From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robert Gill <rtgill82@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Brian Gerst <brgerst@gmail.com>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 5.15 66/73] x86/bugs: Use code segment selector for VERW operand
Date: Wed, 6 Nov 2024 13:06:10 +0100 [thread overview]
Message-ID: <20241106120301.920631199@linuxfoundation.org> (raw)
In-Reply-To: <20241106120259.955073160@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit e4d2102018542e3ae5e297bc6e229303abff8a0f upstream.
Robert Gill reported below #GP in 32-bit mode when dosemu software was
executing vm86() system call:
general protection fault: 0000 [#1] PREEMPT SMP
CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
EIP: restore_all_switch_stack+0xbe/0xcf
EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
Call Trace:
show_regs+0x70/0x78
die_addr+0x29/0x70
exc_general_protection+0x13c/0x348
exc_bounds+0x98/0x98
handle_exception+0x14d/0x14d
exc_bounds+0x98/0x98
restore_all_switch_stack+0xbe/0xcf
exc_bounds+0x98/0x98
restore_all_switch_stack+0xbe/0xcf
This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS
are enabled. This is because segment registers with an arbitrary user value
can result in #GP when executing VERW. Intel SDM vol. 2C documents the
following behavior for VERW instruction:
#GP(0) - If a memory operand effective address is outside the CS, DS, ES,
FS, or GS segment limit.
CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user
space. Use %cs selector to reference VERW operand. This ensures VERW will
not #GP for an arbitrary user %ds.
[ mingo: Fixed the SOB chain. ]
Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition")
Reported-by: Robert Gill <rtgill82@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com
Cc: stable@vger.kernel.org # 5.10+
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707
Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.info/
Suggested-by: Dave Hansen <dave.hansen@linux.intel.com>
Suggested-by: Brian Gerst <brgerst@gmail.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/nospec-branch.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -199,7 +199,16 @@
*/
.macro CLEAR_CPU_BUFFERS
ALTERNATIVE "jmp .Lskip_verw_\@", "", X86_FEATURE_CLEAR_CPU_BUF
- verw _ASM_RIP(mds_verw_sel)
+#ifdef CONFIG_X86_64
+ verw mds_verw_sel(%rip)
+#else
+ /*
+ * In 32bit mode, the memory operand must be a %cs reference. The data
+ * segments may not be usable (vm86 mode), and the stack segment may not
+ * be flat (ESPFIX32).
+ */
+ verw %cs:mds_verw_sel
+#endif
.Lskip_verw_\@:
.endm
next prev parent reply other threads:[~2024-11-06 13:21 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 12:05 [PATCH 5.15 00/73] 5.15.171-rc1 review Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 01/73] selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 02/73] ksmbd: fix user-after-free from session log off Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 03/73] ACPI: PRM: Remove unnecessary blank lines Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 04/73] ACPI: PRM: Change handler_addr type to void pointer Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 05/73] ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 06/73] cgroup: Fix potential overflow issue when checking max_depth Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 07/73] mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 08/73] wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 09/73] wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 10/73] RDMA/cxgb4: Dump vendor specific QP details Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 11/73] RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 12/73] RDMA/bnxt_re: synchronize the qp-handle table array Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 13/73] mac80211: do drv_reconfig_complete() before restarting all Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 14/73] mac80211: Add support to trigger sta disconnect on hardware restart Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 15/73] wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 16/73] wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 17/73] ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 18/73] net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 19/73] igb: Disable threaded IRQ for igb_msix_other Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 20/73] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 21/73] gtp: allow -1 to be specified as file description from userspace Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 22/73] net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 23/73] netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 24/73] bpf: Fix out-of-bounds write in trie_get_next_key() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 25/73] netfilter: Fix use-after-free in get_info() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 26/73] net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 27/73] netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 28/73] firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 29/73] ACPI: CPPC: Make rmw_lock a raw_spin_lock Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 30/73] fs/ntfs3: Check if more than chunk-size bytes are written Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 31/73] fs/ntfs3: Fix warning possible deadlock in ntfs_set_state Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 32/73] fs/ntfs3: Fix possible deadlock in mi_read Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 33/73] fs/ntfs3: Additional check in ni_clear() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 34/73] scsi: scsi_transport_fc: Allow setting rport state to current state Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 35/73] net: amd: mvme147: Fix probe banner message Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 36/73] NFS: remove revoked delegation from servers delegation list Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 37/73] misc: sgi-gru: Dont disable preemption in GRU driver Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 38/73] usbip: tools: Fix detach_port() invalid port error path Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 39/73] usb: phy: Fix API devm_usb_put_phy() can not release the phy Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 40/73] usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 41/73] xhci: Fix Link TRB DMA in command ring stopped completion event Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 42/73] xhci: Use pm_runtime_get to prevent RPM on unsupported systems Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 43/73] Revert "driver core: Fix uevent_show() vs driver detach race" Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 44/73] wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 45/73] wifi: ath10k: Fix memory leak in management tx Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 46/73] wifi: iwlegacy: Clear stale interrupts before resuming device Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 47/73] staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 48/73] iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 49/73] iio: light: veml6030: fix microlux value calculation Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 50/73] nilfs2: fix potential deadlock with newly created symlinks Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 51/73] riscv: vdso: Prevent the compiler from inserting calls to memset() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 52/73] riscv: efi: Set NX compat flag in PE/COFF header Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 53/73] riscv: Use %u to format the output of cpu Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 54/73] riscv: Remove unused GENERATING_ASM_OFFSETS Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 55/73] riscv: Remove duplicated GET_RM Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 56/73] mm/page_alloc: call check_new_pages() while zone spinlock is not held Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 57/73] mm/page_alloc: fix tracepoint mm_page_alloc_zone_locked() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 58/73] mm/page_alloc: split out buddy removal code from rmqueue into separate helper Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 59/73] mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 60/73] mm/page_alloc: treat RT tasks similar to __GFP_HIGH Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 61/73] mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 62/73] mm/page_alloc: explicitly define what alloc flags deplete min reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 63/73] mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 64/73] mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 65/73] ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Greg Kroah-Hartman
2024-11-06 12:06 ` Greg Kroah-Hartman [this message]
2024-11-06 12:06 ` [PATCH 5.15 67/73] nilfs2: fix kernel bug due to missing clearing of checked flag Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 68/73] wifi: iwlwifi: mvm: fix 6 GHz scan construction Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 69/73] mm: shmem: fix data-race in shmem_getattr() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 70/73] Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 71/73] drm/i915: Fix potential context UAFs Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 72/73] vt: prevent kernel-infoleak in con_font_get() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 73/73] mac80211: always have ieee80211_sta_restart() Greg Kroah-Hartman
2024-11-06 16:53 ` [PATCH 5.15 00/73] 5.15.171-rc1 review SeongJae Park
2024-11-07 2:50 ` Shuah Khan
2024-11-07 2:56 ` Shuah Khan
2024-11-07 12:03 ` Naresh Kamboju
2024-11-11 14:37 ` [PATCH 5.15] ACPI: PRM: Clean up guid type in struct prm_handler_info Nathan Chancellor
2024-11-12 8:31 ` Greg KH
2024-11-07 13:42 ` [PATCH 5.15 00/73] 5.15.171-rc1 review Jon Hunter
2024-11-07 19:29 ` Florian Fainelli
2024-11-08 2:31 ` Ron Economos
2024-11-08 7:06 ` [PATCH 5.15] " Hardik Garg
2024-11-08 15:46 ` [PATCH 5.15 00/73] " Mark Brown
2024-11-09 16:05 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241106120301.920631199@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=mingo@kernel.org \
--cc=patches@lists.linux.dev \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=rtgill82@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.