1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Tim Chen <tim.c.chen@linux.intel.com>
3 Date: Tue, 19 Sep 2017 15:21:40 -0700
4 Subject: [PATCH] x86/syscall: Clear unused extra registers on syscall entrance
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 CVE-2017-5753
10 CVE-2017-5715
11
12 To prevent the unused registers %r12-%r15, %rbp and %rbx from
13 being used speculatively, we clear them upon syscall entrance
14 for code hygiene.
15
16 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
17 Signed-off-by: Andy Whitcroft <apw@canonical.com>
18 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
19 (cherry picked from commit 7b5ea16f42b5e4860cf9033897bcdfa3e1209033)
20 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
21 ---
22 arch/x86/entry/calling.h | 9 +++++++++
23 arch/x86/entry/entry_64.S | 12 ++++++++----
24 2 files changed, 17 insertions(+), 4 deletions(-)
25
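diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
index 015e0a84bb99..d537818ad285 100644
--- a/arch/x86/entry/calling.h
+++ b/arch/x86/entry/calling.h
@@ -155,6 +155,15 @@ For 32-bit we have the following conventions - kernel is built with
 popq %rbx
 .endm
 
+ .macro CLEAR_EXTRA_REGS
+ xorq %r15, %r15
+ xorq %r14, %r14
+ xorq %r13, %r13
+ xorq %r12, %r12
+ xorq %rbp, %rbp
+ xorq %rbx, %rbx
+ .endm
+
 .macro POP_C_REGS
 popq %r11
 popq %r10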
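Review bot: CLEAR_EXTRA_REGS in the added hunk has no comment, yet it zeroes six callee-saved registers and is only safe once the caller has stored them to pt_regs; the entry_64.S half of this patch pairs it with SAVE_EXTRA_REGS, but that contract is not visible in calling.h, where the macro will be picked up by later callers. I would put above `.macro CLEAR_EXTRA_REGS` a comment such as `/* Zero the callee-saved extra regs (r12-r15, rbp, rbx) so stale user values are not left live for speculative execution; valid only after SAVE_EXTRA_REGS, the values are restored by POP_EXTRA_REGS. */`. As a style point, `xorl %ebp, %ebp` and `xorl %ebx, %ebx` zero the full 64-bit register exactly like the `xorq` forms with one byte less encoding each (for r12-r15 the REX byte is needed either way, so there it is purely a matter of consistency with the rest of the file).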
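diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index f6ec4ad5b114..1118a6256c69 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -231,10 +231,16 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
 pushq %r9 /* pt_regs->r9 */
 pushq %r10 /* pt_regs->r10 */
 pushq %r11 /* pt_regs->r11 */
- sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
+ sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not used */
 UNWIND_HINT_REGS extra=0
 
 ENABLE_IBRS
+ /*
+ * Clear the unused extra regs for code hygiene.
+ * Will restore the callee saved extra regs at end of syscall.
+ */
+ SAVE_EXTRA_REGS
+ CLEAR_EXTRA_REGS
 
 STUFF_RSB
 
@@ -292,7 +298,7 @@ entry_SYSCALL_64_fastpath:
 movq RIP(%rsp), %rcx
 movq EFLAGS(%rsp), %r11
 DISABLE_IBRS
- addq $6*8, %rsp /* skip extra regs -- they were preserved */
+ POP_EXTRA_REGS
 UNWIND_HINT_EMPTY
 jmp .Lpop_c_regs_except_rcx_r11_and_sysret
 
@@ -304,14 +310,12 @@ entry_SYSCALL_64_fastpath:
 */
 TRACE_IRQS_ON
 ENABLE_INTERRUPTS(CLBR_ANY)
- SAVE_EXTRA_REGS
 movq %rsp, %rdi
 call syscall_return_slowpath /* returns with IRQs disabled */
 jmp return_from_SYSCALL_64
 
 entry_SYSCALL64_slow_path:
 /* IRQs are off. */
- SAVE_EXTRA_REGS
 movq %rsp, %rdi
 call do_syscall_64 /* returns with IRQs disabled */
 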
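Review bot: The rewritten comment on `sub $(6*8), %rsp` in the first hunk says the bp/bx/r12-15 slots are "not used", but the same hunk fills them a few lines later with SAVE_EXTRA_REGS, so the comment contradicts the code it introduces; `sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15: filled by SAVE_EXTRA_REGS below */` would describe the new frame. `UNWIND_HINT_REGS extra=0` also stays where it was even though the extra regs are valid in pt_regs once SAVE_EXTRA_REGS has run; I cannot tell from the hunk whether the unwinder consumes those slots on this path, but a plain `UNWIND_HINT_REGS` placed after SAVE_EXTRA_REGS would keep the hint and the frame in agreement. The entry path this hunk sits in begins before the hunk, and the two later hunks, which drop SAVE_EXTRA_REGS from both slow paths and replace the `addq $6*8, %rsp` skip with POP_EXTRA_REGS, are consistent with the save having moved up to entry; the fastpath restore is now required rather than optional, since the cleared registers no longer hold the user's values.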
92 --
93 2.14.2
94