From 9de43ded7a45b6a2ee5fc4cff812779b43e13e25 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Thu, 13 Sep 2018 09:03:03 +0200 Subject: [PATCH] rebase patches on top of Ubuntu-4.15.0-35.38 (generated with debian/scripts/import-upstream-tag) Signed-off-by: Thomas Lamprecht --- ...ides-for-missing-ACS-capabilities-4..patch | 2 +- ...Protect-against-userspace-userspace-.patch | 95 ------------------- 2 files changed, 1 insertion(+), 96 deletions(-) delete mode 100644 patches/kernel/0009-x86-speculation-Protect-against-userspace-userspace-.patch diff --git a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch index b4807be..e254152 100644 --- a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch +++ b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch @@ -54,7 +54,7 @@ Signed-off-by: Fabian Grünbichler 2 files changed, 110 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index e1c10a202abe..e40248310433 100644 +index 51210d10d905..ceb1b471d249 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -3049,6 +3049,15 @@ diff --git a/patches/kernel/0009-x86-speculation-Protect-against-userspace-userspace-.patch b/patches/kernel/0009-x86-speculation-Protect-against-userspace-userspace-.patch deleted file mode 100644 index 4202dd6..0000000 --- a/patches/kernel/0009-x86-speculation-Protect-against-userspace-userspace-.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Jiri Kosina -Date: Wed, 29 Aug 2018 19:17:40 +0000 -Subject: [PATCH] x86/speculation: Protect against userspace-userspace - spectreRSB - -The article "Spectre Returns! Speculation Attacks using the Return Stack -Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks, -making use solely of the RSB contents even on CPUs that don't fallback to -BTB on RSB underflow (Skylake+). - -Mitigate userspace-userspace attacks by always unconditionally filling RSB on -context switch when the generic spectrev2 mitigation has been enabled. - -[1] https://arxiv.org/pdf/1807.07940.pdf - -Signed-off-by: Jiri Kosina -Signed-off-by: Thomas Gleixner -Reviewed-by: Josh Poimboeuf -Acked-by: Tim Chen -Cc: Konrad Rzeszutek Wilk -Cc: Borislav Petkov -Cc: David Woodhouse -Cc: Peter Zijlstra -Cc: Linus Torvalds -Cc: stable@vger.kernel.org -Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm - -CVE-2017-5715 (SpectreRSB sub-variant) - -(cherry picked from commit fdf82a7856b32d905c39afc85e34364491e46346) -Signed-off-by: Tyler Hicks -Signed-off-by: Thomas Lamprecht ---- - arch/x86/kernel/cpu/bugs.c | 38 +++++++------------------------------- - 1 file changed, 7 insertions(+), 31 deletions(-) - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 700b4c0a93a2..edfc64a8a154 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -322,23 +322,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) - return cmd; - } - --/* Check for Skylake-like CPUs (for RSB handling) */ --static bool __init is_skylake_era(void) --{ -- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && -- boot_cpu_data.x86 == 6) { -- switch (boot_cpu_data.x86_model) { -- case INTEL_FAM6_SKYLAKE_MOBILE: -- case INTEL_FAM6_SKYLAKE_DESKTOP: -- case INTEL_FAM6_SKYLAKE_X: -- case INTEL_FAM6_KABYLAKE_MOBILE: -- case INTEL_FAM6_KABYLAKE_DESKTOP: -- return true; -- } -- } -- return false; --} -- - static void __init spectre_v2_select_mitigation(void) - { - enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); -@@ -399,22 +382,15 @@ static void __init spectre_v2_select_mitigation(void) - pr_info("%s\n", spectre_v2_strings[mode]); - - /* -- * If neither SMEP nor PTI are available, there is a risk of -- * hitting userspace addresses in the RSB after a context switch -- * from a shallow call stack to a deeper one. To prevent this fill -- * the entire RSB, even when using IBRS. -+ * If spectre v2 protection has been enabled, unconditionally fill -+ * RSB during a context switch; this protects against two independent -+ * issues: - * -- * Skylake era CPUs have a separate issue with *underflow* of the -- * RSB, when they will predict 'ret' targets from the generic BTB. -- * The proper mitigation for this is IBRS. If IBRS is not supported -- * or deactivated in favour of retpolines the RSB fill on context -- * switch is required. -+ * - RSB underflow (and switch to BTB) on Skylake+ -+ * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs - */ -- if ((!boot_cpu_has(X86_FEATURE_PTI) && -- !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { -- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); -- pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); -- } -+ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); -+ pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); - - /* Initialize Indirect Branch Prediction Barrier if supported */ - if (boot_cpu_has(X86_FEATURE_IBPB)) { -- 2.39.2