[pve-kernel.git] / patches / kernel / 0288-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tim Chen <tim.c.chen@linux.intel.com>
Date: Tue, 19 Sep 2017 15:21:40 -0700
Subject: [PATCH] x86/syscall: Clear unused extra registers on syscall entrance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5753
CVE-2017-5715

To prevent the unused registers %r12-%r15, %rbp and %rbx from
being used speculatively, we clear them upon syscall entrance
for code hygiene.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 7b5ea16f42b5e4860cf9033897bcdfa3e1209033)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/entry/calling.h  |  9 +++++++++
 arch/x86/entry/entry_64.S | 12 ++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
index 015e0a84bb99..d537818ad285 100644
--- a/arch/x86/entry/calling.h
+++ b/arch/x86/entry/calling.h
@@ -155,6 +155,15 @@ For 32-bit we have the following conventions - kernel is built with
 	popq %rbx
 	.endm
 
+	.macro CLEAR_EXTRA_REGS
+	xorq %r15, %r15
+	xorq %r14, %r14
+	xorq %r13, %r13
+	xorq %r12, %r12
+	xorq %rbp, %rbp
+	xorq %rbx, %rbx
+	.endm
+
 	.macro POP_C_REGS
 	popq %r11
 	popq %r10
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index f6ec4ad5b114..1118a6256c69 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -231,10 +231,16 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
 	pushq	%r9				/* pt_regs->r9 */
 	pushq	%r10				/* pt_regs->r10 */
 	pushq	%r11				/* pt_regs->r11 */
-	sub	$(6*8), %rsp			/* pt_regs->bp, bx, r12-15 not saved */
+	sub	$(6*8), %rsp			/* pt_regs->bp, bx, r12-15 not used */
 	UNWIND_HINT_REGS extra=0
 
 	ENABLE_IBRS
+	/*
+	 * Clear the unused extra regs for code hygiene.
+	 * Will restore the callee saved extra regs at end of syscall.
+	 */
+	SAVE_EXTRA_REGS
+	CLEAR_EXTRA_REGS
 
 	STUFF_RSB
 
@@ -292,7 +298,7 @@ entry_SYSCALL_64_fastpath:
 	movq	RIP(%rsp), %rcx
 	movq	EFLAGS(%rsp), %r11
 	DISABLE_IBRS
-	addq	$6*8, %rsp	/* skip extra regs -- they were preserved */
+	POP_EXTRA_REGS
 	UNWIND_HINT_EMPTY
 	jmp	.Lpop_c_regs_except_rcx_r11_and_sysret
 
@@ -304,14 +310,12 @@ entry_SYSCALL_64_fastpath:
 	 */
 	TRACE_IRQS_ON
 	ENABLE_INTERRUPTS(CLBR_ANY)
-	SAVE_EXTRA_REGS
 	movq	%rsp, %rdi
 	call	syscall_return_slowpath	/* returns with IRQs disabled */
 	jmp	return_from_SYSCALL_64
 
 entry_SYSCALL64_slow_path:
 	/* IRQs are off. */
-	SAVE_EXTRA_REGS
 	movq	%rsp, %rdi
 	call	do_syscall_64		/* returns with IRQs disabled */
 
-- 
2.14.2
Commit	Line	Data
035dbe67 FG	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Tim Chen <tim.c.chen@linux.intel.com>
	3	Date: Tue, 19 Sep 2017 15:21:40 -0700
	4	Subject: [PATCH] x86/syscall: Clear unused extra registers on syscall entrance
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5753
	10	CVE-2017-5715
	11
	12	To prevent the unused registers %r12-%r15, %rbp and %rbx from
	13	being used speculatively, we clear them upon syscall entrance
	14	for code hygiene.
	15
	16	Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
	17	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	18	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	19	(cherry picked from commit 7b5ea16f42b5e4860cf9033897bcdfa3e1209033)
	20	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	21	---
	22	arch/x86/entry/calling.h \| 9 +++++++++
	23	arch/x86/entry/entry_64.S \| 12 ++++++++----
	24	2 files changed, 17 insertions(+), 4 deletions(-)
	25
	26	diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
	27	index 015e0a84bb99..d537818ad285 100644
	28	--- a/arch/x86/entry/calling.h
	29	+++ b/arch/x86/entry/calling.h
	30	@@ -155,6 +155,15 @@ For 32-bit we have the following conventions - kernel is built with
	31	popq %rbx
	32	.endm
	33
	34	+ .macro CLEAR_EXTRA_REGS
	35	+ xorq %r15, %r15
	36	+ xorq %r14, %r14
	37	+ xorq %r13, %r13
	38	+ xorq %r12, %r12
	39	+ xorq %rbp, %rbp
	40	+ xorq %rbx, %rbx
	41	+ .endm
	42	+
	43	.macro POP_C_REGS
	44	popq %r11
	45	popq %r10
	46	diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
	47	index f6ec4ad5b114..1118a6256c69 100644
	48	--- a/arch/x86/entry/entry_64.S
	49	+++ b/arch/x86/entry/entry_64.S
	50	@@ -231,10 +231,16 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
	51	pushq %r9 /* pt_regs->r9 */
	52	pushq %r10 /* pt_regs->r10 */
	53	pushq %r11 /* pt_regs->r11 */
	54	- sub $(68), %rsp / pt_regs->bp, bx, r12-15 not saved */
	55	+ sub $(68), %rsp / pt_regs->bp, bx, r12-15 not used */
	56	UNWIND_HINT_REGS extra=0
	57
	58	ENABLE_IBRS
	59	+ /*
	60	+ * Clear the unused extra regs for code hygiene.
	61	+ * Will restore the callee saved extra regs at end of syscall.
	62	+ */
	63	+ SAVE_EXTRA_REGS
	64	+ CLEAR_EXTRA_REGS
65
66	STUFF_RSB
67
68	@@ -292,7 +298,7 @@ entry_SYSCALL_64_fastpath:
69	movq RIP(%rsp), %rcx
70	movq EFLAGS(%rsp), %r11
71	DISABLE_IBRS
72	- addq $68, %rsp / skip extra regs -- they were preserved */
73	+ POP_EXTRA_REGS
74	UNWIND_HINT_EMPTY
75	jmp .Lpop_c_regs_except_rcx_r11_and_sysret
76
77	@@ -304,14 +310,12 @@ entry_SYSCALL_64_fastpath:
78	*/
79	TRACE_IRQS_ON
80	ENABLE_INTERRUPTS(CLBR_ANY)
81	- SAVE_EXTRA_REGS
82	movq %rsp, %rdi
83	call syscall_return_slowpath /* returns with IRQs disabled */
84	jmp return_from_SYSCALL_64
85
86	entry_SYSCALL64_slow_path:
87	/* IRQs are off. */
88	- SAVE_EXTRA_REGS
89	movq %rsp, %rdi
90	call do_syscall_64 /* returns with IRQs disabled */
91
92	--
93	2.14.2
94