[pve-kernel.git] / patches / kernel / 0279-x86-entry-Stuff-RSB-for-entry-to-kernel-for-non-SMEP.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tim Chen <tim.c.chen@linux.intel.com>
Date: Tue, 14 Nov 2017 17:16:30 -0800
Subject: [PATCH] x86/entry: Stuff RSB for entry to kernel for non-SMEP
 platform
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5753
CVE-2017-5715

Stuff RSB to prevent RSB underflow on non-SMEP platform.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit b82785ac1d33ce219c77d72b7bd80a21e1441ac8)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/include/asm/spec_ctrl.h | 71 ++++++++++++++++++++++++++++++++++++++++
 arch/x86/entry/entry_64.S        | 18 ++++++++--
 arch/x86/entry/entry_64_compat.S |  4 +++
 3 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/spec_ctrl.h b/arch/x86/include/asm/spec_ctrl.h
index 7f8bb09b6acb..55ee1f36bda2 100644
--- a/arch/x86/include/asm/spec_ctrl.h
+++ b/arch/x86/include/asm/spec_ctrl.h
@@ -35,6 +35,73 @@
 	popq %rdx;				\
 	popq %rcx;				\
 	popq %rax
+#define __ASM_STUFF_RSB				\
+	call	1f;				\
+	pause;					\
+1:	call	2f;				\
+	pause;					\
+2:	call	3f;				\
+	pause;					\
+3:	call	4f;				\
+	pause;					\
+4:	call	5f;				\
+	pause;					\
+5:	call	6f;				\
+	pause;					\
+6:	call	7f;				\
+	pause;					\
+7:	call	8f;				\
+	pause;					\
+8:	call	9f;				\
+	pause;					\
+9:	call	10f;				\
+	pause;					\
+10:	call	11f;				\
+	pause;					\
+11:	call	12f;				\
+	pause;					\
+12:	call	13f;				\
+	pause;					\
+13:	call	14f;				\
+	pause;					\
+14:	call	15f;				\
+	pause;					\
+15:	call	16f;				\
+	pause;					\
+16:	call	17f;				\
+	pause;					\
+17:	call	18f;				\
+	pause;					\
+18:	call	19f;				\
+	pause;					\
+19:	call	20f;				\
+	pause;					\
+20:	call	21f;				\
+	pause;					\
+21:	call	22f;				\
+	pause;					\
+22:	call	23f;				\
+	pause;					\
+23:	call	24f;				\
+	pause;					\
+24:	call	25f;				\
+	pause;					\
+25:	call	26f;				\
+	pause;					\
+26:	call	27f;				\
+	pause;					\
+27:	call	28f;				\
+	pause;					\
+28:	call	29f;				\
+	pause;					\
+29:	call	30f;				\
+	pause;					\
+30:	call	31f;				\
+	pause;					\
+31:	call	32f;				\
+	pause;					\
+32:						\
+	add $(32*8), %rsp;
 
 .macro ENABLE_IBRS
 ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS), X86_FEATURE_SPEC_CTRL
@@ -48,5 +115,9 @@ ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS_CLOBBER), X86_FEATURE_SPEC_CTRL
 ALTERNATIVE "", __stringify(__ASM_DISABLE_IBRS), X86_FEATURE_SPEC_CTRL
 .endm
 
+.macro STUFF_RSB
+ALTERNATIVE __stringify(__ASM_STUFF_RSB), "", X86_FEATURE_SMEP
+.endm
+
 #endif /* __ASSEMBLY__ */
 #endif /* _ASM_X86_SPEC_CTRL_H */
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 5f898c3c1dad..f6ec4ad5b114 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -214,8 +214,6 @@ ENTRY(entry_SYSCALL_64)
 	movq	%rsp, PER_CPU_VAR(rsp_scratch)
 	movq	PER_CPU_VAR(cpu_current_top_of_stack), %rsp
 
-	TRACE_IRQS_OFF
-
 	/* Construct struct pt_regs on stack */
 	pushq	$__USER_DS			/* pt_regs->ss */
 	pushq	PER_CPU_VAR(rsp_scratch)	/* pt_regs->sp */
@@ -238,6 +236,10 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
 
 	ENABLE_IBRS
 
+	STUFF_RSB
+
+	TRACE_IRQS_OFF
+
 	/*
 	 * If we need to do entry work or if we guess we'll need to do
 	 * exit work, go straight to the slow path.
@@ -658,6 +660,13 @@ END(irq_entries_start)
 	ALLOC_PT_GPREGS_ON_STACK
 	SAVE_C_REGS
 	SAVE_EXTRA_REGS
+
+	/*
+	 * Have to do stuffing before encoding frame pointer.
+	 * Could add some unnecessary RSB clearing if coming
+	 * from kernel for non-SMEP platform.
+	 */
+	STUFF_RSB
 	ENCODE_FRAME_POINTER
 
 	testb	$3, CS(%rsp)
@@ -1276,6 +1285,10 @@ ENTRY(paranoid_entry)
 	cld
 	SAVE_C_REGS 8
 	SAVE_EXTRA_REGS 8
+	/*
+	 * Do the stuffing unconditionally from user/kernel to be safe
+	 */
+	STUFF_RSB
 	ENCODE_FRAME_POINTER 8
 	movl	$1, %ebx
 	movl	$MSR_GS_BASE, %ecx
@@ -1329,6 +1342,7 @@ ENTRY(error_entry)
 	cld
 	SAVE_C_REGS 8
 	SAVE_EXTRA_REGS 8
+	STUFF_RSB
 	ENCODE_FRAME_POINTER 8
 	xorl	%ebx, %ebx
 	testb	$3, CS+8(%rsp)
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index ee4f3edb3c50..1480222bae02 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -97,6 +97,7 @@ ENTRY(entry_SYSENTER_compat)
 	cld
 
 	ENABLE_IBRS
+	STUFF_RSB
 
 	/*
 	 * SYSENTER doesn't filter flags, so we need to clear NT and AC
@@ -227,6 +228,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
 	pushq   $0			/* pt_regs->r14 = 0 */
 	pushq   $0			/* pt_regs->r15 = 0 */
 
+	STUFF_RSB
+
 	/*
 	 * User mode is traced as though IRQs are on, and SYSENTER
 	 * turned them off.
@@ -354,6 +357,7 @@ ENTRY(entry_INT80_compat)
 	cld
 
 	ENABLE_IBRS
+	STUFF_RSB
 
 	/*
 	 * User mode is traced as though IRQs are on, and the interrupt
-- 
2.14.2
Commit	Line	Data
035dbe67 FG	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Tim Chen <tim.c.chen@linux.intel.com>
	3	Date: Tue, 14 Nov 2017 17:16:30 -0800
	4	Subject: [PATCH] x86/entry: Stuff RSB for entry to kernel for non-SMEP
	5	platform
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	CVE-2017-5753
	11	CVE-2017-5715
	12
	13	Stuff RSB to prevent RSB underflow on non-SMEP platform.
	14
	15	Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
	16	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	17	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	18	(cherry picked from commit b82785ac1d33ce219c77d72b7bd80a21e1441ac8)
	19	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	20	---
	21	arch/x86/include/asm/spec_ctrl.h \| 71 ++++++++++++++++++++++++++++++++++++++++
	22	arch/x86/entry/entry_64.S \| 18 ++++++++--
	23	arch/x86/entry/entry_64_compat.S \| 4 +++
	24	3 files changed, 91 insertions(+), 2 deletions(-)
	25
	26	diff --git a/arch/x86/include/asm/spec_ctrl.h b/arch/x86/include/asm/spec_ctrl.h
	27	index 7f8bb09b6acb..55ee1f36bda2 100644
	28	--- a/arch/x86/include/asm/spec_ctrl.h
	29	+++ b/arch/x86/include/asm/spec_ctrl.h
	30	@@ -35,6 +35,73 @@
	31	popq %rdx; \
	32	popq %rcx; \
	33	popq %rax
	34	+#define __ASM_STUFF_RSB \
	35	+ call 1f; \
	36	+ pause; \
	37	+1: call 2f; \
	38	+ pause; \
	39	+2: call 3f; \
	40	+ pause; \
	41	+3: call 4f; \
	42	+ pause; \
	43	+4: call 5f; \
	44	+ pause; \
	45	+5: call 6f; \
	46	+ pause; \
	47	+6: call 7f; \
	48	+ pause; \
	49	+7: call 8f; \
	50	+ pause; \
	51	+8: call 9f; \
	52	+ pause; \
	53	+9: call 10f; \
	54	+ pause; \
	55	+10: call 11f; \
	56	+ pause; \
	57	+11: call 12f; \
	58	+ pause; \
	59	+12: call 13f; \
	60	+ pause; \
	61	+13: call 14f; \
	62	+ pause; \
	63	+14: call 15f; \
	64	+ pause; \
65	+15: call 16f; \
66	+ pause; \
67	+16: call 17f; \
68	+ pause; \
69	+17: call 18f; \
70	+ pause; \
71	+18: call 19f; \
72	+ pause; \
73	+19: call 20f; \
74	+ pause; \
75	+20: call 21f; \
76	+ pause; \
77	+21: call 22f; \
78	+ pause; \
79	+22: call 23f; \
80	+ pause; \
81	+23: call 24f; \
82	+ pause; \
83	+24: call 25f; \
84	+ pause; \
85	+25: call 26f; \
86	+ pause; \
87	+26: call 27f; \
88	+ pause; \
89	+27: call 28f; \
90	+ pause; \
91	+28: call 29f; \
92	+ pause; \
93	+29: call 30f; \
94	+ pause; \
95	+30: call 31f; \
96	+ pause; \
97	+31: call 32f; \
98	+ pause; \
99	+32: \
100	+ add $(32*8), %rsp;
101
102	.macro ENABLE_IBRS
103	ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS), X86_FEATURE_SPEC_CTRL
104	@@ -48,5 +115,9 @@ ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS_CLOBBER), X86_FEATURE_SPEC_CTRL
105	ALTERNATIVE "", __stringify(__ASM_DISABLE_IBRS), X86_FEATURE_SPEC_CTRL
106	.endm
107
108	+.macro STUFF_RSB
109	+ALTERNATIVE __stringify(__ASM_STUFF_RSB), "", X86_FEATURE_SMEP
110	+.endm
111	+
112	#endif /* __ASSEMBLY__ */
113	#endif /* _ASM_X86_SPEC_CTRL_H */
114	diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
115	index 5f898c3c1dad..f6ec4ad5b114 100644
116	--- a/arch/x86/entry/entry_64.S
117	+++ b/arch/x86/entry/entry_64.S
118	@@ -214,8 +214,6 @@ ENTRY(entry_SYSCALL_64)
119	movq %rsp, PER_CPU_VAR(rsp_scratch)
120	movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
121
122	- TRACE_IRQS_OFF
123	-
124	/* Construct struct pt_regs on stack */
125	pushq $__USER_DS /* pt_regs->ss */
126	pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
127	@@ -238,6 +236,10 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
128
129	ENABLE_IBRS
130
131	+ STUFF_RSB
132	+
133	+ TRACE_IRQS_OFF
134	+
135	/*
136	* If we need to do entry work or if we guess we'll need to do
137	* exit work, go straight to the slow path.
138	@@ -658,6 +660,13 @@ END(irq_entries_start)
139	ALLOC_PT_GPREGS_ON_STACK
140	SAVE_C_REGS
141	SAVE_EXTRA_REGS
142	+
143	+ /*
144	+ * Have to do stuffing before encoding frame pointer.
145	+ * Could add some unnecessary RSB clearing if coming
146	+ * from kernel for non-SMEP platform.
147	+ */
148	+ STUFF_RSB
149	ENCODE_FRAME_POINTER
150
151	testb $3, CS(%rsp)
152	@@ -1276,6 +1285,10 @@ ENTRY(paranoid_entry)
153	cld
154	SAVE_C_REGS 8
155	SAVE_EXTRA_REGS 8
156	+ /*
157	+ * Do the stuffing unconditionally from user/kernel to be safe
158	+ */
159	+ STUFF_RSB
160	ENCODE_FRAME_POINTER 8
161	movl $1, %ebx
162	movl $MSR_GS_BASE, %ecx
163	@@ -1329,6 +1342,7 @@ ENTRY(error_entry)
164	cld
165	SAVE_C_REGS 8
166	SAVE_EXTRA_REGS 8
167	+ STUFF_RSB
168	ENCODE_FRAME_POINTER 8
169	xorl %ebx, %ebx
170	testb $3, CS+8(%rsp)
171	diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
172	index ee4f3edb3c50..1480222bae02 100644
173	--- a/arch/x86/entry/entry_64_compat.S
174	+++ b/arch/x86/entry/entry_64_compat.S
175	@@ -97,6 +97,7 @@ ENTRY(entry_SYSENTER_compat)
176	cld
177
178	ENABLE_IBRS
179	+ STUFF_RSB
180
181	/*
182	* SYSENTER doesn't filter flags, so we need to clear NT and AC
183	@@ -227,6 +228,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
184	pushq $0 /* pt_regs->r14 = 0 */
185	pushq $0 /* pt_regs->r15 = 0 */
186
187	+ STUFF_RSB
188	+
189	/*
190	* User mode is traced as though IRQs are on, and SYSENTER
191	* turned them off.
192	@@ -354,6 +357,7 @@ ENTRY(entry_INT80_compat)
193	cld
194
195	ENABLE_IBRS
196	+ STUFF_RSB
197
198	/*
199	* User mode is traced as though IRQs are on, and the interrupt
200	--
201	2.14.2
202