1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Tim Chen <tim.c.chen@linux.intel.com>
3 Date: Tue, 14 Nov 2017 17:16:30 -0800
4 Subject: [PATCH] x86/entry: Stuff RSB for entry to kernel for non-SMEP
5 platform
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
9
10 CVE-2017-5753
11 CVE-2017-5715
12
13 Stuff RSB to prevent RSB underflow on non-SMEP platform.
14
15 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
16 Signed-off-by: Andy Whitcroft <apw@canonical.com>
17 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
18 (cherry picked from commit b82785ac1d33ce219c77d72b7bd80a21e1441ac8)
19 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
20 ---
21 arch/x86/include/asm/spec_ctrl.h | 71 ++++++++++++++++++++++++++++++++++++++++
22 arch/x86/entry/entry_64.S | 18 ++++++++--
23 arch/x86/entry/entry_64_compat.S | 4 +++
24 3 files changed, 91 insertions(+), 2 deletions(-)
25
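diff --git a/arch/x86/include/asm/spec_ctrl.h b/arch/x86/include/asm/spec_ctrl.h
index 7f8bb09b6acb..55ee1f36bda2 100644
--- a/arch/x86/include/asm/spec_ctrl.h
+++ b/arch/x86/include/asm/spec_ctrl.h
@@ -35,6 +35,73 @@
 popq %rdx; \
 popq %rcx; \
 popq %rax
+#define __ASM_STUFF_RSB \
+ call 1f; \
+ pause; \
+1: call 2f; \
+ pause; \
+2: call 3f; \
+ pause; \
+3: call 4f; \
+ pause; \
+4: call 5f; \
+ pause; \
+5: call 6f; \
+ pause; \
+6: call 7f; \
+ pause; \
+7: call 8f; \
+ pause; \
+8: call 9f; \
+ pause; \
+9: call 10f; \
+ pause; \
+10: call 11f; \
+ pause; \
+11: call 12f; \
+ pause; \
+12: call 13f; \
+ pause; \
+13: call 14f; \
+ pause; \
+14: call 15f; \
+ pause; \
+15: call 16f; \
+ pause; \
+16: call 17f; \
+ pause; \
+17: call 18f; \
+ pause; \
+18: call 19f; \
+ pause; \
+19: call 20f; \
+ pause; \
+20: call 21f; \
+ pause; \
+21: call 22f; \
+ pause; \
+22: call 23f; \
+ pause; \
+23: call 24f; \
+ pause; \
+24: call 25f; \
+ pause; \
+25: call 26f; \
+ pause; \
+26: call 27f; \
+ pause; \
+27: call 28f; \
+ pause; \
+28: call 29f; \
+ pause; \
+29: call 30f; \
+ pause; \
+30: call 31f; \
+ pause; \
+31: call 32f; \
+ pause; \
+32: \
+ add $(32*8), %rsp;
 
 .macro ENABLE_IBRS
 ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS), X86_FEATURE_SPEC_CTRL
@@ -48,5 +115,9 @@ ALTERNATIVE "", __stringify(__ASM_ENABLE_IBRS_CLOBBER), X86_FEATURE_SPEC_CTRL
 ALTERNATIVE "", __stringify(__ASM_DISABLE_IBRS), X86_FEATURE_SPEC_CTRL
 .endm
 
+.macro STUFF_RSB
+ALTERNATIVE __stringify(__ASM_STUFF_RSB), "", X86_FEATURE_SMEP
+.endm
+
 #endif /* __ASSEMBLY__ */
 #endif /* _ASM_X86_SPEC_CTRL_H */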
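Review bot: The new `__ASM_STUFF_RSB` chain (from `+#define __ASM_STUFF_RSB \` down to `+ add $(32*8), %rsp;`) has no comment, and the entry count appears twice as a bare literal — once implicitly as the number of `call`/label pairs and once in the closing `add $(32*8), %rsp` — so nothing ties the two together or says which RSB depth the 32 was chosen for. I would name the depth, e.g. `#define RSB_STUFF_ENTRIES 32` (constructed name) used in the closing `add $(RSB_STUFF_ENTRIES*8), %rsp`, and add a header comment stating that the macro pushes 32 return addresses (256 bytes) onto the current stack and discards them with the final `add`, that every pushed address is that of a `pause` (presumably so a later speculative return into one of these entries lands on a harmless instruction), and that the sequence clobbers flags and no general-purpose register. The `STUFF_RSB` wrapper issues the sequence only when X86_FEATURE_SMEP is absent; as I read `ALTERNATIVE`, SMEP hardware then executes a NOP run the length of the call chain at every entry point that uses the macro, which is worth a note since that is the common case on current CPUs and the ALTERNATIVE line gives no hint of it.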
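diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 5f898c3c1dad..f6ec4ad5b114 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -214,8 +214,6 @@ ENTRY(entry_SYSCALL_64)
 movq %rsp, PER_CPU_VAR(rsp_scratch)
 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
 
- TRACE_IRQS_OFF
-
 /* Construct struct pt_regs on stack */
 pushq $__USER_DS /* pt_regs->ss */
 pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
@@ -238,6 +236,10 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
 
 ENABLE_IBRS
 
+ STUFF_RSB
+
+ TRACE_IRQS_OFF
+
 /*
 * If we need to do entry work or if we guess we'll need to do
 * exit work, go straight to the slow path.
@@ -658,6 +660,13 @@ END(irq_entries_start)
 ALLOC_PT_GPREGS_ON_STACK
 SAVE_C_REGS
 SAVE_EXTRA_REGS
+
+ /*
+ * Have to do stuffing before encoding frame pointer.
+ * Could add some unnecessary RSB clearing if coming
+ * from kernel for non-SMEP platform.
+ */
+ STUFF_RSB
 ENCODE_FRAME_POINTER
 
 testb $3, CS(%rsp)
@@ -1276,6 +1285,10 @@ ENTRY(paranoid_entry)
 cld
 SAVE_C_REGS 8
 SAVE_EXTRA_REGS 8
+ /*
+ * Do the stuffing unconditionally from user/kernel to be safe
+ */
+ STUFF_RSB
 ENCODE_FRAME_POINTER 8
 movl $1, %ebx
 movl $MSR_GS_BASE, %ecx
@@ -1329,6 +1342,7 @@ ENTRY(error_entry)
 cld
 SAVE_C_REGS 8
 SAVE_EXTRA_REGS 8
+ STUFF_RSB
 ENCODE_FRAME_POINTER 8
 xorl %ebx, %ebx
 testb $3, CS+8(%rsp)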
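Review bot: In the entry_SYSCALL_64 hunks, `TRACE_IRQS_OFF` is moved from before the pt_regs construction to after the new `STUFF_RSB`, but neither the hunk nor the commit message says why; presumably the point is that TRACE_IRQS_OFF can expand to a `call` whose `ret` would otherwise be predicted from the still user-populated RSB, and the reordering guarantees the stuffing is the first thing to run after the register pushes. I would record that above the relocated line: `/* TRACE_IRQS_OFF may call out; keep it after STUFF_RSB so no ret runs on a user-trained RSB. */`. The same ordering rule is what the remaining hunks in this file (common interrupt, paranoid_entry, error_entry) rely on, and the interrupt hunk's comment "Have to do stuffing before encoding frame pointer" would be clearer if it said what ENCODE_FRAME_POINTER does that forces the order, since STUFF_RSB itself leaves every general-purpose register untouched and only adjusts %rsp. Each of these entry routines continues outside its hunk.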
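diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index ee4f3edb3c50..1480222bae02 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -97,6 +97,7 @@ ENTRY(entry_SYSENTER_compat)
 cld
 
 ENABLE_IBRS
+ STUFF_RSB
 
 /*
 * SYSENTER doesn't filter flags, so we need to clear NT and AC
@@ -227,6 +228,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
 pushq $0 /* pt_regs->r14 = 0 */
 pushq $0 /* pt_regs->r15 = 0 */
 
+ STUFF_RSB
+
 /*
 * User mode is traced as though IRQs are on, and SYSENTER
 * turned them off.
@@ -354,6 +357,7 @@ ENTRY(entry_INT80_compat)
 cld
 
 ENABLE_IBRS
+ STUFF_RSB
 
 /*
 * User mode is traced as though IRQs are on, and the interrupt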
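Review bot: In the entry_SYSCALL_compat_after_hwframe hunk, `STUFF_RSB` is added on its own, whereas in the SYSENTER and INT80 hunks it directly follows `ENABLE_IBRS`; if ENABLE_IBRS is already issued earlier on the SYSCALL_compat path (outside this hunk) a one-line comment at the new `STUFF_RSB` saying so would keep the three entry points readable as one pattern, and if it is not, that is the gap to close. The placement within each hunk looks sound as far as it is visible: the stuffing comes after the pt_regs pushes and before the flag-clearing block and the tracing call that the following comments describe, so no `ret` should run on the user-trained RSB before it is refilled, though that depends on code outside the hunks. All three entry routines continue outside their hunks.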
200 --
201 2.14.2
202