belongs in the `check_CVE_YYYY_NNNNN_linux()` function (Phase 2), where it is used to determine whether mitigations are in place.
### Step 3: Implement the Linux Check
The `_linux()` function follows a standard algorithm with four phases:
**Phase 1 Initialize and check sysfs:**
**Phase 1 - Initialize and check sysfs:**
```sh
check_CVE_YYYY_NNNNN_linux() {
@@ -282,7 +282,7 @@ check_CVE_YYYY_NNNNN_linux() {
`sys_interface_check` reads `/sys/devices/system/cpu/vulnerabilities/<name>` and parses the kernel's own assessment into `ret_sys_interface_check_status` (OK/VULN/UNK) and `ret_sys_interface_check_fullmsg`. If the sysfs file doesn't exist (older kernel, or the CVE predates kernel awareness), it returns false and `sys_interface_available` stays 0.
**Phase 2 Custom detection (kernel + runtime):**
**Phase 2 - Custom detection (kernel + runtime):**
Guarded by `if [ "$opt_sysfs_only" != 1 ]; then` so users who trust sysfs can skip it.
@@ -296,18 +296,18 @@ This is where the real detection lives. Check for mitigations at each layer:
kernel_mitigated="found mitigation evidence in kernel image"
fi
```
Guard with `if [ -n "$g_kernel_err" ]; then` first the kernel image may be unavailable.
Guard with `if [ -n "$g_kernel_err" ]; then` first - the kernel image may be unavailable.
- **Kernel config** (`$g_kernel_config`): Look for the `CONFIG_*` option that enables the mitigation.
- **Kernel config** (`$opt_config`): Look for the `CONFIG_*` option that enables the mitigation.
```sh
if [ -n "$g_kernel_config" ] && grep -q '^CONFIG_MITIGATION_NAME=y' "$g_kernel_config"; then
if [ -n "$opt_config" ] && grep -q '^CONFIG_MITIGATION_NAME=y' "$opt_config"; then
kernel_mitigated="found mitigation config option enabled"
fi
```
- **System.map** (`$g_kernel_map`): Look for function names directly linked to the mitigation.
- **System.map** (`$opt_map`): Look for function names directly linked to the mitigation.
```sh
if [ -n "$g_kernel_map" ] && grep -q 'mitigation_function_name' "$g_kernel_map"; then
if [ -n "$opt_map" ] && grep -q 'mitigation_function_name' "$opt_map"; then
kernel_mitigated="found mitigation function in System.map"
fi
```
@@ -337,38 +337,227 @@ Close the `opt_sysfs_only` block with the forced-sysfs fallback:
fi
```
**Phase 3 CPU affection gate:**
**Phase 3 - CPU affection gate:**
```sh
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
```
If the CPU is not affected, nothing else matters report OK and return. This overrides any sysfs or custom detection result.
If the CPU is not affected, nothing else matters - report OK and return. This overrides any sysfs or custom detection result.
**Phase 4 Final status determination:**
**Phase 4 - Final status determination:**
For affected CPUs, combine the evidence from Phase 2 into a final verdict:
For affected CPUs, combine the evidence from Phase 2 into a final verdict. The dispatch
works through `msg`: if Phase 1 (sysfs) or a sysfs override set `msg` to non-empty, use
it directly; otherwise run own logic or fall back to the raw sysfs result.
```sh
elif [ "$opt_sysfs_only" != 1 ]; then
if [ "$microcode_ok" = 1 ] && [ -n "$kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
elif [ "$microcode_ok" = 1 ]; then
pvulnstatus "$cve" OK "Microcode mitigates the vulnerability"
elif [ -n "$kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Kernel mitigates the vulnerability"
elif [ -z "$msg" ]; then
# msg is empty: sysfs either wasn't available, or gave a standard
# response that wasn't overridden. Use our own logic when we have it.
if [ "$opt_sysfs_only" != 1 ]; then
# --- own logic using Phase 2 variables ---
if [ "$microcode_ok" = 1 ] && [ -n "$kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
else
pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
explain "Remediation advice here..."
fi
else
pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
explain "Remediation advice here..."
# --sysfs-only: Phase 2 variables are unset, fall back to the
# raw sysfs result (status + fullmsg were set in Phase 1).
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
# msg was explicitly set - either by the "sysfs not available" elif
# above, or by a sysfs override in Phase 1. Use it as-is.
pvulnstatus "$cve" "$status" "$msg"
fi
}
```
The exact combination logic depends on the CVE. Some require **both** microcode and kernel fixes (report VULN if either is missing). Others are mitigated by **either** layer alone (report OK if one is present). Some also require SMT to be disabled — check with `is_cpu_smt_enabled()`.
The `opt_sysfs_only` guard inside the `[ -z "$msg" ]` branch is **critical**: without it,
`--sysfs-only` mode would fall into own-logic with all Phase 2 variables unset, producing
wrong results. The `else` at line `pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"`
is safe because it is only reachable when sysfs was available (if it wasn't, the "sysfs not
available" `elif` at the end of Phase 2 would have set `msg`, sending us to the other branch).
The exact combination logic depends on the CVE. Some require **both** microcode and kernel fixes (report VULN if either is missing). Others are mitigated by **either** layer alone (report OK if one is present). Some also require SMT to be disabled - check with `is_cpu_smt_enabled()`.
**Sysfs overrides:** When the kernel's sysfs reporting is known to be incorrect for certain
messages (e.g. old kernels misclassifying a partial mitigation as fully mitigated), add an
override in Phase 1 after `sys_interface_check` returns. The override sets both `status` and
`msg`, which routes Phase 4 to the `else` branch - bypassing own logic entirely. This is
correct because the override and own logic will always agree on the verdict. Example:
```sh
if sys_interface_check "$VULN_SYSFS_BASE/vuln_name"; then
sys_interface_available=1
status=$ret_sys_interface_check_status
# Override: old kernels (before <commit>) incorrectly reported this as mitigated
if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Mitigation:.*partial mitigation.*missing piece'; then
status=VULN
msg="Vulnerable: partial mitigation, missing piece (your kernel incorrectly reports this as mitigated, it was fixed in more recent kernels)"
fi
fi
```
When adding a sysfs override, also add an `explain` call in the `else` branch of Phase 4
(where `msg` is non-empty) to tell the user why the kernel says "Mitigated" while the script
reports vulnerable. Additionally, in Phase 2, add a kernel-image grep to inform the user
whether their kernel has the corrected reporting (the post-fix kernel will contain the new
vulnerability string in its image).
**Sysfs message inventory:** Before writing Phase 1 (and any sysfs overrides), audit **every
version** of the sysfs message that the kernel has ever produced for this vulnerability. The
script may run on any kernel - from early release candidates that first introduced the sysfs
file, through every stable release, up to the latest mainline. The inventory must catalogue
every string variant, including:
- Messages that only existed briefly between two commits in the same release cycle.
- Format changes (e.g. field reordering, renamed labels).
- New states added in later kernels (e.g. new flush modes, new mitigation strategies).
- Reporting corrections where a later kernel changed its assessment of what counts as
mitigated (e.g. a message that said `"Mitigation: ..."` in kernel A is reclassified as
`"Vulnerable: ..."` in kernel B under the same conditions).
Document all discovered variants as comments in the CVE file, grouped by the kernel commit
that introduced or changed them, so future readers can understand the evolution at a glance.
See `src/vulns/CVE-2018-3646.sh` (Phase 1 comment block) for a reference example.
This inventory matters because later kernels may have a different - and more accurate - view
of what is vulnerable versus mitigated for a given vulnerability, as understanding progresses
over time. The script must be able to reach the same conclusions as the most recent kernel,
even when running under an old kernel that misreports a vulnerability as mitigated. This is
exactly what sysfs overrides (described above) are for: when the inventory reveals that an
old kernel's message is now known to be wrong, add an override in Phase 1 to correct the
status, and use the Phase 2 kernel-image grep to tell the user whether their kernel has the
corrected reporting.
**How to build the inventory - git blame walkback method:**
The goal is to find every commit that changed the sysfs output strings for a given
vulnerability. The method uses `git blame` iteratively, walking backwards through history
until the vulnerability's sysfs reporting no longer exists.
1. **Locate the output function.** Most vulnerability sysfs files are generated from
`arch/x86/kernel/cpu/bugs.c`. Find the `*_show_state()` function for the vulnerability
(e.g. `l1tf_show_state()`, `mds_show_state()`) and the corresponding `case X86_BUG_*`
in `cpu_show_common()`. Both paths can produce messages: the show_state function handles
the mitigated cases, while `cpu_show_common()` handles `"Not affected"` (common to all
bugs) and `"Vulnerable"` (fallthrough). Some vulnerabilities also use string arrays
(e.g. `l1tf_vmx_states[]`, `spectre_v1_strings[]`) - include those in the audit.
2. **Blame the current code.** Run `git blame` on the relevant line range:
```
git blame -L<start>,<end> arch/x86/kernel/cpu/bugs.c
```
For each line that contributes to the sysfs output (format strings, string arrays, enum
lookups, conditional branches that select different messages), note the commit hash.
3. **Walk back one commit at a time.** For each commit found in step 2, check the state of
the file **before** that commit to see what changed:
```
git show <commit>^:arch/x86/kernel/cpu/bugs.c | grep -n -A10 '<function_name>'
```
Compare the output strings, format patterns, and conditional logic with the version after
the commit. Record any differences: added/removed/renamed states, reordered fields,
changed conditions.
4. **Repeat until the vulnerability disappears.** Take the oldest commit found and check the
parent. Eventually you reach a version where the `case X86_BUG_*` for this vulnerability
does not exist - that is the boundary.
5. **Watch for non-obvious string changes.** Some commits change the output without touching
the format strings themselves:
- **Condition changes**: A commit may change *when* a branch is taken (e.g. switching from
`cpu_smt_control == CPU_SMT_ENABLED` to `sched_smt_active()`), which changes which
message appears for the same hardware state, even though the strings are identical.
- **Enum additions**: A new entry in a string array (e.g. adding `"flush not necessary"` to
`l1tf_vmx_states[]`) adds a new possible message without changing the format string.
- **Early returns**: Adding or removing an early-return path changes which messages are
reachable (e.g. returning `L1TF_DEFAULT_MSG` for `FLUSH_AUTO` before reaching the VMX
format string).
- **Mechanical changes**: `sprintf` → `sysfs_emit`, `const` qualifications, whitespace
reformats - these do not change strings and can be noted briefly or omitted.
6. **Cross-check with `git log`.** After the blame walkback, run a targeted `git log` to
confirm no commits were missed:
```
git log --all --oneline -- arch/x86/kernel/cpu/bugs.c | xargs -I{} \
sh -c 'git show {} -- arch/x86/kernel/cpu/bugs.c | grep -q "<vuln_name>" && echo {}'
```
Any commit that touches lines mentioning the vulnerability name should already be in
your inventory. If one is missing, inspect it.
7. **Audit the stable tree.** After completing the mainline inventory, repeat the process on
the linux-stable repository (`~/linux-stable`). Stable/LTS branches can carry backports
that differ from mainline in subtle ways:
- **Partial backports**: A stable branch may backport the mitigation but not the VMX
reporting, producing a simpler set of messages than mainline (e.g. 4.4.y has l1tf's
`"PTE Inversion"` but no VMX flush state reporting at all).
- **Stable-only commits**: Maintainers sometimes make stable-specific changes that never
existed in mainline (e.g. renaming a string to match upstream without backporting the
full commit that originally renamed it).
- **Backport batching**: Multiple mainline commits may land in the same stable release,
meaning intermediate formats (that existed briefly between mainline commits) may never
have shipped in any stable release. Note this when it happens - it narrows the set of
messages that real-world kernels can produce, but the script should still handle the
intermediate formats since someone could be running a mainline rc kernel.
- **Missing backports**: Some stable branches reach EOL before a fix is backported (e.g.
the `sched_smt_active()` change was not backported to 4.17.y or 4.18.y). This doesn't
change the strings but can change which message appears for the same hardware state.
Check each LTS/stable branch that was active when the vulnerability's sysfs support was
introduced. A quick way to identify relevant branches:
```
cd ~/linux-stable
for branch in $(git branch -r | grep 'linux-'); do
count=$(git show "$branch:arch/x86/kernel/cpu/bugs.c" 2>/dev/null | grep -c '<vuln_name>')
[ "$count" -gt 0 ] && echo "$branch: $count matches"
done
```
Then for each branch with matches, show the output function and compare it with mainline.
Document stable-specific differences in a separate `--- stable backports ---` section of
the inventory comment.
**Comment format in CVE files:**
The inventory comment goes in Phase 1, right after `sys_interface_check` returns successfully.
Group entries chronologically by commit, newest last. For each commit, show the hash, the
kernel version it appeared in, and the exact message(s) it introduced or changed. Use `+` to
indicate incremental additions to an enum or format. Example:
```sh
# Complete sysfs message inventory for <vuln>, traced via git blame:
#
# all versions:
# "Not affected" (cpu_show_common, <commit>)
# "Vulnerable" (cpu_show_common fallthrough, <commit>)
#
# <commit> (<version>, <what changed>):
# "Mitigation: <original message>"
# <commit> (<version>, <what changed>):
# "Mitigation: <new message format>"
# <field>: value1 | value2 | value3
# <commit> (<version>, <what changed>):
# <field>: + value4
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
```
The final line (`all messages start with ...`) is a summary that helps verify the grep
patterns used to derive `status` from the message are complete.
### Cross-Cutting Features
@@ -405,7 +594,7 @@ Other paranoid-mode effects include requiring unconditional (rather than conditi
The `--vmm` option tells the script whether the system is a hypervisor host running untrusted virtual machines. It accepts three values: `auto` (default, auto-detect by looking for `qemu`/`kvm`/`xen` processes), `yes` (force hypervisor mode), or `no` (force non-hypervisor mode). The result is stored in `g_has_vmm` by the `check_has_vmm()` function.
Some vulnerabilities (e.g. L1TF/CVE-2018-3646, ITLBMH/CVE-2018-12207) only matter or require additional mitigations when the host is running a hypervisor with untrusted guests. If `g_has_vmm` is 0, the system can be reported as not vulnerable to these VMM-specific aspects:
Some vulnerabilities (e.g. L1TF/CVE-2018-3646, ITLBMH/CVE-2018-12207) only matter - or require additional mitigations - when the host is running a hypervisor with untrusted guests. If `g_has_vmm` is 0, the system can be reported as not vulnerable to these VMM-specific aspects:
```sh
if [ "$g_has_vmm" = 0 ]; then
@@ -429,13 +618,13 @@ CVEs that need VMM context should call `check_has_vmm` early in their `_linux()`
### Key Rules to Remember
- **Never hardcode kernel or microcode versions** detect capabilities directly (design principles 2 and 3).
- **Assume affected by default** only mark a CPU as unaffected when there is positive evidence (design principle 4).
- **Always handle both live and offline modes** use `$opt_live` to branch, and print `N/A "not testable in offline mode"` for runtime-only checks when offline.
- **Never hardcode kernel or microcode versions** - detect capabilities directly (design principles 2 and 3).
- **Assume affected by default** - only mark a CPU as unaffected when there is positive evidence (design principle 4).
- **Always handle both live and offline modes** - use `$opt_live` to branch, and print `N/A "not testable in offline mode"` for runtime-only checks when offline.
- **Use `explain()`** when reporting VULN to give actionable remediation advice (see "Cross-Cutting Features" above).
- **Handle `--paranoid` and `--vmm`** when the CVE has stricter mitigation tiers or VMM-specific aspects (see "Cross-Cutting Features" above).
- **All indentation must use tabs** (CI enforces this).
- **Stay POSIX-compatible** no bashisms, no GNU-only flags in portable code paths.
- **Stay POSIX-compatible** - no bashisms, no GNU-only flags in portable code paths.
## Function documentation headers
@@ -461,7 +650,7 @@ Every function must have a documentation header immediately above its definition
**Rules:**
- The `# Sets:` line is critical it makes global side effects explicit so any reviewer can immediately see what a function mutates.
- The `# Sets:` line is critical - it makes global side effects explicit so any reviewer can immediately see what a function mutates.
- The `# Callers:` line is required for all `_`-prefixed functions. It documents which functions depend on this helper, making it safe to refactor.
- Keep descriptions to one line when possible. If more context is needed, add continuation comment lines before the structured lines.
- Parameter documentation uses `$1=name` format. Append `(optional, default X)` for optional parameters.

272
src/libs/200_cpu_affected.sh
View File

@@ -1,4 +1,32 @@
# vim: set ts=4 sw=4 sts=4 et:
# Helpers for is_cpu_affected: encode the 4 patterns for setting affected_* variables.
# Each function takes the variable suffix as $1 (e.g. "variantl1tf", not "affected_variantl1tf").
# Variables hold 1 (not affected / immune) or 0 (affected / vuln); empty = not yet decided.
# Set affected_$1 to 1 (not affected) unconditionally.
# Use for: hardware capability bits (cap_rdcl_no, cap_ssb_no, cap_gds_no, cap_tsa_*_no),
# is_cpu_specex_free results, and vendor-wide immune facts (AMD/L1TF, Cavium, etc.).
# This always wins and cannot be overridden by _infer_vuln (which only fires on empty).
# Must not be followed by _set_vuln for the same variable in the same code path.
_set_immune() { eval "affected_$1=1"; }
# Set affected_$1 to 0 (affected) unconditionally.
# Use for: confirmed-vuln model/erratum lists, ARM unknown-CPU fallback.
# Note: intentionally overrides a prior _infer_immune (1) — this is required for ARM
# big.LITTLE cumulative logic where a second vuln core must override a prior safe core.
# Must not be called after _set_immune for the same variable in the same code path.
_set_vuln() { eval "affected_$1=0"; }
# Set affected_$1 to 1 (not affected) only if not yet decided (currently empty).
# Use for: model/family whitelists, per-part ARM immune inferences,
# AMD/ARM partial immunity (immune on this variant axis but not others).
_infer_immune() { eval "[ -z \"\$affected_$1\" ] && affected_$1=1 || :"; }
# Set affected_$1 to 0 (affected) only if not yet decided (currently empty).
# Use for: family-level catch-all fallbacks (Intel L1TF non-whitelist, itlbmh non-whitelist).
_infer_vuln() { eval "[ -z \"\$affected_$1\" ] && affected_$1=0 || :"; }
# Return the cached affected_* status for a given CVE
# Args: $1=cve_id
# Returns: 0 if affected, 1 if not affected
@@ -72,79 +100,79 @@ is_cpu_affected() {
affected_itlbmh=''
affected_srbds=''
# Zenbleed and Inception are both AMD specific, look for "is_amd" below:
affected_zenbleed=immune
affected_inception=immune
_set_immune zenbleed
_set_immune inception
# TSA is AMD specific (Zen 3/4), look for "is_amd" below:
affected_tsa=immune
_set_immune tsa
# Downfall & Reptar are Intel specific, look for "is_intel" below:
affected_downfall=immune
affected_reptar=immune
_set_immune downfall
_set_immune reptar
if is_cpu_mds_free; then
[ -z "$affected_msbds" ] && affected_msbds=immune
[ -z "$affected_mfbds" ] && affected_mfbds=immune
[ -z "$affected_mlpds" ] && affected_mlpds=immune
[ -z "$affected_mdsum" ] && affected_mdsum=immune
_infer_immune msbds
_infer_immune mfbds
_infer_immune mlpds
_infer_immune mdsum
pr_debug "is_cpu_affected: cpu not affected by Microarchitectural Data Sampling"
fi
if is_cpu_taa_free; then
[ -z "$affected_taa" ] && affected_taa=immune
_infer_immune taa
pr_debug "is_cpu_affected: cpu not affected by TSX Asynhronous Abort"
fi
if is_cpu_srbds_free; then
[ -z "$affected_srbds" ] && affected_srbds=immune
_infer_immune srbds
pr_debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling"
fi
if is_cpu_specex_free; then
affected_variant1=immune
affected_variant2=immune
affected_variant3=immune
affected_variant3a=immune
affected_variant4=immune
affected_variantl1tf=immune
affected_msbds=immune
affected_mfbds=immune
affected_mlpds=immune
affected_mdsum=immune
affected_taa=immune
affected_srbds=immune
_set_immune variant1
_set_immune variant2
_set_immune variant3
_set_immune variant3a
_set_immune variant4
_set_immune variantl1tf
_set_immune msbds
_set_immune mfbds
_set_immune mlpds
_set_immune mdsum
_set_immune taa
_set_immune srbds
elif is_intel; then
# Intel
# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
# model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
affected_variant1=vuln
[ -z "$affected_variant2" ] && affected_variant2=immune
affected_variant3=vuln
_set_vuln variant1
_infer_immune variant2
_set_vuln variant3
fi
if [ "$cap_rdcl_no" = 1 ]; then
# capability bit for future Intel processor that will explicitly state
# that they're not affected to Meltdown
# this var is set in check_cpu()
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
_set_immune variant3
_set_immune variantl1tf
pr_debug "is_cpu_affected: RDCL_NO is set so not vuln to meltdown nor l1tf"
fi
if [ "$cap_ssb_no" = 1 ]; then
# capability bit for future Intel processor that will explicitly state
# that they're not affected to Variant 4
# this var is set in check_cpu()
[ -z "$affected_variant4" ] && affected_variant4=immune
_set_immune variant4
pr_debug "is_cpu_affected: SSB_NO is set so not vuln to affected_variant4"
fi
if is_cpu_ssb_free; then
[ -z "$affected_variant4" ] && affected_variant4=immune
_infer_immune variant4
pr_debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to affected_variant4"
fi
# variant 3a
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
pr_debug "is_cpu_affected: xeon phi immune to variant 3a"
[ -z "$affected_variant3a" ] && affected_variant3a=immune
_infer_immune variant3a
elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ]; then
@@ -153,10 +181,10 @@ is_cpu_affected() {
# => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be affected
# => goldmont ARE affected
pr_debug "is_cpu_affected: silvermont immune to variant 3a"
[ -z "$affected_variant3a" ] && affected_variant3a=immune
_infer_immune variant3a
fi
fi
# L1TF (RDCL_NO already checked above)
# L1TF (cap_rdcl_no already checked above)
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_TABLET" ] ||
@@ -177,14 +205,14 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
pr_debug "is_cpu_affected: intel family 6 but model known to be immune to l1tf"
[ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
_infer_immune variantl1tf
else
pr_debug "is_cpu_affected: intel family 6 is vuln to l1tf"
[ -z "$affected_variantl1tf" ] && affected_variantl1tf=vuln
_infer_vuln variantl1tf
fi
elif [ "$cpu_family" -lt 6 ]; then
pr_debug "is_cpu_affected: intel family < 6 is immune to l1tf"
[ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
_infer_immune variantl1tf
fi
# Downfall
if [ "$cap_gds_no" = 1 ]; then
@@ -192,7 +220,7 @@ is_cpu_affected() {
# that they're unaffected by GDS. Also set by hypervisors on virtual CPUs
# so that the guest kernel doesn't try to mitigate GDS when it's already mitigated on the host
pr_debug "is_cpu_affected: downfall: not affected (GDS_NO)"
affected_downfall=immune
_set_immune downfall
elif [ "$cpu_family" = 6 ]; then
# list from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64094e7e3118aff4b0be8ff713c242303e139834
set -u
@@ -208,7 +236,7 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then
pr_debug "is_cpu_affected: downfall: affected"
affected_downfall=vuln
_set_vuln downfall
elif [ "$cap_avx2" = 0 ] && [ "$cap_avx512" = 0 ]; then
pr_debug "is_cpu_affected: downfall: no avx; immune"
else
@@ -267,7 +295,7 @@ is_cpu_affected() {
)
if [ "$cpu_cpuid" = "$affected_cpuid" ] && [ $((cpu_platformid & ucode_platformid_mask)) -gt 0 ]; then
# this is not perfect as Intel never tells about their EOL CPUs, so more CPUs might be affected but there's no way to tell
affected_reptar=vuln
_set_vuln reptar
g_reptar_fixed_ucode_version=$fixed_ucode_ver
break
fi
@@ -276,26 +304,26 @@ is_cpu_affected() {
elif is_amd || is_hygon; then
# AMD revised their statement about affected_variant2 => affected
# https://www.amd.com/en/corporate/speculative-execution
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
# https://www.amd.com/en/corporate/security-updates
# "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."
[ -z "$affected_variant3a" ] && affected_variant3a=immune
_infer_immune variant3a
if is_cpu_ssb_free; then
[ -z "$affected_variant4" ] && affected_variant4=immune
_infer_immune variant4
pr_debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to affected_variant4"
fi
affected_variantl1tf=immune
_set_immune variantl1tf
# Zenbleed
amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && affected_zenbleed=vuln
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && affected_zenbleed=vuln
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && affected_zenbleed=vuln
amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && _set_vuln zenbleed
amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && _set_vuln zenbleed
amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && _set_vuln zenbleed
# Inception (according to kernel, zen 1 to 4)
if [ "$cpu_family" = $((0x17)) ] || [ "$cpu_family" = $((0x19)) ]; then
affected_inception=vuln
_set_vuln inception
fi
# TSA (Zen 3/4 are affected, unless CPUID says otherwise)
@@ -304,19 +332,19 @@ is_cpu_affected() {
# they're not affected to TSA-SQ and TSA-L1
# these vars are set in check_cpu()
pr_debug "is_cpu_affected: TSA_SQ_NO and TSA_L1_NO are set so not vuln to TSA"
affected_tsa=immune
_set_immune tsa
elif [ "$cpu_family" = $((0x19)) ]; then
affected_tsa=vuln
_set_vuln tsa
fi
elif [ "$cpu_vendor" = CAVIUM ]; then
affected_variant3=immune
affected_variant3a=immune
affected_variantl1tf=immune
_set_immune variant3
_set_immune variant3a
_set_immune variantl1tf
elif [ "$cpu_vendor" = PHYTIUM ]; then
affected_variant3=immune
affected_variant3a=immune
affected_variantl1tf=immune
_set_immune variant3
_set_immune variant3a
_set_immune variantl1tf
elif [ "$cpu_vendor" = ARM ]; then
# ARM
# reference: https://developer.arm.com/support/security-update
@@ -348,73 +376,73 @@ is_cpu_affected() {
# Maintain cumulative check of vulnerabilities -
# if at least one of the cpu is affected, then the system is affected
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
[ -z "$affected_variant4" ] && affected_variant4=immune
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_infer_immune variant3a
_infer_immune variant4
pr_debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
affected_variant3a=vuln
[ -z "$affected_variant4" ] && affected_variant4=immune
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_set_vuln variant3a
_infer_immune variant4
pr_debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
affected_variant3a=vuln
affected_variant4=vuln
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_set_vuln variant3a
_set_vuln variant4
pr_debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
affected_variant1=vuln
affected_variant2=vuln
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
affected_variant4=vuln
_set_vuln variant1
_set_vuln variant2
_infer_immune variant3
_infer_immune variant3a
_set_vuln variant4
pr_debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
affected_variant1=vuln
affected_variant2=vuln
affected_variant3=vuln
[ -z "$affected_variant3a" ] && affected_variant3a=immune
affected_variant4=vuln
_set_vuln variant1
_set_vuln variant2
_set_vuln variant3
_infer_immune variant3a
_set_vuln variant4
pr_debug "checking cpu$i: armv8 A75 non affected to variant 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
affected_variant1=vuln
[ -z "$affected_variant2" ] && affected_variant2=immune
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
affected_variant4=vuln
_set_vuln variant1
_infer_immune variant2
_infer_immune variant3
_infer_immune variant3a
_set_vuln variant4
pr_debug "checking cpu$i: armv8 A76/A77/NeoverseN1 non affected to variant 2, 3 & 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd40 -e 0xd49 -e 0xd4f; then
affected_variant1=vuln
[ -z "$affected_variant2" ] && affected_variant2=immune
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
[ -z "$affected_variant4" ] && affected_variant4=immune
_set_vuln variant1
_infer_immune variant2
_infer_immune variant3
_infer_immune variant3a
_infer_immune variant4
pr_debug "checking cpu$i: armv8 NeoverseN2/V1/V2 non affected to variant 2, 3, 3a & 4"
elif [ "$cpuarch" -le 7 ] || { [ "$cpuarch" = 8 ] && [ $((cpupart)) -lt $((0xd07)) ]; }; then
[ -z "$affected_variant1" ] && affected_variant1=immune
[ -z "$affected_variant2" ] && affected_variant2=immune
[ -z "$affected_variant3" ] && affected_variant3=immune
[ -z "$affected_variant3a" ] && affected_variant3a=immune
[ -z "$affected_variant4" ] && affected_variant4=immune
_infer_immune variant1
_infer_immune variant2
_infer_immune variant3
_infer_immune variant3a
_infer_immune variant4
pr_debug "checking cpu$i: arm arch$cpuarch, all immune (v7 or v8 and model < 0xd07)"
else
affected_variant1=vuln
affected_variant2=vuln
affected_variant3=vuln
affected_variant3a=vuln
affected_variant4=vuln
_set_vuln variant1
_set_vuln variant2
_set_vuln variant3
_set_vuln variant3a
_set_vuln variant4
pr_debug "checking cpu$i: arm unknown arch$cpuarch part$cpupart, considering vuln"
fi
fi
pr_debug "is_cpu_affected: for cpu$i and so far, we have <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4>"
done
affected_variantl1tf=immune
_set_immune variantl1tf
fi
# we handle iTLB Multihit here (not linked to is_specex_free)
@@ -437,43 +465,31 @@ is_cpu_affected() {
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
pr_debug "is_cpu_affected: intel family 6 but model known to be immune to itlbmh"
[ -z "$affected_itlbmh" ] && affected_itlbmh=immune
_infer_immune itlbmh
else
pr_debug "is_cpu_affected: intel family 6 is vuln to itlbmh"
affected_itlbmh=vuln
_infer_vuln itlbmh
fi
elif [ "$cpu_family" -lt 6 ]; then
pr_debug "is_cpu_affected: intel family < 6 is immune to itlbmh"
[ -z "$affected_itlbmh" ] && affected_itlbmh=immune
_infer_immune itlbmh
fi
else
pr_debug "is_cpu_affected: non-intel not affected to itlbmh"
[ -z "$affected_itlbmh" ] && affected_itlbmh=immune
_infer_immune itlbmh
fi
pr_debug "is_cpu_affected: temp results are <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4> <$affected_variantl1tf>"
[ "$affected_variant1" = "immune" ] && affected_variant1=1 || affected_variant1=0
[ "$affected_variant2" = "immune" ] && affected_variant2=1 || affected_variant2=0
[ "$affected_variant3" = "immune" ] && affected_variant3=1 || affected_variant3=0
[ "$affected_variant3a" = "immune" ] && affected_variant3a=1 || affected_variant3a=0
[ "$affected_variant4" = "immune" ] && affected_variant4=1 || affected_variant4=0
[ "$affected_variantl1tf" = "immune" ] && affected_variantl1tf=1 || affected_variantl1tf=0
[ "$affected_msbds" = "immune" ] && affected_msbds=1 || affected_msbds=0
[ "$affected_mfbds" = "immune" ] && affected_mfbds=1 || affected_mfbds=0
[ "$affected_mlpds" = "immune" ] && affected_mlpds=1 || affected_mlpds=0
[ "$affected_mdsum" = "immune" ] && affected_mdsum=1 || affected_mdsum=0
[ "$affected_taa" = "immune" ] && affected_taa=1 || affected_taa=0
[ "$affected_itlbmh" = "immune" ] && affected_itlbmh=1 || affected_itlbmh=0
[ "$affected_srbds" = "immune" ] && affected_srbds=1 || affected_srbds=0
[ "$affected_zenbleed" = "immune" ] && affected_zenbleed=1 || affected_zenbleed=0
[ "$affected_downfall" = "immune" ] && affected_downfall=1 || affected_downfall=0
[ "$affected_inception" = "immune" ] && affected_inception=1 || affected_inception=0
[ "$affected_reptar" = "immune" ] && affected_reptar=1 || affected_reptar=0
[ "$affected_tsa" = "immune" ] && affected_tsa=1 || affected_tsa=0
# shellcheck disable=SC2154 # affected_zenbleed/inception/tsa/downfall/reptar set via eval (_set_immune)
{
pr_debug "is_cpu_affected: final results: variant1=$affected_variant1 variant2=$affected_variant2 variant3=$affected_variant3 variant3a=$affected_variant3a"
pr_debug "is_cpu_affected: final results: variant4=$affected_variant4 variantl1tf=$affected_variantl1tf msbds=$affected_msbds mfbds=$affected_mfbds"
pr_debug "is_cpu_affected: final results: mlpds=$affected_mlpds mdsum=$affected_mdsum taa=$affected_taa itlbmh=$affected_itlbmh srbds=$affected_srbds"
pr_debug "is_cpu_affected: final results: zenbleed=$affected_zenbleed inception=$affected_inception tsa=$affected_tsa downfall=$affected_downfall reptar=$affected_reptar"
}
affected_variantl1tf_sgx="$affected_variantl1tf"
# even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
[ "$cap_sgx" = 0 ] && affected_variantl1tf_sgx=1
pr_debug "is_cpu_affected: final results are <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4> <$affected_variantl1tf> <$affected_variantl1tf_sgx>"
[ "$cap_sgx" = 0 ] && _set_immune variantl1tf_sgx
pr_debug "is_cpu_affected: variantl1tf_sgx=<$affected_variantl1tf_sgx>"
g_is_cpu_affected_cached=1
_is_cpu_affected_cached "$1"
return $?

150
src/libs/400_hw_check.sh
View File

@@ -481,26 +481,27 @@ check_cpu() {
pr_info_nol " * CPU indicates STIBP capability: "
# intel: A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
# amd: 8000_0008 EBX[15]=1
cap_stibp=''
if is_intel; then
read_cpuid 0x7 0x0 $EDX 27 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES "Intel STIBP feature bit"
#cpuid_stibp='Intel STIBP'
cap_stibp='Intel STIBP'
fi
elif is_amd; then
read_cpuid 0x80000008 0x0 $EBX 15 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES "AMD STIBP feature bit"
#cpuid_stibp='AMD STIBP'
cap_stibp='AMD STIBP'
fi
elif is_hygon; then
read_cpuid 0x80000008 0x0 $EBX 15 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES "HYGON STIBP feature bit"
#cpuid_stibp='HYGON STIBP'
cap_stibp='HYGON STIBP'
fi
else
ret=invalid
@@ -662,6 +663,8 @@ check_cpu() {
pr_info_nol " * Indirect Predictor Disable feature is available: "
read_cpuid 0x7 0x2 $EDX 1 1 1
ret=$?
# cap_ipred is not yet used in verdict logic (no kernel sysfs/config to cross-reference)
# shellcheck disable=SC2034
if [ $ret = $READ_CPUID_RET_OK ]; then
cap_ipred=1
pstatus green YES "IPRED_CTRL feature bit"
@@ -700,9 +703,6 @@ check_cpu() {
cap_bhi=-1
pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
fi
# make shellcheck happy while we're not yet using these new cpuid values in our checks
export cap_ipred cap_rrsba cap_bhi
fi
if is_intel; then
@@ -1006,6 +1006,20 @@ check_cpu() {
else
pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
fi
pr_info_nol " * CPU indicates AutoIBRS capability: "
cap_autoibrs=''
read_cpuid 0x80000021 0x0 $EAX 8 1 1
ret=$?
if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES
cap_autoibrs=1
elif [ $ret = $READ_CPUID_RET_KO ]; then
pstatus yellow NO
cap_autoibrs=0
else
pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
fi
fi
pr_info_nol " * CPU supports Transactional Synchronization Extensions (TSX): "
@@ -1159,60 +1173,92 @@ check_redhat_canonical_spectre() {
fi
}
# Detect whether this system is hosting virtual machines (hypervisor check)
# Sets: g_has_vmm
# Detect whether this system is hosting virtual machines (hypervisor check).
# Detection runs only on the first call; subsequent calls reuse the cached
# result. The status line is always printed so each CVE section shows the
# hypervisor context to the user.
# Sets: g_has_vmm, g_has_vmm_reason
check_has_vmm() {
local binary pid
pr_info_nol "* This system is a host running a hypervisor: "
g_has_vmm=$opt_vmm
if [ "$g_has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then
# In paranoid mode, if --vmm was not specified on the command-line,
# we want to be secure before everything else, so assume we're running
# a hypervisor, as this requires more mitigations
g_has_vmm=2
elif [ "$g_has_vmm" = -1 ]; then
# Here, we want to know if we are hosting a hypervisor, and running some VMs on it.
# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
# this can always be overridden with --vmm in any case.
g_has_vmm=0
if command -v pgrep >/dev/null 2>&1; then
# remove xenbus and xenwatch, also present inside domU
# remove libvirtd as it can also be used to manage containers and not VMs
# for each binary we want to grep, get the pids
for binary in qemu kvm xenstored xenconsoled; do
for pid in $(pgrep -x "$binary"); do
# resolve the exe symlink, if it doesn't resolve with -m,
# which doesn't even need the dest to exist, it means the symlink
# is null, which is the case for kernel threads: ignore those to
# avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7)
if ! [ "$(readlink -m "/proc/$pid/exe")" = "/proc/$pid/exe" ]; then
pr_debug "g_has_vmm: found PID $pid"
g_has_vmm=1
fi
done
done
unset binary pid
if [ "$g_has_vmm_cached" != 1 ]; then
g_has_vmm=$opt_vmm
if [ "$g_has_vmm" != -1 ]; then
# --vmm was explicitly set on the command line
g_has_vmm_reason="forced from command line"
elif [ "$opt_paranoid" = 1 ]; then
# In paranoid mode, if --vmm was not specified on the command-line,
# we want to be secure before everything else, so assume we're running
# a hypervisor, as this requires more mitigations
g_has_vmm=1
g_has_vmm_reason="paranoid mode"
else
# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
# shellcheck disable=SC2009
if command -v ps >/dev/null && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
g_has_vmm=1
# Here, we want to know if we are hosting a hypervisor, and running some VMs on it.
# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
# this can always be overridden with --vmm in any case.
g_has_vmm=0
if command -v pgrep >/dev/null 2>&1; then
# Exclude xenbus/xenwatch (present inside domU guests) and
# libvirtd (also manages containers, not just VMs).
# Use pgrep -x (exact match) for most binaries. QEMU is
# special: the binary is almost never just "qemu" — it is
# "qemu-system-x86_64", "qemu-system-aarch64", etc. We
# keep "qemu" for the rare wrapper/symlink case and add
# "qemu-system-" as a substring match via a separate pgrep
# call (without -x) to catch all qemu-system-* variants.
# Kernel threads (e.g. [kvm-irqfd-clean]) are filtered out
# below via the /proc/$pid/exe symlink check.
# Note: the kernel truncates process names to 15 chars
# (TASK_COMM_LEN), so pgrep -x can't match longer names.
# "cloud-hypervisor" (16 chars) is handled in the substring
# block below alongside qemu-system-*.
for binary in qemu kvm xenstored xenconsoled \
VBoxHeadless VBoxSVC vmware-vmx firecracker bhyve; do
for pid in $(pgrep -x "$binary"); do
# resolve the exe symlink, if it doesn't resolve with -m,
# which doesn't even need the dest to exist, it means the symlink
# is null, which is the case for kernel threads: ignore those to
# avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7)
if ! [ "$(readlink -m "/proc/$pid/exe")" = "/proc/$pid/exe" ]; then
pr_debug "g_has_vmm: found PID $pid ($binary)"
g_has_vmm=1
g_has_vmm_reason="$binary process found (PID $pid)"
fi
done
done
# substring matches for names that pgrep -x can't handle:
# - qemu-system-*: variable suffix (x86_64, aarch64, ...)
# - cloud-hypervisor: 16 chars, exceeds TASK_COMM_LEN (15)
if [ "$g_has_vmm" = 0 ]; then
for binary in "qemu-system-" "cloud-hyperviso"; do
for pid in $(pgrep "$binary"); do
if ! [ "$(readlink -m "/proc/$pid/exe")" = "/proc/$pid/exe" ]; then
pr_debug "g_has_vmm: found PID $pid ($binary*)"
g_has_vmm=1
g_has_vmm_reason="$binary* process found (PID $pid)"
fi
done
done
fi
unset binary pid
else
# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
# shellcheck disable=SC2009
if command -v ps >/dev/null && ps ax | grep -vw grep | grep -q \
-e '\<qemu' -e '/qemu' -e '\<kvm' -e '/kvm' \
-e '/xenstored' -e '/xenconsoled' \
-e '\<VBoxHeadless' -e '\<VBoxSVC' -e '\<vmware-vmx' \
-e '\<firecracker' -e '\<cloud-hypervisor' -e '\<bhyve'; then
g_has_vmm=1
g_has_vmm_reason="hypervisor process found"
fi
fi
fi
g_has_vmm_cached=1
fi
if [ "$g_has_vmm" = 0 ]; then
if [ "$opt_vmm" != -1 ]; then
pstatus green NO "forced from command line"
else
pstatus green NO
fi
pstatus green NO "$g_has_vmm_reason"
else
if [ "$opt_vmm" != -1 ]; then
pstatus blue YES "forced from command line"
elif [ "$g_has_vmm" = 2 ]; then
pstatus blue YES "paranoid mode"
else
pstatus blue YES
fi
pstatus blue YES "$g_has_vmm_reason"
fi
}

834
src/vulns/CVE-2017-5715.sh
View File

@@ -3,22 +3,224 @@
# SPECTRE 2 SECTION
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - entry point
# Sets: vulnstatus
check_CVE_2017_5715() {
check_cve 'CVE-2017-5715'
}
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - Linux mitigation check
# Sets: g_ibrs_can_tell, g_ibrs_supported, g_ibrs_enabled, g_ibrs_fw_enabled,
# g_ibpb_can_tell, g_ibpb_supported, g_ibpb_enabled, g_specex_knob_dir
check_CVE_2017_5715_linux() {
local status sys_interface_available msg dir bp_harden_can_tell bp_harden retpoline retpoline_compiler retpoline_compiler_reason retp_enabled rsb_filling explain_hypervisor
local status sys_interface_available msg dir bp_harden_can_tell bp_harden retpoline retpoline_compiler retpoline_compiler_reason retp_enabled rsb_filling
local v2_base_mode v2_stibp_status v2_pbrsb_status v2_bhi_status v2_ibpb_mode v2_vuln_module v2_is_autoibrs smt_enabled
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "$VULN_SYSFS_BASE/spectre_v2"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
#
# Complete sysfs message inventory for spectre_v2, traced via git blame
# on mainline (~/linux) and stable (~/linux-stable):
#
# all versions:
# "Not affected" (cpu_show_common, 61dc0f555b5c)
# "Vulnerable" (cpu_show_common fallthrough / spectre_v2_strings[NONE], 61dc0f555b5c)
#
# The output is a composite string: <base>[<ibpb>][<ibrs_fw>][<stibp>][<rsb>][<pbrsb>][<bhi>][<module>]
# where <base> comes from spectre_v2_strings[] (or an early-return override),
# and the remaining fields are appended by helper functions.
# Before v6.9-rc4 (0cd01ac5dcb1), fields were separated by ", ".
# From v6.9-rc4 onward, fields are separated by "; ".
#
# --- base string (spectre_v2_strings[]) ---
#
# da285121560e (v4.15, initial spectre_v2 sysfs):
# "Vulnerable"
# "Mitigation: None" (documented in spectre.rst 5ad3eb113245,
# not found in code but listed as a possible value; treat as vulnerable / sysfs override)
# "Vulnerable: Minimal generic ASM retpoline"
# "Vulnerable: Minimal AMD ASM retpoline"
# "Mitigation: Full generic retpoline"
# "Mitigation: Full AMD retpoline"
# 706d51681d63 (v4.19, added Enhanced IBRS):
# + "Mitigation: Enhanced IBRS"
# ef014aae8f1c (v4.20-rc5, removed minimal retpoline):
# - "Vulnerable: Minimal generic ASM retpoline"
# - "Vulnerable: Minimal AMD ASM retpoline"
# d45476d98324 (v5.17-rc8, renamed retpoline variants):
# "Mitigation: Full generic retpoline" -> "Mitigation: Retpolines"
# "Mitigation: Full AMD retpoline" -> "Mitigation: LFENCE" (in array)
# NOTE: "Mitigation: LFENCE" was the actual sysfs output for a brief window
# (between d45476d98324 and eafd987d4a82, both in v5.17-rc8) before the
# show_state override reclassified it as "Vulnerable: LFENCE". LFENCE alone
# is now considered an insufficient mitigation for Spectre v2. Any kernel
# reporting "Mitigation: LFENCE" is from this narrow window and should be
# treated as vulnerable.
# 1e19da8522c8 (v5.17-rc8, split Enhanced IBRS into 3 modes):
# "Mitigation: Enhanced IBRS" -> "Mitigation: Enhanced IBRS" (EIBRS alone)
# + "Mitigation: Enhanced IBRS + LFENCE"
# + "Mitigation: Enhanced IBRS + Retpolines"
# 7c693f54c873 (v5.19-rc7, added kernel IBRS):
# + "Mitigation: IBRS"
# e7862eda309e (v6.3-rc1, AMD Automatic IBRS):
# "Mitigation: Enhanced IBRS" -> "Mitigation: Enhanced / Automatic IBRS"
# "Mitigation: Enhanced IBRS + LFENCE" -> "Mitigation: Enhanced / Automatic IBRS + LFENCE"
# "Mitigation: Enhanced IBRS + Retpolines" -> "Mitigation: Enhanced / Automatic IBRS + Retpolines"
# d1cc1baef67a (v6.18-rc1, fixed LFENCE in array):
# "Mitigation: LFENCE" -> "Vulnerable: LFENCE" (in array, matching the
# show_state override that had been correcting the sysfs output since v5.17)
#
# --- early-return overrides in spectre_v2_show_state() ---
#
# These bypass the base string + suffix format entirely.
#
# eafd987d4a82 (v5.17-rc8, LFENCE override):
# "Vulnerable: LFENCE"
# (overrode the array's "Mitigation: LFENCE"; removed in v6.18-rc1 when the array
# was fixed to say "Vulnerable: LFENCE" directly)
# 44a3918c8245 (v5.17-rc8, created spectre_v2_show_state, eIBRS+eBPF):
# "Vulnerable: Unprivileged eBPF enabled"
# (immediately renamed below)
# 0de05d056afd (v5.17-rc8, renamed + added eIBRS+LFENCE case):
# "Vulnerable: Unprivileged eBPF enabled" -> "Vulnerable: eIBRS with unprivileged eBPF"
# + "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT"
#
# --- <ibpb> suffix (ibpb_state()) ---
#
# 20ffa1caecca (v4.16-rc1, initial IBPB):
# ", IBPB" (present/absent)
# a8f76ae41cd6 (v4.20-rc5, extracted ibpb_state()):
# ", IBPB: disabled" | ", IBPB: always-on"
# 7cc765a67d8e (v4.20-rc5, conditional IBPB):
# + ", IBPB: conditional"
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", IBPB: ..." -> "; IBPB: ..."
#
# --- <ibrs_fw> suffix ---
#
# dd84441a7971 (v4.16-rc4):
# ", IBRS_FW" (present/absent)
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", IBRS_FW" -> "; IBRS_FW"
#
# --- <stibp> suffix (stibp_state()) ---
#
# 53c613fe6349 (v4.20-rc1, initial STIBP):
# ", STIBP" (present/absent)
# a8f76ae41cd6 (v4.20-rc5, extracted stibp_state()):
# ", STIBP: disabled" | ", STIBP: forced"
# 9137bb27e60e (v4.20-rc5, added prctl):
# + ", STIBP: conditional" (when prctl/seccomp + switch_to_cond_stibp)
# 20c3a2c33e9f (v5.0-rc1, added always-on preferred):
# + ", STIBP: always-on"
# 34bce7c9690b (v4.20-rc5, eIBRS suppresses STIBP):
# returns "" when eIBRS is in use
# fd470a8beed8 (v6.5-rc4, AutoIBRS exception):
# returns "" only when eIBRS AND not AutoIBRS (AutoIBRS shows STIBP)
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", STIBP: ..." -> "; STIBP: ..."
#
# --- <rsb> suffix ---
#
# bb4b3b776273 (v4.20-rc1):
# ", RSB filling" (present/absent)
# 53c613fe6349 (v4.20-rc1, temporarily removed, re-added in a8f76ae41cd6)
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", RSB filling" -> "; RSB filling"
#
# --- <pbrsb> suffix (pbrsb_eibrs_state()) ---
#
# 2b1299322016 (v6.0-rc1):
# ", PBRSB-eIBRS: Not affected" | ", PBRSB-eIBRS: SW sequence" | ", PBRSB-eIBRS: Vulnerable"
# 0cd01ac5dcb1 (v6.9-rc4, separator change):
# ", PBRSB-eIBRS: ..." -> "; PBRSB-eIBRS: ..."
#
# --- <bhi> suffix (spectre_bhi_state()) ---
#
# ec9404e40e8f (v6.9-rc4):
# "; BHI: Not affected" | "; BHI: BHI_DIS_S" | "; BHI: SW loop, KVM: SW loop"
# | "; BHI: Retpoline" | "; BHI: Vulnerable"
# 95a6ccbdc719 (v6.9-rc4, KVM default):
# + "; BHI: Vulnerable, KVM: SW loop"
# 5f882f3b0a8b (v6.9-rc4, clarified syscall hardening):
# removed "; BHI: Vulnerable (Syscall hardening enabled)"
# removed "; BHI: Syscall hardening, KVM: SW loop"
# (both replaced by "; BHI: Vulnerable" / "; BHI: Vulnerable, KVM: SW loop")
#
# --- <module> suffix (spectre_v2_module_string()) ---
#
# caf7501a1b4e (v4.16-rc1):
# " - vulnerable module loaded" (present/absent)
#
# --- stable backports ---
#
# 3.2.y: old-style base strings ("Full generic/AMD retpoline", "Minimal generic/AMD
# ASM retpoline"). Suffixes: ", IBPB" only (no STIBP/IBRS_FW/RSB). Format: %s%s\n.
# Has "Mitigation: Enhanced IBRS" (no "/ Automatic") in later releases.
# 3.16.y, 4.4.y: old-style base strings. ibpb_state()/stibp_state()/IBRS_FW/RSB filling.
# 3.16.y lacks STIBP "always-on". Comma separators.
# Both have "Mitigation: Enhanced IBRS" (no "/ Automatic"). No LFENCE/EIBRS modes.
# 4.9.y: has spectre_v2_show_state() with LFENCE override ("Vulnerable: LFENCE"),
# eIBRS+eBPF overrides. "Mitigation: Enhanced IBRS" (no "/ Automatic").
# No SPECTRE_V2_IBRS. No pbrsb or BHI. Comma separators.
# 4.14.y: like 4.9.y but also has SPECTRE_V2_IBRS and pbrsb_eibrs_state().
# "Mitigation: Enhanced IBRS" (no "/ Automatic"). No BHI. Comma separators.
# 4.19.y: like 4.14.y but has "Enhanced / Automatic IBRS". No BHI. Comma separators.
# 5.4.y, 5.10.y: like 4.19.y. No BHI. Comma separators.
# 5.15.y, 6.1.y, 6.6.y, 6.12.y: match mainline (semicolons, BHI, all fields).
#
# --- Red Hat / CentOS / Rocky kernels ---
#
# Red Hat kernels carry their own spectre_v2 mitigation implementation that differs
# significantly from mainline. The following strings are unique to Red Hat kernels:
#
# centos6 (RHEL 6, kernel 2.6.32): base strings are a superset of mainline v4.15:
# "Vulnerable: Minimal ASM retpoline" (no "generic" qualifier)
# "Vulnerable: Minimal AMD ASM retpoline"
# "Vulnerable: Retpoline without IBPB"
# "Vulnerable: Retpoline on Skylake+" (removed in later centos6 releases)
# "Vulnerable: Retpoline with unsafe module(s)"
# "Mitigation: Full AMD retpoline"
# "Mitigation: Full retpoline" (no "generic" qualifier)
# "Mitigation: Full retpoline and IBRS (user space)"
# "Mitigation: IBRS (kernel)"
# "Mitigation: IBRS (kernel and user space)"
# "Mitigation: IBP disabled"
# Suffixes: ", IBPB" only. Format: %s%s\n.
#
# centos7 (RHEL 7, kernel 3.10): early releases have all centos6 strings plus
# "Vulnerable: Retpoline on Skylake+". Later releases removed Skylake+ and
# Minimal AMD, and changed AMD retpoline to:
# "Vulnerable: AMD retpoline (LFENCE/JMP)"
# Added "Mitigation: Enhanced IBRS". Suffixes: ibpb_state() + stibp_state()
# with simple ", IBPB" / ", STIBP" strings. No IBRS_FW/RSB/pbrsb/BHI.
#
# centos8 (RHEL 8, kernel 4.18): uses mainline v5.17+ style enum names
# (RETPOLINE/LFENCE/EIBRS) but retains RHEL-specific entries:
# "Mitigation: IBRS (kernel)" (SPECTRE_V2_IBRS)
# "Mitigation: Full retpoline and IBRS (user space)" (SPECTRE_V2_RETPOLINE_IBRS_USER)
# "Mitigation: IBRS (kernel and user space)" (SPECTRE_V2_IBRS_ALWAYS)
# "Mitigation: Enhanced IBRS" (no "/ Automatic"). spectre_v2_show_state() with
# LFENCE/eIBRS+eBPF overrides. Comma separators. No pbrsb/BHI.
#
# rocky9 (RHEL 9, kernel 5.14): matches mainline. Semicolons, BHI, all fields.
# rocky10 (RHEL 10, kernel 6.12): matches mainline.
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
fi
if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm
v2_base_mode=''
v2_stibp_status=''
v2_pbrsb_status=''
v2_bhi_status=''
v2_ibpb_mode=''
v2_vuln_module=''
v2_is_autoibrs=0
pr_info "* Mitigation 1"
g_ibrs_can_tell=0
@@ -397,6 +599,233 @@ check_CVE_2017_5715_linux() {
fi
fi
# Mitigation 3: derive structured mitigation variables for the verdict.
# These are set from sysfs fields (when available) with hardware fallbacks.
pr_info "* Mitigation 3 (sub-mitigations)"
# --- v2_base_mode: which base Spectre v2 mitigation is active ---
pr_info_nol " * Base Spectre v2 mitigation mode: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
# Parse from sysfs (handle all mainline, stable, and RHEL variants)
case "$ret_sys_interface_check_fullmsg" in
*"Enhanced / Automatic IBRS + LFENCE"* | *"Enhanced IBRS + LFENCE"*) v2_base_mode=eibrs_lfence ;;
*"Enhanced / Automatic IBRS + Retpolines"* | *"Enhanced IBRS + Retpolines"*) v2_base_mode=eibrs_retpoline ;;
*"Enhanced / Automatic IBRS"* | *"Enhanced IBRS"*) v2_base_mode=eibrs ;;
*"Mitigation: IBRS (kernel and user space)"*) v2_base_mode=ibrs ;;
*"Mitigation: IBRS (kernel)"*) v2_base_mode=ibrs ;;
*"Mitigation: IBRS"*) v2_base_mode=ibrs ;;
*"Mitigation: Retpolines"* | *"Full generic retpoline"* | *"Full retpoline"* | *"Full AMD retpoline"*) v2_base_mode=retpoline ;;
*"Vulnerable: LFENCE"* | *"Mitigation: LFENCE"*) v2_base_mode=lfence ;;
*"Vulnerable"*) v2_base_mode=none ;;
*) v2_base_mode=unknown ;;
esac
fi
# Fallback to existing variables if sysfs didn't provide a base mode
if [ -z "$v2_base_mode" ] || [ "$v2_base_mode" = "unknown" ]; then
if [ "$g_ibrs_enabled" = 4 ]; then
v2_base_mode=eibrs
elif [ -n "$g_ibrs_enabled" ] && [ "$g_ibrs_enabled" -ge 1 ] 2>/dev/null; then
v2_base_mode=ibrs
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ]; then
v2_base_mode=retpoline
elif [ "$retpoline" = 1 ]; then
v2_base_mode=retpoline
fi
fi
case "$v2_base_mode" in
eibrs) pstatus green "Enhanced / Automatic IBRS" ;;
eibrs_lfence) pstatus green "Enhanced / Automatic IBRS + LFENCE" ;;
eibrs_retpoline) pstatus green "Enhanced / Automatic IBRS + Retpolines" ;;
ibrs) pstatus green "IBRS" ;;
retpoline) pstatus green "Retpolines" ;;
lfence) pstatus red "LFENCE (insufficient)" ;;
none) pstatus yellow "None" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_is_autoibrs: AMD AutoIBRS vs Intel eIBRS ---
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
if [ "$cap_autoibrs" = 1 ] || { (is_amd || is_hygon) && [ "$cap_ibrs_all" != 1 ]; }; then
v2_is_autoibrs=1
fi
;;
esac
# --- v2_ibpb_mode ---
pr_info_nol " * IBPB mode: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"IBPB: always-on"*) v2_ibpb_mode=always-on ;;
*"IBPB: conditional"*) v2_ibpb_mode=conditional ;;
*"IBPB: disabled"*) v2_ibpb_mode=disabled ;;
*", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;;
*) v2_ibpb_mode=disabled ;;
esac
elif [ "$opt_live" = 1 ]; then
case "$g_ibpb_enabled" in
2) v2_ibpb_mode=always-on ;;
1) v2_ibpb_mode=conditional ;;
0) v2_ibpb_mode=disabled ;;
*) v2_ibpb_mode=unknown ;;
esac
else
v2_ibpb_mode=unknown
fi
case "$v2_ibpb_mode" in
always-on) pstatus green YES "always-on" ;;
conditional) pstatus green YES "conditional" ;;
disabled) pstatus yellow NO "disabled" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_stibp_status ---
pr_info_nol " * STIBP status: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"STIBP: always-on"*) v2_stibp_status=always-on ;;
*"STIBP: forced"*) v2_stibp_status=forced ;;
*"STIBP: conditional"*) v2_stibp_status=conditional ;;
*"STIBP: disabled"*) v2_stibp_status=disabled ;;
*", STIBP"* | *"; STIBP"*) v2_stibp_status=forced ;;
*)
# No STIBP field: Intel eIBRS suppresses it (implicit cross-thread protection)
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
if [ "$v2_is_autoibrs" != 1 ]; then
v2_stibp_status=eibrs-implicit
else
v2_stibp_status=unknown
fi
;;
*) v2_stibp_status=unknown ;;
esac
;;
esac
else
# No sysfs: use hardware capability + context to infer STIBP status
if [ "$smt_enabled" != 0 ]; then
# SMT disabled or unknown: STIBP is not needed
v2_stibp_status=not-needed
else
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
if [ "$v2_is_autoibrs" != 1 ]; then
# Intel eIBRS provides implicit cross-thread protection
v2_stibp_status=eibrs-implicit
elif [ -n "$cap_stibp" ]; then
# AMD AutoIBRS: CPU supports STIBP but can't confirm runtime state
v2_stibp_status=unknown
else
# No STIBP support on this CPU
v2_stibp_status=unavailable
fi
;;
*)
if [ -n "$cap_stibp" ]; then
# CPU supports STIBP but can't confirm runtime state without sysfs
v2_stibp_status=unknown
else
# CPU does not support STIBP at all
v2_stibp_status=unavailable
fi
;;
esac
fi
fi
case "$v2_stibp_status" in
always-on) pstatus green YES "always-on" ;;
forced) pstatus green YES "forced" ;;
conditional) pstatus green YES "conditional" ;;
eibrs-implicit) pstatus green YES "implicit via eIBRS" ;;
not-needed) pstatus green YES "not needed (SMT disabled)" ;;
unavailable) pstatus red NO "CPU does not support STIBP" ;;
disabled) pstatus yellow NO "disabled" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_pbrsb_status (only relevant for eIBRS) ---
case "$v2_base_mode" in
eibrs | eibrs_lfence | eibrs_retpoline)
pr_info_nol " * PBRSB-eIBRS mitigation: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"PBRSB-eIBRS: Not affected"*) v2_pbrsb_status=not-affected ;;
*"PBRSB-eIBRS: SW sequence"*) v2_pbrsb_status=sw-sequence ;;
*"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;;
*) v2_pbrsb_status=unknown ;;
esac
elif [ "$opt_live" != 1 ] && [ -n "$g_kernel" ]; then
if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then
v2_pbrsb_status=sw-sequence
else
v2_pbrsb_status=unknown
fi
else
v2_pbrsb_status=unknown
fi
case "$v2_pbrsb_status" in
not-affected) pstatus green "Not affected" ;;
sw-sequence) pstatus green "SW sequence" ;;
vulnerable) pstatus red "Vulnerable" ;;
*) pstatus yellow UNKNOWN ;;
esac
;;
*) v2_pbrsb_status=n/a ;;
esac
# --- v2_bhi_status ---
pr_info_nol " * BHI mitigation: "
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
case "$ret_sys_interface_check_fullmsg" in
*"BHI: Not affected"*) v2_bhi_status=not-affected ;;
*"BHI: BHI_DIS_S"*) v2_bhi_status=bhi_dis_s ;;
*"BHI: SW loop"*) v2_bhi_status=sw-loop ;;
*"BHI: Retpoline"*) v2_bhi_status=retpoline ;;
*"BHI: Vulnerable, KVM: SW loop"*) v2_bhi_status=vuln-kvm-loop ;;
*"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;;
*) v2_bhi_status=unknown ;;
esac
elif [ "$opt_live" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then
if [ "$cap_bhi" = 1 ]; then
v2_bhi_status=bhi_dis_s
else
v2_bhi_status=sw-loop
fi
else
v2_bhi_status=unknown
fi
else
v2_bhi_status=unknown
fi
case "$v2_bhi_status" in
not-affected) pstatus green "Not affected" ;;
bhi_dis_s) pstatus green "BHI_DIS_S (hardware)" ;;
sw-loop) pstatus green "SW loop" ;;
retpoline) pstatus green "Retpoline" ;;
vuln-kvm-loop) pstatus yellow "Vulnerable (KVM: SW loop)" ;;
vulnerable) pstatus red "Vulnerable" ;;
*) pstatus yellow UNKNOWN ;;
esac
# --- v2_vuln_module ---
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
pr_info_nol " * Non-retpoline module loaded: "
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then
v2_vuln_module=1
pstatus red YES
else
v2_vuln_module=0
pstatus green NO
fi
fi
# --- SMT state (used in verdict) ---
is_cpu_smt_enabled
smt_enabled=$?
# smt_enabled: 0=enabled, 1=disabled, 2=unknown
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
@@ -406,145 +835,310 @@ check_CVE_2017_5715_linux() {
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$g_ibpb_enabled" ] && [ "$g_ibpb_enabled" -ge 1 ] && (! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ]); then
pvulnstatus "$cve" OK "Full retpoline + IBPB are mitigating the vulnerability"
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && (! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ]); then
pvulnstatus "$cve" OK "Full retpoline is mitigating the vulnerability"
if [ -n "$cap_ibpb" ]; then
pr_warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation"
else
pr_warn "IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it"
fi
elif [ -n "$g_ibrs_enabled" ] && [ -n "$g_ibpb_enabled" ] && [ "$g_ibrs_enabled" -ge 1 ] && [ "$g_ibpb_enabled" -ge 1 ]; then
if [ "$g_ibrs_enabled" = 4 ]; then
pvulnstatus "$cve" OK "Enhanced IBRS + IBPB are mitigating the vulnerability"
else
pvulnstatus "$cve" OK "IBRS + IBPB are mitigating the vulnerability"
fi
elif [ "$g_ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
elif [ -n "$bp_harden" ]; then
pvulnstatus "$cve" OK "Branch predictor hardening mitigates the vulnerability"
elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then
pvulnstatus "$cve" VULN "Branch predictor hardening is needed to mitigate the vulnerability"
explain "Your kernel has not been compiled with the CONFIG_UNMAP_KERNEL_AT_EL0 option, recompile it with this option enabled."
elif [ "$opt_live" != 1 ]; then
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
elif [ "$g_ibrs_can_tell" != 1 ]; then
pvulnstatus "$cve" UNK "offline mode: not enough information"
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
fi
fi
elif [ -z "$msg" ]; then
if [ "$opt_sysfs_only" != 1 ]; then
# --- own logic using Phase 2 variables ---
# Helper: collect caveats for the verdict message
_v2_caveats=''
_v2_add_caveat() { _v2_caveats="${_v2_caveats:+$_v2_caveats; }$1"; }
# if we arrive here and didn't already call pvulnstatus, then it's VULN, let's explain why
if [ "$g_pvulnstatus_last_cve" != "$cve" ]; then
# explain what's needed for this CPU
if is_vulnerable_to_empty_rsb; then
pvulnstatus "$cve" VULN "IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability"
explain "To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. You also need a recent-enough kernel that supports RSB filling if you plan to use retpoline. For Skylake+ CPUs, the IBRS + IBPB approach is generally preferred as it guarantees complete protection, and the performance impact is not as high as with older CPUs in comparison with retpoline. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches."
elif is_zen_cpu || is_moksha_cpu; then
pvulnstatus "$cve" VULN "retpoline+IBPB is needed to mitigate the vulnerability"
explain "To mitigate this vulnerability, You need a kernel compiled with retpoline + IBPB support, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode."
elif is_intel || is_amd || is_hygon; then
pvulnstatus "$cve" VULN "IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability"
explain "To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches."
else
# in that case, we might want to trust sysfs if it's there
if [ -n "$msg" ]; then
[ "$msg" = Vulnerable ] && msg="no known mitigation exists for your CPU vendor ($cpu_vendor)"
pvulnstatus "$cve" "$status" "$msg"
else
pvulnstatus "$cve" VULN "no known mitigation exists for your CPU vendor ($cpu_vendor)"
fi
fi
fi
# ARM branch predictor hardening (unchanged)
if [ -n "$bp_harden" ]; then
pvulnstatus "$cve" OK "Branch predictor hardening mitigates the vulnerability"
elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then
pvulnstatus "$cve" VULN "Branch predictor hardening is needed to mitigate the vulnerability"
explain "Your kernel has not been compiled with the CONFIG_UNMAP_KERNEL_AT_EL0 option, recompile it with this option enabled."
# if we are in live mode, we can check for a lot more stuff and explain further
if [ "$opt_live" = 1 ] && [ "$vulnstatus" != "OK" ]; then
explain_hypervisor="An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under a hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix."
# IBPB (amd & intel)
if { [ -z "$g_ibpb_enabled" ] || [ "$g_ibpb_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
if [ -z "$cap_ibpb" ]; then
explain "The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $explain_hypervisor"
# LFENCE-only is always VULN (reclassified in v5.17)
elif [ "$v2_base_mode" = "lfence" ]; then
pvulnstatus "$cve" VULN "LFENCE alone is not a sufficient Spectre v2 mitigation"
explain "LFENCE-based indirect branch mitigation was reclassified as vulnerable starting with Linux v5.17. Use retpoline (spectre_v2=retpoline) or IBRS-based mitigations (spectre_v2=eibrs or spectre_v2=ibrs) instead. If your CPU supports Enhanced IBRS, that is the preferred option."
# eIBRS paths (eibrs / eibrs_lfence / eibrs_retpoline)
elif [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ] || [ "$v2_base_mode" = "eibrs_retpoline" ]; then
_v2_caveats=''
_v2_ok=1
# BHI check: eIBRS alone doesn't protect against BHI
if [ "$v2_bhi_status" = "vulnerable" ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable"
elif [ "$v2_bhi_status" = "unknown" ] && is_intel; then
if [ "$cap_bhi" = 0 ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, no kernel mitigation detected)"
elif [ "$cap_rrsba" != 0 ]; then
_v2_add_caveat "BHI status unknown (kernel may lack BHI mitigation)"
fi
fi
if [ -z "$g_ibpb_supported" ]; then
explain "Your kernel doesn't have IBPB support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel."
# PBRSB check (only matters for VMM hosts)
if [ "$v2_pbrsb_status" = "vulnerable" ]; then
if [ "$g_has_vmm" != 0 ] || [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "PBRSB-eIBRS vulnerable"
fi
fi
if [ -n "$cap_ibpb" ] && [ -n "$g_ibpb_supported" ]; then
if [ -e "$g_specex_knob_dir/g_ibpb_enabled" ]; then
# newer (April 2018) Red Hat kernels have g_ibpb_enabled as ro, and automatically enables it with retpoline
if [ ! -w "$g_specex_knob_dir/g_ibpb_enabled" ] && [ -e "$g_specex_knob_dir/retp_enabled" ]; then
explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You kernel should enable IBPB automatically if you enable retpoline. You may enable it with \`echo 1 > $g_specex_knob_dir/retp_enabled\`."
# AutoIBRS: needs explicit STIBP (does NOT provide implicit cross-thread protection)
if [ "$v2_is_autoibrs" = 1 ] && [ "$smt_enabled" = 0 ]; then
if [ "$v2_stibp_status" = "disabled" ] || [ "$v2_stibp_status" = "unavailable" ]; then
_v2_ok=0
_v2_add_caveat "STIBP not active with SMT on AMD AutoIBRS"
fi
fi
# Vulnerable module check
if [ "$v2_vuln_module" = 1 ]; then
_v2_add_caveat "non-retpoline module loaded"
fi
# Paranoid mode
if [ "$opt_paranoid" = 1 ]; then
if [ "$v2_ibpb_mode" != "always-on" ]; then
_v2_ok=0
_v2_add_caveat "IBPB not always-on"
fi
if [ "$smt_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "SMT enabled"
fi
fi
# eBPF caveat: eIBRS without retpoline is insufficient when unprivileged eBPF is enabled
_ebpf_disabled=''
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
# shellcheck disable=SC2154
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
g_mocked=1
elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
fi
# In paranoid mode, enabled unprivileged eBPF makes eIBRS insufficient
if [ "$_v2_ok" = 1 ] && [ "$_ebpf_disabled" = 0 ] && [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "unprivileged eBPF enabled (eIBRS insufficient)"
fi
fi
# Build the base description
case "$v2_base_mode" in
eibrs) _v2_desc="Enhanced / Automatic IBRS" ;;
eibrs_lfence) _v2_desc="Enhanced / Automatic IBRS + LFENCE" ;;
eibrs_retpoline) _v2_desc="Enhanced / Automatic IBRS + Retpolines" ;;
esac
if [ "$_v2_ok" = 1 ]; then
if [ -n "$_v2_caveats" ]; then
pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability ($_v2_caveats)"
else
pvulnstatus "$cve" OK "$_v2_desc mitigates the vulnerability"
fi
if [ "$v2_base_mode" = "eibrs" ] || [ "$v2_base_mode" = "eibrs_lfence" ]; then
pr_info " NOTE: eIBRS is considered vulnerable by the kernel when unprivileged eBPF is enabled."
if [ "$_ebpf_disabled" = 0 ]; then
pr_info " Unprivileged eBPF is currently ENABLED (kernel.unprivileged_bpf_disabled=0): this system may be vulnerable!"
elif [ "$_ebpf_disabled" = 1 ] || [ "$_ebpf_disabled" = 2 ]; then
pr_info " Unprivileged eBPF is currently disabled (kernel.unprivileged_bpf_disabled=$_ebpf_disabled): eIBRS is sufficient."
else
explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it with \`echo 1 > $g_specex_knob_dir/g_ibpb_enabled\`."
pr_info " Could not read kernel.unprivileged_bpf_disabled, check it manually with \`sysctl kernel.unprivileged_bpf_disabled\`."
fi
fi
else
pvulnstatus "$cve" VULN "$_v2_desc active but insufficient: $_v2_caveats"
explain "Your system uses $_v2_desc but has gaps in sub-mitigations: $_v2_caveats. Update your kernel and microcode to the latest versions. If BHI is vulnerable, a kernel with CONFIG_MITIGATION_SPECTRE_BHI or BHI_DIS_S microcode support is needed. If PBRSB-eIBRS is vulnerable, update the kernel for RSB VM exit mitigation. If STIBP is disabled on AMD AutoIBRS with SMT, add \`spectre_v2_user=on\` or disable SMT with \`nosmt\`. If unprivileged eBPF is enabled, disable it with \`sysctl -w kernel.unprivileged_bpf_disabled=1\`. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\` for IBPB always-on."
fi
# Kernel IBRS path
elif [ "$v2_base_mode" = "ibrs" ]; then
_v2_caveats=''
_v2_ok=1
# IBRS needs IBPB for cross-process protection
if [ "$v2_ibpb_mode" = "disabled" ]; then
_v2_ok=0
_v2_add_caveat "IBPB disabled"
fi
# IBRS needs STIBP or SMT-off for cross-thread protection
if [ "$smt_enabled" = 0 ] && { [ "$v2_stibp_status" = "disabled" ] || [ "$v2_stibp_status" = "unavailable" ]; }; then
_v2_ok=0
_v2_add_caveat "STIBP not active with SMT enabled"
fi
# RSB filling on Skylake+
if is_vulnerable_to_empty_rsb && [ "$rsb_filling" != 1 ]; then
_v2_ok=0
_v2_add_caveat "RSB filling missing on Skylake+"
fi
# BHI check
if [ "$v2_bhi_status" = "vulnerable" ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable"
elif [ "$v2_bhi_status" = "unknown" ] && is_intel && [ "$cap_bhi" = 0 ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, no kernel mitigation detected)"
fi
# Vulnerable module check
if [ "$v2_vuln_module" = 1 ]; then
_v2_add_caveat "non-retpoline module loaded"
fi
# Paranoid mode
if [ "$opt_paranoid" = 1 ]; then
if [ "$v2_ibpb_mode" != "always-on" ]; then
_v2_ok=0
_v2_add_caveat "IBPB not always-on"
fi
if [ "$smt_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "SMT enabled"
fi
fi
if [ "$_v2_ok" = 1 ]; then
pvulnstatus "$cve" OK "IBRS mitigates the vulnerability"
else
pvulnstatus "$cve" VULN "IBRS active but insufficient: $_v2_caveats"
explain "Your system uses kernel IBRS but has gaps: $_v2_caveats. Ensure IBPB is enabled (spectre_v2_user=on or spectre_v2_user=prctl,ibpb). If STIBP is disabled with SMT, add spectre_v2_user=on or disable SMT with \`nosmt\`. If RSB filling is missing, update the kernel. If BHI is vulnerable, update kernel/microcode for BHI mitigation."
fi
# Retpoline path
elif [ "$v2_base_mode" = "retpoline" ]; then
_v2_caveats=''
_v2_ok=1
# Retpoline compiler check
if [ "$retpoline_compiler" = 0 ]; then
_v2_ok=0
_v2_add_caveat "not compiled with retpoline-aware compiler"
fi
# Red Hat runtime disable check
if [ "$retp_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "retpoline disabled at runtime"
fi
# RSB filling on Skylake+ (empty RSB falls back to BTB)
if is_vulnerable_to_empty_rsb && [ "$rsb_filling" != 1 ]; then
_v2_ok=0
_v2_add_caveat "RSB filling missing on Skylake+"
fi
# BHI: retpoline only mitigates BHI if RRSBA is disabled
if [ "$v2_bhi_status" = "vulnerable" ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable"
elif [ "$v2_bhi_status" = "unknown" ] && is_intel; then
if [ "$cap_bhi" = 0 ] && [ "$cap_rrsba" = 1 ]; then
_v2_ok=0
_v2_add_caveat "BHI vulnerable (no BHI_DIS_S hardware support, RRSBA bypasses retpoline)"
elif [ "$cap_rrsba" = 1 ]; then
_v2_add_caveat "BHI status unknown with RRSBA"
fi
fi
# Vulnerable module
if [ "$v2_vuln_module" = 1 ]; then
_v2_ok=0
_v2_add_caveat "non-retpoline module loaded"
fi
# IBPB check: retpoline without IBPB is weaker
if [ "$v2_ibpb_mode" = "disabled" ] || { [ -z "$g_ibpb_enabled" ] || [ "$g_ibpb_enabled" = 0 ]; }; then
if [ "$opt_paranoid" = 1 ]; then
_v2_ok=0
_v2_add_caveat "IBPB disabled"
else
_v2_add_caveat "IBPB disabled (recommended)"
fi
fi
# Paranoid mode: require SMT off, IBPB always-on
if [ "$opt_paranoid" = 1 ]; then
if [ "$v2_ibpb_mode" != "always-on" ] && [ "$v2_ibpb_mode" != "disabled" ]; then
_v2_ok=0
_v2_add_caveat "IBPB not always-on"
fi
if [ "$smt_enabled" = 0 ]; then
_v2_ok=0
_v2_add_caveat "SMT enabled"
fi
fi
if [ "$_v2_ok" = 1 ]; then
if [ -n "$_v2_caveats" ]; then
pvulnstatus "$cve" OK "Retpolines mitigate the vulnerability ($_v2_caveats)"
if echo "$_v2_caveats" | grep -q 'IBPB'; then
if [ -n "$cap_ibpb" ]; then
pr_warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation"
else
pr_warn "IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it"
fi
fi
else
explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this."
pvulnstatus "$cve" OK "Retpolines + IBPB mitigate the vulnerability"
fi
else
pvulnstatus "$cve" VULN "Retpoline active but insufficient: $_v2_caveats"
explain "Your system uses retpoline but has gaps: $_v2_caveats. Ensure the kernel was compiled with a retpoline-aware compiler. Enable IBPB (spectre_v2_user=on). If RSB filling is missing on Skylake+, update the kernel. If BHI is vulnerable, update kernel/microcode. In paranoid mode, disable SMT with \`nosmt\` and set \`spectre_v2_user=on\`."
fi
elif [ "$g_ibpb_enabled" = 2 ] && is_cpu_smt_enabled; then
explain "You have g_ibpb_enabled set to 2, but it only offers sufficient protection when simultaneous multi-threading (aka SMT or HyperThreading) is disabled. You should reboot your system with the kernel parameter \`nosmt\`."
fi
# /IBPB
# IBRS (amd & intel)
if { [ -z "$g_ibrs_enabled" ] || [ "$g_ibrs_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
if [ -z "$cap_ibrs" ]; then
explain "The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $explain_hypervisor"
# Legacy fallback: IBRS+IBPB from debugfs on old systems without sysfs
elif [ -n "$g_ibrs_enabled" ] && [ "$g_ibrs_enabled" -ge 1 ] 2>/dev/null && [ -n "$g_ibpb_enabled" ] && [ "$g_ibpb_enabled" -ge 1 ] 2>/dev/null; then
if [ "$g_ibrs_enabled" = 4 ]; then
pvulnstatus "$cve" OK "Enhanced IBRS + IBPB are mitigating the vulnerability"
else
pvulnstatus "$cve" OK "IBRS + IBPB are mitigating the vulnerability"
fi
if [ -z "$g_ibrs_supported" ]; then
explain "Your kernel doesn't have IBRS support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel."
elif [ "$g_ibpb_enabled" = 2 ] && [ "$smt_enabled" != 0 ]; then
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
# Offline mode fallback
elif [ "$opt_live" != 1 ]; then
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then
pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS"
elif [ "$g_ibrs_can_tell" != 1 ]; then
pvulnstatus "$cve" UNK "offline mode: not enough information"
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
fi
if [ -n "$cap_ibrs" ] && [ -n "$g_ibrs_supported" ]; then
if [ -e "$g_specex_knob_dir/g_ibrs_enabled" ]; then
explain "Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it with \`echo 1 > $g_specex_knob_dir/g_ibrs_enabled\`."
fi
# Catch-all: if no verdict was reached above, it's VULN
if [ "$g_pvulnstatus_last_cve" != "$cve" ]; then
if is_intel || is_amd || is_hygon; then
pvulnstatus "$cve" VULN "Your CPU is affected and no sufficient mitigation was detected"
explain "To mitigate this vulnerability, you need one of: (1) Enhanced IBRS / Automatic IBRS (eIBRS) -- requires CPU microcode support; preferred for modern CPUs. (2) Kernel IBRS (spectre_v2=ibrs) + IBPB -- requires IBRS-capable microcode. (3) Retpoline (spectre_v2=retpoline) + IBPB -- requires a retpoline-aware compiler and IBPB-capable microcode. For Skylake+ CPUs, options 1 or 2 are preferred as retpoline needs RSB filling. Update your kernel and CPU microcode to the latest versions."
else
if [ "$sys_interface_available" = 1 ]; then
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
else
explain "Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this."
pvulnstatus "$cve" VULN "no known mitigation exists for your CPU vendor ($cpu_vendor)"
fi
fi
fi
# /IBRS
unset explain_hypervisor
# RETPOLINE (amd & intel &hygon )
if is_amd || is_intel || is_hygon; then
if [ "$retpoline" = 0 ]; then
explain "Your kernel is not compiled with retpoline support, so you need to either upgrade your kernel (if you're using a distro) or recompile your kernel with the CONFIG_MITIGATION_RETPOLINE option enabled (was named CONFIG_RETPOLINE before kernel 6.9-rc1). You also need to compile your kernel with a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware)."
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 0 ]; then
explain "Your kernel is compiled with retpoline, but without a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware)."
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" = 0 ]; then
explain "Your kernel has retpoline support and has been compiled with a retpoline-aware compiler, but retpoline is disabled. You should enable it with \`echo 1 > $g_specex_knob_dir/retp_enabled\`."
fi
fi
# /RETPOLINE
else
# --sysfs-only: Phase 2 variables are unset, fall back to the
# raw sysfs result (status + fullmsg were set in Phase 1).
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
# msg was explicitly set by the "sysfs not available" elif above.
pvulnstatus "$cve" "$status" "$msg"
fi
# sysfs msgs:
#1 "Vulnerable"
#2 "Vulnerable: Minimal generic ASM retpoline"
#2 "Vulnerable: Minimal AMD ASM retpoline"
# "Mitigation: Full generic retpoline"
# "Mitigation: Full AMD retpoline"
# $MITIGATION + ", IBPB"
# $MITIGATION + ", IBRS_FW"
#5 $MITIGATION + " - vulnerable module loaded"
# Red Hat only:
#2 "Vulnerable: Minimal ASM retpoline",
#3 "Vulnerable: Retpoline without IBPB",
#4 "Vulnerable: Retpoline on Skylake+",
#5 "Vulnerable: Retpoline with unsafe module(s)",
# "Mitigation: Full retpoline",
# "Mitigation: Full retpoline and IBRS (user space)",
# "Mitigation: IBRS (kernel)",
# "Mitigation: IBRS (kernel and user space)",
# "Mitigation: IBP disabled",
}
# CVE-2017-5715 Spectre Variant 2 (branch target injection) - BSD mitigation check
# Sets: vulnstatus
check_CVE_2017_5715_bsd() {
local ibrs_disabled ibrs_active retpoline nb_thunks
pr_info "* Mitigation 1"

20
src/vulns/CVE-2018-12207.sh
View File

@@ -64,17 +64,23 @@ check_CVE_2018_12207_linux() {
pvulnstatus "$cve" OK "this system is not running a hypervisor"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
else
if [ -n "$kernel_itlbmh" ]; then
pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
else
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
else
if [ -n "$kernel_itlbmh" ]; then
pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
else
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
fi
fi
else
# --sysfs-only: sysfs was available (otherwise msg would be set), use its result
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
# msg was set explicitly: either sysfs-not-available error, or a sysfs override
pvulnstatus "$cve" "$status" "$msg"
fi
}

16
src/vulns/CVE-2018-3620.sh
View File

@@ -63,16 +63,22 @@ check_CVE_2018_3620_linux() {
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$pteinv_supported" = 1 ]; then
if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$pteinv_supported" = 1 ]; then
if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
else
pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
fi
else
pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
fi
else
pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
# --sysfs-only: sysfs was available (otherwise msg would be set), use its result
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
# msg was set explicitly: either sysfs-not-available error, or a sysfs override
pvulnstatus "$cve" "$status" "$msg"
fi
}

115
src/vulns/CVE-2018-3646.sh
View File

@@ -13,6 +13,53 @@ check_CVE_2018_3646_linux() {
if sys_interface_check "$VULN_SYSFS_BASE/l1tf" '.*' quiet; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
# quiet mode doesn't set ret_sys_interface_check_status, derive it ourselves.
#
# Complete sysfs message inventory for l1tf, traced via git blame
# on mainline (~/linux) and stable (~/linux-stable):
#
# all versions:
# "Not affected" (cpu_show_common, d1059518b4789)
# "Vulnerable" (cpu_show_common fallthrough, d1059518b4789)
#
# --- mainline ---
# 17dbca119312 (v4.18-rc1, initial l1tf sysfs):
# "Mitigation: Page Table Inversion"
# 72c6d2db64fa (v4.18-rc1, renamed + added VMX reporting):
# "Mitigation: PTE Inversion" (no KVM_INTEL, or VMX=AUTO)
# "Mitigation: PTE Inversion; VMX: SMT <smt>, L1D <flush>" (KVM_INTEL enabled)
# <flush>: auto | vulnerable | conditional cache flushes | cache flushes
# a7b9020b06ec (v4.18-rc1, added EPT disabled state):
# <flush>: + EPT disabled
# ea156d192f52 (v4.18-rc7, reordered VMX/SMT fields):
# "Mitigation: PTE Inversion; VMX: EPT disabled" (no SMT part)
# "Mitigation: PTE Inversion; VMX: vulnerable" (NEVER + SMT active, no SMT part)
# "Mitigation: PTE Inversion; VMX: <flush>, SMT <smt>" (all other cases)
# 8e0b2b916662 (v4.18, added flush not necessary):
# <flush>: + flush not necessary
# 130d6f946f6f (v4.20-rc4, no string change):
# SMT detection changed from cpu_smt_control to sched_smt_active()
#
# --- stable backports ---
# 4.4.y: no VMX reporting (only "PTE Inversion" / "Vulnerable" / "Not affected").
# initially backported as "Page Table Inversion" (bf0cca01b873),
# renamed to "PTE Inversion" in stable-only commit 6db8c0882912 (May 2019).
# 4.9.y, 4.14.y: full VMX reporting, post-reorder format.
# the pre-reorder format ("SMT <smt>, L1D <flush>") and the post-reorder
# format ("VMX: <flush>, SMT <smt>") landed in the same stable release
# (4.9.120, 4.14.63), so no stable release ever shipped the pre-reorder format.
# sched_smt_active() backported (same strings, different runtime behavior).
# 4.17.y, 4.18.y: full VMX reporting, post-reorder format.
# still uses cpu_smt_control (sched_smt_active() not backported to these EOL branches).
#
# <smt> is one of: vulnerable | disabled
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
if echo "$ret_sys_interface_check_fullmsg" | grep -qEi '^(Not affected|Mitigation)'; then
status=OK
elif echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Vulnerable'; then
status=VULN
fi
fi
l1d_mode=-1
if [ "$opt_sysfs_only" != 1 ]; then
@@ -142,40 +189,48 @@ check_CVE_2018_3646_linux() {
elif [ "$ret_sys_interface_check_fullmsg" = "Not affected" ]; then
# just in case a very recent kernel knows better than we do
pvulnstatus "$cve" OK "your kernel reported your CPU model as not affected"
elif [ "$g_has_vmm" = 0 ]; then
pvulnstatus "$cve" OK "this system is not running a hypervisor"
else
if [ "$ept_disabled" = 1 ]; then
pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
elif [ "$opt_paranoid" = 0 ]; then
if [ "$l1d_mode" -ge 1 ]; then
pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
elif [ -z "$msg" ]; then
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$g_has_vmm" = 0 ]; then
pvulnstatus "$cve" OK "this system is not running a hypervisor"
elif [ "$ept_disabled" = 1 ]; then
pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
elif [ "$opt_paranoid" = 0 ]; then
if [ "$l1d_mode" -ge 1 ]; then
pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
else
pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
fi
else
pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
if [ "$l1d_mode" -ge 2 ]; then
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
else
pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
fi
else
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
else
pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
fi
fi
fi
if [ "$l1d_mode" -gt 3 ]; then
pr_warn
pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
pr_warn
pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
fi
else
if [ "$l1d_mode" -ge 2 ]; then
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
else
pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
fi
else
if [ "$smt_enabled" = 1 ]; then
pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
else
pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
fi
fi
fi
if [ "$l1d_mode" -gt 3 ]; then
pr_warn
pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
pr_warn
pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
# --sysfs-only: sysfs was available (otherwise msg would be set), use its result
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
# msg was set explicitly: either sysfs-not-available error, or a sysfs override
pvulnstatus "$cve" "$status" "$msg"
fi
}

55
src/vulns/CVE-2019-11135.sh
View File

@@ -87,10 +87,57 @@ check_CVE_2019_11135_linux() {
# CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check
check_CVE_2019_11135_bsd() {
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
local taa_enable taa_state mds_disable kernel_taa kernel_mds
pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): "
taa_enable=$(sysctl -n machdep.mitigations.taa.enable 2>/dev/null)
if [ -n "$taa_enable" ]; then
kernel_taa=1
case "$taa_enable" in
0) pstatus yellow YES "disabled" ;;
1) pstatus green YES "TSX disabled via MSR" ;;
2) pstatus green YES "VERW mitigation" ;;
3) pstatus green YES "auto" ;;
*) pstatus yellow YES "unknown value: $taa_enable" ;;
esac
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
kernel_taa=0
pstatus yellow NO
fi
pr_info_nol "* TAA mitigation state: "
taa_state=$(sysctl -n machdep.mitigations.taa.state 2>/dev/null)
if [ -n "$taa_state" ]; then
if echo "$taa_state" | grep -qi 'not.affected\|mitigation'; then
pstatus green YES "$taa_state"
else
pstatus yellow NO "$taa_state"
fi
else
# fallback: TAA is also mitigated by MDS VERW if enabled
mds_disable=$(sysctl -n hw.mds_disable 2>/dev/null)
if [ -z "$mds_disable" ]; then
mds_disable=$(sysctl -n machdep.mitigations.mds.disable 2>/dev/null)
fi
if [ -n "$mds_disable" ] && [ "$mds_disable" != 0 ]; then
kernel_mds=1
pstatus green YES "MDS VERW mitigation active (also covers TAA)"
else
kernel_mds=0
pstatus yellow NO "no TAA or MDS sysctl found"
fi
fi
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ "$kernel_taa" = 1 ] && [ "$taa_enable" != 0 ]; then
pvulnstatus "$cve" OK "TAA mitigation is enabled"
elif [ "$kernel_mds" = 1 ]; then
pvulnstatus "$cve" OK "MDS VERW mitigation is active and also covers TAA"
elif [ "$kernel_taa" = 1 ] && [ "$taa_enable" = 0 ]; then
pvulnstatus "$cve" VULN "TAA mitigation is supported but disabled"
explain "To enable TAA mitigation, run \`sysctl machdep.mitigations.taa.enable=3' for auto mode.\n " \
"To make this persistent, add 'machdep.mitigations.taa.enable=3' to /etc/sysctl.conf."
else
pvulnstatus "$cve" VULN "your kernel doesn't support TAA mitigation, update it"
fi
}

41
src/vulns/CVE-2020-0543.sh
View File

@@ -105,11 +105,44 @@ check_CVE_2020_0543_linux() {
}
# CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
# FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS
check_CVE_2020_0543_bsd() {
if ! is_cpu_affected "$cve"; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
local rngds_enable rngds_state kernel_rngds
pr_info_nol "* Kernel supports SRBDS mitigation (machdep.mitigations.rngds.enable): "
rngds_enable=$(sysctl -n machdep.mitigations.rngds.enable 2>/dev/null)
if [ -n "$rngds_enable" ]; then
kernel_rngds=1
case "$rngds_enable" in
0) pstatus yellow YES "optimized (RDRAND/RDSEED not locked, faster but vulnerable)" ;;
1) pstatus green YES "mitigated" ;;
*) pstatus yellow YES "unknown value: $rngds_enable" ;;
esac
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
kernel_rngds=0
pstatus yellow NO
fi
pr_info_nol "* SRBDS mitigation state: "
rngds_state=$(sysctl -n machdep.mitigations.rngds.state 2>/dev/null)
if [ -n "$rngds_state" ]; then
if echo "$rngds_state" | grep -qi 'not.affected\|mitigat'; then
pstatus green YES "$rngds_state"
else
pstatus yellow NO "$rngds_state"
fi
else
pstatus yellow NO "sysctl not available"
fi
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 1 ]; then
pvulnstatus "$cve" OK "SRBDS mitigation is enabled"
elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 0 ]; then
pvulnstatus "$cve" VULN "SRBDS mitigation is supported but set to optimized mode (disabled for RDRAND/RDSEED)"
explain "To enable full SRBDS mitigation, run \`sysctl machdep.mitigations.rngds.enable=1'.\n " \
"To make this persistent, add 'machdep.mitigations.rngds.enable=1' to /etc/sysctl.conf."
else
pvulnstatus "$cve" VULN "your kernel doesn't support SRBDS mitigation, update it"
fi
}

9
src/vulns/CVE-2022-40982.sh
View File

@@ -97,3 +97,12 @@ check_CVE_2022_40982_linux() {
pvulnstatus "$cve" "$status" "$msg"
fi
}
# CVE-2022-40982 Downfall (gather data sampling) - BSD mitigation check
check_CVE_2022_40982_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}

106
src/vulns/CVE-2023-20569.sh
View File

@@ -18,6 +18,15 @@ check_CVE_2023_20569_linux() {
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
status=$ret_sys_interface_check_status
# kernels before the fix from dc6306ad5b0d (v6.6-rc6, backported to v6.5.6)
# incorrectly reported "Mitigation: safe RET, no microcode" as mitigated,
# when in fact userspace is still vulnerable because IBPB doesn't flush
# branch type predictions without the extending microcode.
# override the sysfs status in that case.
if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Mitigation:.*safe RET.*no microcode'; then
status=VULN
msg="Vulnerable: Safe RET, no microcode (your kernel incorrectly reports this as mitigated, it was fixed in more recent kernels)"
fi
fi
if [ "$opt_sysfs_only" != 1 ]; then
@@ -54,9 +63,9 @@ check_CVE_2023_20569_linux() {
# if it's present, then SRSO is NOT compiled in
pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_SRSO"
else
# if it's not present, then SRSO is compiled in IF kernel_sro==1, otherwise we're just
# if it's not present, then SRSO is compiled in IF kernel_sro is set, otherwise we're just
# in front of an old kernel that doesn't have the mitigation logic at all
if [ "$kernel_sro" = 1 ]; then
if [ -n "$kernel_sro" ]; then
kernel_srso="SRSO mitigation logic is compiled in the kernel"
pstatus green OK "$kernel_srso"
else
@@ -65,6 +74,21 @@ check_CVE_2023_20569_linux() {
fi
fi
# check whether the running kernel has the corrected SRSO reporting
# (dc6306ad5b0d, v6.6-rc6, backported to v6.5.6): kernels with the fix
# contain the string "Vulnerable: Safe RET, no microcode" in their image,
# while older kernels only have "safe RET" (and append ", no microcode" dynamically).
pr_info_nol "* Kernel has accurate SRSO reporting: "
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif grep -q 'Vulnerable: Safe RET, no microcode' "$g_kernel"; then
pstatus green YES
elif [ -n "$kernel_sro" ]; then
pstatus yellow NO "your kernel reports partial SRSO mitigations as fully mitigated, upgrade recommended"
else
pstatus yellow NO "your kernel is too old and doesn't have the SRSO mitigation logic"
fi
pr_info_nol "* Kernel compiled with IBPB_ENTRY support: "
if [ -r "$opt_config" ]; then
# CONFIG_CPU_IBPB_ENTRY: Linux < 6.9
@@ -84,9 +108,9 @@ check_CVE_2023_20569_linux() {
# if it's present, then IBPB_ENTRY is NOT compiled in
pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_IBPB_ENTRY"
else
# if it's not present, then IBPB_ENTRY is compiled in IF kernel_sro==1, otherwise we're just
# if it's not present, then IBPB_ENTRY is compiled in IF kernel_sro is set, otherwise we're just
# in front of an old kernel that doesn't have the mitigation logic at all
if [ "$kernel_sro" = 1 ]; then
if [ -n "$kernel_sro" ]; then
kernel_ibpb_entry="IBPB_ENTRY mitigation logic is compiled in the kernel"
pstatus green OK "$kernel_ibpb_entry"
else
@@ -134,37 +158,59 @@ check_CVE_2023_20569_linux() {
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, so we rely on our own logic
# Zen/Zen2
if [ "$cpu_family" = $((0x17)) ]; then
if [ "$smt_enabled" = 0 ]; then
pvulnstatus "$cve" VULN "SMT is enabled on your Zen/Zen2 CPU, which makes mitigation ineffective"
explain "For Zen/Zen2 CPUs, proper mitigation needs an up to date microcode, and SMT needs to be disabled (this can be done by adding \`nosmt\` to your kernel command line)"
elif [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -n "$cap_ibpb" ]; then
pvulnstatus "$cve" OK "SMT is disabled and both your kernel and microcode support mitigation"
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
# Zen/Zen2
if [ "$cpu_family" = $((0x17)) ]; then
if [ "$smt_enabled" = 0 ]; then
pvulnstatus "$cve" VULN "SMT is enabled on your Zen/Zen2 CPU, which makes mitigation ineffective"
explain "For Zen/Zen2 CPUs, proper mitigation needs an up to date microcode, and SMT needs to be disabled (this can be done by adding \`nosmt\` to your kernel command line)"
elif [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -n "$cap_ibpb" ]; then
pvulnstatus "$cve" OK "SMT is disabled and both your kernel and microcode support mitigation"
else
pvulnstatus "$cve" VULN "Your microcode is too old"
fi
# Zen3/Zen4
elif [ "$cpu_family" = $((0x19)) ]; then
if [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -z "$kernel_srso" ] && [ -z "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" VULN "Your kernel doesn't have either SRSO or IBPB_ENTRY compiled-in"
elif [ "$cap_sbpb" = 3 ]; then
pvulnstatus "$cve" UNK "Couldn't verify if your microcode supports IBPB (rerun with --allow-msr-write)"
elif [ "$cap_sbpb" = 2 ]; then
pvulnstatus "$cve" VULN "Your microcode doesn't support SBPB"
else
pvulnstatus "$cve" OK "Your kernel and microcode both support mitigation"
fi
else
pvulnstatus "$cve" VULN "Your microcode is too old"
fi
# Zen3/Zen4
elif [ "$cpu_family" = $((0x19)) ]; then
if [ -z "$kernel_sro" ]; then
pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
elif [ -z "$kernel_srso" ] && [ -z "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" VULN "Your kernel doesn't have either SRSO or IBPB_ENTRY compiled-in"
elif [ "$cap_sbpb" = 3 ]; then
pvulnstatus "$cve" UNK "Couldn't verify if your microcode supports IBPB (rerun with --allow-msr-write)"
elif [ "$cap_sbpb" = 2 ]; then
pvulnstatus "$cve" VULN "Your microcode doesn't support SBPB"
else
pvulnstatus "$cve" OK "Your kernel and microcode both support mitigation"
# not supposed to happen, as normally this CPU should not be affected and not run this code
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
fi
else
# not supposed to happen, as normally this CPU should not be affected and not run this code
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
fi
else
pvulnstatus "$cve" "$status" "$msg"
if echo "$msg" | grep -qi 'your kernel incorrectly reports this as mitigated'; then
explain "Your kernel's /sys interface reports 'Mitigation: safe RET, no microcode' for the SRSO vulnerability.\n" \
"This was a bug in the kernel's reporting (fixed in v6.5.6/v6.6-rc6, commit dc6306ad5b0d):\n" \
"the Safe RET mitigation alone only protects the kernel from userspace attacks, but without\n" \
"the IBPB-extending microcode, userspace itself remains vulnerable because IBPB doesn't flush\n" \
"branch type predictions. Newer kernels correctly report this as 'Vulnerable: Safe RET, no microcode'.\n" \
"To fully mitigate, you need both the Safe RET kernel support AND an updated CPU microcode.\n" \
"Updating your kernel to v6.5.6+ or v6.6+ will also give you accurate vulnerability reporting."
fi
fi
}
# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - BSD mitigation check
check_CVE_2023_20569_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}

54
src/vulns/CVE-2023-20593.sh
View File

@@ -118,3 +118,57 @@ check_CVE_2023_20593_linux() {
pvulnstatus "$cve" "$status" "$msg"
fi
}
# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
check_CVE_2023_20593_bsd() {
local zenbleed_enable zenbleed_state kernel_zenbleed
pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "
zenbleed_enable=$(sysctl -n machdep.mitigations.zenbleed.enable 2>/dev/null)
if [ -n "$zenbleed_enable" ]; then
kernel_zenbleed=1
case "$zenbleed_enable" in
0) pstatus yellow YES "force disabled" ;;
1) pstatus green YES "force enabled" ;;
2) pstatus green YES "automatic (default)" ;;
*) pstatus yellow YES "unknown value: $zenbleed_enable" ;;
esac
else
kernel_zenbleed=0
pstatus yellow NO
fi
pr_info_nol "* Zenbleed mitigation state: "
zenbleed_state=$(sysctl -n machdep.mitigations.zenbleed.state 2>/dev/null)
if [ -n "$zenbleed_state" ]; then
if echo "$zenbleed_state" | grep -qi 'not.applicable\|mitigation.enabled'; then
pstatus green YES "$zenbleed_state"
elif echo "$zenbleed_state" | grep -qi 'mitigation.disabled'; then
pstatus yellow NO "$zenbleed_state"
else
pstatus yellow UNKNOWN "$zenbleed_state"
fi
else
pstatus yellow NO "sysctl not available"
fi
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" != 0 ]; then
if [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'mitigation.enabled'; then
pvulnstatus "$cve" OK "Zenbleed mitigation is enabled ($zenbleed_state)"
elif [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'not.applicable'; then
pvulnstatus "$cve" OK "Zenbleed mitigation not applicable to this CPU ($zenbleed_state)"
else
pvulnstatus "$cve" OK "Zenbleed mitigation is enabled"
fi
elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" = 0 ]; then
pvulnstatus "$cve" VULN "Zenbleed mitigation is supported but force disabled"
explain "To re-enable Zenbleed mitigation, run \`sysctl machdep.mitigations.zenbleed.enable=2' for automatic mode.\n " \
"To make this persistent, add 'machdep.mitigations.zenbleed.enable=2' to /etc/sysctl.conf."
else
pvulnstatus "$cve" VULN "your kernel doesn't support Zenbleed mitigation, update it"
explain "Your CPU vendor may also have a new microcode for your CPU model that mitigates this issue.\n " \
"Updating to FreeBSD 14.0 or later will provide kernel-level Zenbleed mitigation via the\n " \
"machdep.mitigations.zenbleed sysctl."
fi
}

9
src/vulns/CVE-2023-23583.sh
View File

@@ -30,3 +30,12 @@ check_CVE_2023_23583_linux() {
fi
fi
}
# CVE-2023-23583 Reptar (redundant prefix issue) - BSD mitigation check
check_CVE_2023_23583_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}

67
src/vulns/CVE-2024-36350.sh
View File

@@ -9,7 +9,7 @@ check_CVE_2024_36350() {
# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - Linux mitigation check
check_CVE_2024_36350_linux() {
local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled ret
local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled
status=UNK
sys_interface_available=0
msg=''
@@ -17,10 +17,57 @@ check_CVE_2024_36350_linux() {
if sys_interface_check "$VULN_SYSFS_BASE/tsa"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
#
# Complete sysfs message inventory for tsa
#
# all versions:
# "Not affected" (cpu_show_common, pre-existing)
#
# --- mainline ---
# d8010d4ba43e (v6.16-rc6, initial TSA sysfs):
# "Vulnerable" (TSA_MITIGATION_NONE)
# "Vulnerable: No microcode" (TSA_MITIGATION_UCODE_NEEDED)
# "Mitigation: Clear CPU buffers: user/kernel boundary" (TSA_MITIGATION_USER_KERNEL)
# "Mitigation: Clear CPU buffers: VM" (TSA_MITIGATION_VM)
# "Mitigation: Clear CPU buffers" (TSA_MITIGATION_FULL)
# 6b21d2f0dc73 (v6.17-rc1, attack vector controls):
# no string changes; only mitigation selection logic changed
# (AUTO can now resolve to USER_KERNEL or VM based on attack vector config)
#
# --- stable backports ---
# 6.16.y: d8010d4ba43e (same as mainline), same strings.
# 6.17.y: has 6b21d2f0dc73 (attack vector controls), same strings.
# 5.10.y (78192f511f40), 5.15.y (f2b75f1368af), 6.1.y (d12145e8454f),
# 6.6.y (90293047df18), 6.12.y (7a0395f6607a), 6.15.y (ab0f6573b211):
# different UCODE_NEEDED string:
# "Vulnerable: Clear CPU buffers attempted, no microcode" (TSA_MITIGATION_UCODE_NEEDED)
# all other strings identical to mainline.
# default is FULL (no AUTO enum); USER_KERNEL/VM only via cmdline tsa=user/tsa=vm.
# VM-forced mitigation: when UCODE_NEEDED and running in a VM, forces FULL
# (stable-only logic, not in mainline).
#
# --- RHEL/CentOS ---
# rocky9 (5.14-based), rocky10 (6.12-based): same strings as mainline.
# "Vulnerable: No microcode" for UCODE_NEEDED (matches mainline, NOT the stable variant).
# rocky8 (4.18-based), centos7 (3.10-based): no TSA support.
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm
# Override: when running as a hypervisor, "user/kernel boundary" mode
# (tsa=user) leaves the VM exit boundary uncovered — guests can exploit
# TSA to leak host data. The kernel correctly reports its own mode, but
# the script must flag this as insufficient for a VMM host.
if [ "$sys_interface_available" = 1 ] && [ "$g_has_vmm" != 0 ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'user/kernel boundary'; then
status=VULN
msg="Vulnerable: TSA mitigation limited to user/kernel boundary (tsa=user), VM exit boundary is not covered"
fi
fi
pr_info_nol "* Kernel supports TSA mitigation: "
kernel_tsa=''
kernel_tsa_err=''
@@ -35,8 +82,8 @@ check_CVE_2024_36350_linux() {
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi
fi
if [ -z "$kernel_tsa" ] && [ -n "$g_kernel_map" ]; then
if grep -q 'tsa_select_mitigation' "$g_kernel_map"; then
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then
kernel_tsa="found tsa_select_mitigation in System.map"
fi
fi
@@ -112,5 +159,19 @@ check_CVE_2024_36350_linux() {
fi
else
pvulnstatus "$cve" "$status" "$msg"
if echo "$msg" | grep -q 'VM exit boundary'; then
explain "This system runs a hypervisor but TSA mitigation only clears CPU buffers at\n " \
"user/kernel transitions (tsa=user). Guests can exploit TSA to leak host data\n " \
"across VM exit. Use \`tsa=on\` (or remove \`tsa=user\`) to cover both boundaries."
fi
fi
}
# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - BSD mitigation check
check_CVE_2024_36350_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}

74
src/vulns/CVE-2024-36357.sh
View File

@@ -9,7 +9,7 @@ check_CVE_2024_36357() {
# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
check_CVE_2024_36357_linux() {
local status sys_interface_available msg kernel_tsa kernel_tsa_err ret
local status sys_interface_available msg kernel_tsa kernel_tsa_err
status=UNK
sys_interface_available=0
msg=''
@@ -17,10 +17,57 @@ check_CVE_2024_36357_linux() {
if sys_interface_check "$VULN_SYSFS_BASE/tsa"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
#
# Complete sysfs message inventory for tsa
#
# all versions:
# "Not affected" (cpu_show_common, pre-existing)
#
# --- mainline ---
# d8010d4ba43e (v6.16-rc6, initial TSA sysfs):
# "Vulnerable" (TSA_MITIGATION_NONE)
# "Vulnerable: No microcode" (TSA_MITIGATION_UCODE_NEEDED)
# "Mitigation: Clear CPU buffers: user/kernel boundary" (TSA_MITIGATION_USER_KERNEL)
# "Mitigation: Clear CPU buffers: VM" (TSA_MITIGATION_VM)
# "Mitigation: Clear CPU buffers" (TSA_MITIGATION_FULL)
# 6b21d2f0dc73 (v6.17-rc1, attack vector controls):
# no string changes; only mitigation selection logic changed
# (AUTO can now resolve to USER_KERNEL or VM based on attack vector config)
#
# --- stable backports ---
# 6.16.y: d8010d4ba43e (same as mainline), same strings.
# 6.17.y: has 6b21d2f0dc73 (attack vector controls), same strings.
# 5.10.y (78192f511f40), 5.15.y (f2b75f1368af), 6.1.y (d12145e8454f),
# 6.6.y (90293047df18), 6.12.y (7a0395f6607a), 6.15.y (ab0f6573b211):
# different UCODE_NEEDED string:
# "Vulnerable: Clear CPU buffers attempted, no microcode" (TSA_MITIGATION_UCODE_NEEDED)
# all other strings identical to mainline.
# default is FULL (no AUTO enum); USER_KERNEL/VM only via cmdline tsa=user/tsa=vm.
# VM-forced mitigation: when UCODE_NEEDED and running in a VM, forces FULL
# (stable-only logic, not in mainline).
#
# --- RHEL/CentOS ---
# rocky9 (5.14-based), rocky10 (6.12-based): same strings as mainline.
# "Vulnerable: No microcode" for UCODE_NEEDED (matches mainline, NOT the stable variant).
# rocky8 (4.18-based), centos7 (3.10-based): no TSA support.
#
# all messages start with either "Not affected", "Mitigation", or "Vulnerable"
status=$ret_sys_interface_check_status
fi
if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm
# Override: when running as a hypervisor, "user/kernel boundary" mode
# (tsa=user) leaves the VM exit boundary uncovered — guests can exploit
# TSA to leak host data. The kernel correctly reports its own mode, but
# the script must flag this as insufficient for a VMM host.
if [ "$sys_interface_available" = 1 ] && [ "$g_has_vmm" != 0 ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'user/kernel boundary'; then
status=VULN
msg="Vulnerable: TSA mitigation limited to user/kernel boundary (tsa=user), VM exit boundary is not covered"
fi
fi
pr_info_nol "* Kernel supports TSA mitigation: "
kernel_tsa=''
kernel_tsa_err=''
@@ -35,8 +82,8 @@ check_CVE_2024_36357_linux() {
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi
fi
if [ -z "$kernel_tsa" ] && [ -n "$g_kernel_map" ]; then
if grep -q 'tsa_select_mitigation' "$g_kernel_map"; then
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then
kernel_tsa="found tsa_select_mitigation in System.map"
fi
fi
@@ -78,6 +125,13 @@ check_CVE_2024_36357_linux() {
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then
# No --paranoid SMT check here, unlike TSA-SQ (CVE-2024-36350).
# The kernel's cpu_bugs_smt_update() enables cpu_buf_idle_clear
# (VERW before idle) specifically for TSA-SQ cross-thread leakage,
# with the comment "TSA-SQ can potentially lead to info leakage
# between SMT threads" — TSA-L1 is not mentioned. Until the kernel
# flags TSA-L1 as having cross-thread SMT exposure, we follow its
# assessment and do not require SMT disabled in paranoid mode.
if [ "$cap_verw_clear" = 1 ] && [ -n "$kernel_tsa" ]; then
pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
elif [ "$cap_verw_clear" = 1 ]; then
@@ -98,5 +152,19 @@ check_CVE_2024_36357_linux() {
fi
else
pvulnstatus "$cve" "$status" "$msg"
if echo "$msg" | grep -q 'VM exit boundary'; then
explain "This system runs a hypervisor but TSA mitigation only clears CPU buffers at\n " \
"user/kernel transitions (tsa=user). Guests can exploit TSA to leak host data\n " \
"across VM exit. Use \`tsa=on\` (or remove \`tsa=user\`) to cover both boundaries."
fi
fi
}
# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - BSD mitigation check
check_CVE_2024_36357_bsd() {
if ! is_cpu_affected "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
else
pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
fi
}