1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Tim Chen <tim.c.chen@linux.intel.com> | |
3 | Date: Tue, 14 Nov 2017 17:16:30 -0800 | |
4 | Subject: [PATCH] x86/entry: Stuff RSB for entry to kernel for non-SMEP | |
5 | platform | |
6 | MIME-Version: 1.0 | |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | CVE-2017-5753 | |
11 | CVE-2017-5715 | |
12 | ||
13 | Stuff RSB to prevent RSB underflow on non-SMEP platform. | |
14 | ||
15 | Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> | |
16 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
17 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
18 | (cherry picked from commit b82785ac1d33ce219c77d72b7bd80a21e1441ac8) | |
19 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
20 | --- | |
21 | arch/x86/include/asm/spec_ctrl.h | 71 ++++++++++++++++++++++++++++++++++++++++ | |
22 | arch/x86/entry/entry_64.S | 18 ++++++++-- | |
23 | arch/x86/entry/entry_64_compat.S | 4 +++ | |
24 | 3 files changed, 91 insertions(+), 2 deletions(-) | |
25 | ||
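diff --git a/arch/x86/include/asm/spec_ctrl.h b/arch/x86/include/asm/spec_ctrl.h
index 7f8bb09b6acb..55ee1f36bda2 100644
--- a/arch/x86/include/asm/spec_ctrl.h
+++ b/arch/x86/include/asm/spec_ctrl.h
@@ -35,6 +35,73 @@
 popq %rdx; \
 popq %rcx; \
 popq %rax
+#define __ASM_STUFF_RSB \
+ call 1f; \
+ pause; \
+1: call 2f; \
+ pause; \
+2: call 3f; \
+ pause; \
+3: call 4f; \
+ pause; \
+4: call 5f; \
+ pause; \
+5: call 6f; \
+ pause; \
+6: call 7f; \
+ pause; \
+7: call 8f; \
+ pause; \
+8: call 9f; \
+ pause; \
+9: call 10f; \
+ pause; \
+10: call 11f; \
+ pause; \
+11: call 12f; \
+ pause; \
+12: call 13f; \
+ pause; \
+13: call 14f; \
+ pause; \
+14: call 15f; \
+ pause; \
+15: call 16f; \
+ pause; \
+16: call 17f; \
+ pause; \
+17: call 18f; \
+ pause; \
+18: call 19f; \
+ pause; \
+19: call 20f; \
+ pause; \
+20: call 21f; \
+ pause; \
+21: call 22f; \
+ pause; \
+22: call 23f; \
+ pause; \
+23: call 24f; \
+ pause; \
+24: call 25f; \
+ pause; \
+25: call 26f; \
+ pause; \
+26: call 27f; \
+ pause; \
+27: call 28f; \
+ pause; \
+28: call 29f; \
+ pause; \
+29: call 30f; \
+ pause; \
+30: call 31f; \
+ pause; \
+31: call 32f; \
+ pause; \
+32: \
+ add $(32*8), %rsp;
 
 .macro ENABLE_IBRS
 ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS), X86_FEATURE_SPEC_CTRL
@@ -48,5 +115,9 @@ ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS_CLOBBER), X86_FEATURE_SPEC_CTRL
 ALTERNATIVE "", __stringify(__ASM_DISABLE_IBRS), X86_FEATURE_SPEC_CTRL
 .endm
 
+.macro STUFF_RSB
+ALTERNATIVE __stringify(__ASM_STUFF_RSB), "", X86_FEATURE_SMEP
+.endm
+
 #endif /* __ASSEMBLY__ */
 #endif /* _ASM_X86_SPEC_CTRL_H */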
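Review bot: Each of the 32 return addresses that `__ASM_STUFF_RSB` captures points at a lone `pause` that falls through into the next `call`, so a speculative return into any of them keeps executing forward through the remaining stub, past `add $(32*8), %rsp` and into whatever follows the macro with a stale %rsp; the later upstream RSB-fill sequence makes each capture site a `pause; lfence` speculation trap so that speculation stalls there instead, and the same pair would be cheap to add after every `pause` here. The macro also states nothing about its contract; above `#define __ASM_STUFF_RSB` I would add `/* Fill the RSB with 32 benign kernel return addresses. Needs 32*8 bytes of free stack below %rsp and clobbers flags (the final add). */`, and the count 32 is encoded twice (the label chain and the add), so a named constant would keep the two in step. Separately, the SMEP side of `ALTERNATIVE __stringify(__ASM_STUFF_RSB), "", X86_FEATURE_SMEP` is empty, so if the alternatives patcher in this tree fills the replaced range with NOPs as upstream's does, SMEP machines execute roughly 230 bytes of NOP padding on every syscall and interrupt entry; a `jmp` past the padding as the replacement instruction would avoid that.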
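diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 5f898c3c1dad..f6ec4ad5b114 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -214,8 +214,6 @@ ENTRY(entry_SYSCALL_64)
 movq %rsp, PER_CPU_VAR(rsp_scratch)
 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
 
- TRACE_IRQS_OFF
-
 /* Construct struct pt_regs on stack */
 pushq $__USER_DS /* pt_regs->ss */
 pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
@@ -238,6 +236,10 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
 
 ENABLE_IBRS
 
+ STUFF_RSB
+
+ TRACE_IRQS_OFF
+
 /*
 * If we need to do entry work or if we guess we'll need to do
 * exit work, go straight to the slow path.
@@ -658,6 +660,13 @@ END(irq_entries_start)
 ALLOC_PT_GPREGS_ON_STACK
 SAVE_C_REGS
 SAVE_EXTRA_REGS
+
+ /*
+ * Have to do stuffing before encoding frame pointer.
+ * Could add some unnecessary RSB clearing if coming
+ * from kernel for non-SMEP platform.
+ */
+ STUFF_RSB
 ENCODE_FRAME_POINTER
 
 testb $3, CS(%rsp)
@@ -1276,6 +1285,10 @@ ENTRY(paranoid_entry)
 cld
 SAVE_C_REGS 8
 SAVE_EXTRA_REGS 8
+ /*
+ * Do the stuffing unconditionally from user/kernel to be safe
+ */
+ STUFF_RSB
 ENCODE_FRAME_POINTER 8
 movl $1, %ebx
 movl $MSR_GS_BASE, %ecx
@@ -1329,6 +1342,7 @@ ENTRY(error_entry)
 cld
 SAVE_C_REGS 8
 SAVE_EXTRA_REGS 8
+ STUFF_RSB
 ENCODE_FRAME_POINTER 8
 xorl %ebx, %ebx
 testb $3, CS+8(%rsp)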
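Review bot: The relocation of `TRACE_IRQS_OFF` in entry_SYSCALL_64, from before the pt_regs construction to just after the new `STUFF_RSB`, is a second behavioural change that the commit message ("Stuff RSB to prevent RSB underflow") does not mention and nothing in the hunk records why; presumably the intent is that no call into C, and so no `ret`, happens before the RSB has been filled, and a comment on the moved line such as `/* Keep the RSB stuffing ahead of the first call into C code */` would make that explicit. The comment at the paranoid_entry site, `Do the stuffing unconditionally from user/kernel to be safe`, is a fragment that gives no reason, and the error_entry site gets no comment at all even though `STUFF_RSB` is placed before the `testb $3, CS+8(%rsp)` user/kernel check; a one-line `/* Stuff the RSB before the user/kernel split below; cheap enough to do for kernel-mode faults too */` at both would keep the four sites consistent. All of the enclosing entry points continue outside these hunks.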
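diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index ee4f3edb3c50..1480222bae02 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -97,6 +97,7 @@ ENTRY(entry_SYSENTER_compat)
 cld
 
 ENABLE_IBRS
+ STUFF_RSB
 
 /*
 * SYSENTER doesn't filter flags, so we need to clear NT and AC
@@ -227,6 +228,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
 pushq $0 /* pt_regs->r14 = 0 */
 pushq $0 /* pt_regs->r15 = 0 */
 
+ STUFF_RSB
+
 /*
 * User mode is traced as though IRQs are on, and SYSENTER
 * turned them off.
@@ -354,6 +357,7 @@ ENTRY(entry_INT80_compat)
 cld
 
 ENABLE_IBRS
+ STUFF_RSB
 
 /*
 * User mode is traced as though IRQs are on, and the interrupt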
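Review bot: In entry_SYSCALL_compat the new `STUFF_RSB` is placed after the `pushq $0` register fill with no `ENABLE_IBRS` adjacent to it, whereas the SYSENTER and INT80 sites put it directly after `ENABLE_IBRS`; if `ENABLE_IBRS` sits above this hunk the ordering (IBRS on, then stuffing) is consistent with the other two, otherwise the stuffing here runs with IBRS still off and this site needs a second look. None of the three compat sites carries a comment, unlike the interrupt and paranoid sites in entry_64.S; a short `/* Fill the RSB before the first ret on the kernel side (non-SMEP only) */` at each would document the placement. All three entry functions continue outside the hunks.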
200 | -- | |
201 | 2.14.2 | |