1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Jiri Kosina <jkosina@suse.cz> | |
3 | Date: Wed, 29 Aug 2018 19:17:40 +0000 | |
4 | Subject: [PATCH] x86/speculation: Protect against userspace-userspace | |
5 | spectreRSB | |
6 | ||
7 | The article "Spectre Returns! Speculation Attacks using the Return Stack | |
8 | Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks, | |
9 | making use solely of the RSB contents even on CPUs that don't fall back to | |
10 | BTB on RSB underflow (Skylake+). | |
11 | ||
12 | Mitigate userspace-userspace attacks by always unconditionally filling RSB on | |
13 | context switch when the generic spectrev2 mitigation has been enabled. | |
14 | ||
15 | [1] https://arxiv.org/pdf/1807.07940.pdf | |
16 | ||
17 | Signed-off-by: Jiri Kosina <jkosina@suse.cz> | |
18 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
19 | Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com> | |
20 | Acked-by: Tim Chen <tim.c.chen@linux.intel.com> | |
21 | Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> | |
22 | Cc: Borislav Petkov <bp@suse.de> | |
23 | Cc: David Woodhouse <dwmw@amazon.co.uk> | |
24 | Cc: Peter Zijlstra <peterz@infradead.org> | |
25 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
26 | Cc: stable@vger.kernel.org | |
27 | Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm | |
28 | ||
29 | CVE-2017-5715 (SpectreRSB sub-variant) | |
30 | ||
31 | (cherry picked from commit fdf82a7856b32d905c39afc85e34364491e46346) | |
32 | Signed-off-by: Tyler Hicks <tyhicks@canonical.com> | |
33 | Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> | |
34 | --- | |
35 | arch/x86/kernel/cpu/bugs.c | 38 +++++++------------------------------- | |
36 | 1 file changed, 7 insertions(+), 31 deletions(-) | |
37 | ||
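diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 700b4c0a93a2..edfc64a8a154 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -322,23 +322,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
 	return cmd;
 }
 
-/* Check for Skylake-like CPUs (for RSB handling) */
-static bool __init is_skylake_era(void)
-{
-	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
-	    boot_cpu_data.x86 == 6) {
-		switch (boot_cpu_data.x86_model) {
-		case INTEL_FAM6_SKYLAKE_MOBILE:
-		case INTEL_FAM6_SKYLAKE_DESKTOP:
-		case INTEL_FAM6_SKYLAKE_X:
-		case INTEL_FAM6_KABYLAKE_MOBILE:
-		case INTEL_FAM6_KABYLAKE_DESKTOP:
-			return true;
-		}
-	}
-	return false;
-}
-
 static void __init spectre_v2_select_mitigation(void)
 {
 	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -399,22 +382,15 @@ static void __init spectre_v2_select_mitigation(void)
 	pr_info("%s\n", spectre_v2_strings[mode]);
 
 	/*
-	 * If neither SMEP nor PTI are available, there is a risk of
-	 * hitting userspace addresses in the RSB after a context switch
-	 * from a shallow call stack to a deeper one. To prevent this fill
-	 * the entire RSB, even when using IBRS.
+	 * If spectre v2 protection has been enabled, unconditionally fill
+	 * RSB during a context switch; this protects against two independent
+	 * issues:
 	 *
-	 * Skylake era CPUs have a separate issue with *underflow* of the
-	 * RSB, when they will predict 'ret' targets from the generic BTB.
-	 * The proper mitigation for this is IBRS. If IBRS is not supported
-	 * or deactivated in favour of retpolines the RSB fill on context
-	 * switch is required.
+	 * - RSB underflow (and switch to BTB) on Skylake+
+	 * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
 	 */
-	if ((!boot_cpu_has(X86_FEATURE_PTI) &&
-	     !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
-		setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
-		pr_info("Spectre v2 mitigation: Filling RSB on context switch\n");
-	}
+	setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
+	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
 
 	/* Initialize Indirect Branch Prediction Barrier if supported */
 	if (boot_cpu_has(X86_FEATURE_IBPB)) {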
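Review bot: The rewritten comment in the second hunk says the RSB fill applies "if spectre v2 protection has been enabled", but nothing inside the hunk establishes that: the forced `X86_FEATURE_RSB_CTXSW` and its pr_info at the end of the hunk now run unconditionally from this point, so the guarantee rests on whatever path `spectre_v2_select_mitigation` takes before `mode` is printed, which lies outside the hunk (presumably an early exit when no mitigation was selected). That dependency is worth stating so a later change to the earlier control flow does not silently widen the fill, e.g. `* We only get here once a mitigation mode was selected above, so` / `* unconditionally fill RSB during a context switch; this protects`. The first hunk deletes `is_skylake_era()` and this hunk removes its only visible caller, so the two hunks must land together. `spectre_v2_select_mitigation` begins in the first hunk and continues past the end of this one.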