[PATCH 0/2] x86/speculation/mds: Minor fixes

From: Andy Lutomirski
Date: 2019-05-14 20:24 UTC
To: x86
Cc: LKML, Andy Lutomirski

The first I heard of MDS was today. Let's fix the problems I noticed right away.

Andy Lutomirski (2):
  x86/speculation/mds: Revert CPU buffer clear on double fault exit
  x86/speculation/mds: Improve CPU buffer clear documentation

 Documentation/x86/mds.rst | 44 ++++++--------------------------------
 arch/x86/kernel/traps.c   |  8 -------
 2 files changed, 6 insertions(+), 46 deletions(-)

-- 
2.21.0
[PATCH 1/2] x86/speculation/mds: Revert CPU buffer clear on double fault exit

From: Andy Lutomirski
Date: 2019-05-14 20:24 UTC
To: x86
Cc: LKML, Andy Lutomirski, stable, Greg Kroah-Hartman, Borislav Petkov, Frederic Weisbecker, Jon Masters

The double fault ESPFIX path doesn't return to user mode at all -- it returns back to the kernel by simulating a #GP fault. prepare_exit_to_usermode() will run on the way out of general_protection before running user code.

Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Jon Masters <jcm@redhat.com>
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 Documentation/x86/mds.rst | 7 -------
 arch/x86/kernel/traps.c   | 8 --------
 2 files changed, 15 deletions(-)

diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
index 534e9baa4e1d..0dc812bb9249 100644
--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -158,13 +158,6 @@ Mitigation points mitigated on the return from do_nmi() to provide almost complete coverage. - - Double fault (#DF): - - A double fault is usually fatal, but the ESPFIX workaround, which can - be triggered from user space through modify_ldt(2) is a recoverable - double fault. #DF uses the paranoid exit path, so explicit mitigation - in the double fault handler is required. - - Machine Check Exception (#MC): Another corner case is a #MC which hits between the CPU buffer clear 
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 7de466eb960b..8b6d03e55d2f 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -58,7 +58,6 @@ #include <asm/alternative.h> #include <asm/fpu/xstate.h> #include <asm/trace/mpx.h> -#include <asm/nospec-branch.h> #include <asm/mpx.h> #include <asm/vm86.h> #include <asm/umip.h> @@ -368,13 +367,6 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) regs->ip = (unsigned long)general_protection; regs->sp = (unsigned long)&gpregs->orig_ax; - /* - * This situation can be triggered by userspace via - * modify_ldt(2) and the return does not take the regular - * user space exit, so a CPU buffer clear is required when - * MDS mitigation is enabled. - */ - mds_user_clear_cpu_buffers(); return; } #endif -- 2.21.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
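Review bot: the mds.rst hunk deletes the "Double fault (#DF)" entry from the "Mitigation points" list without leaving any trace of why #DF no longer needs listing, so a reader of the remaining list may assume the case was overlooked rather than covered. The commit message carries the reasoning (the ESPFIX path returns to the kernel via the simulated #GP, and general_protection then reaches prepare_exit_to_usermode()); consider keeping a one-line note to that effect in place of the entry. Deleting the sentence "#DF uses the paranoid exit path, so explicit mitigation in the double fault handler is required" is correct, since that is exactly the claim the commit message refutes.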
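Review bot: removing "-#include <asm/nospec-branch.h>" from traps.c assumes mds_user_clear_cpu_buffers() was the only symbol traps.c took from that header, and nothing in the visible hunks shows whether that is so. The "#endif" immediately after the second hunk shows the removed call sat inside a conditional block, so on configurations where that block is compiled out the header has no remaining user from this patch's point of view, but any other use elsewhere in the file would only surface as a build failure on configurations that happen to exercise it. Please confirm with a build of both the enabled and disabled variant of that block before dropping the include.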
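Review bot: the do_double_fault hunk deletes the explanatory comment together with the call, leaving the "regs->ip = (unsigned long)general_protection;" / "regs->sp = (unsigned long)&gpregs->orig_ax;" rewrite with no mention of MDS at all. Since the removed comment argued in so many words that a buffer clear was required here, a future reader may well reintroduce it. Suggest replacing the removed comment with one sentence stating that this path resumes in general_protection, which reaches prepare_exit_to_usermode() and therefore the user-space buffer clear before any return to user mode, so that the clear was redundant here rather than forgotten.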
[tip:x86/urgent] x86/speculation/mds: Revert CPU buffer clear on double fault exit

From: tip-bot for Andy Lutomirski
Date: 2019-05-16 7:10 UTC
To: linux-tip-commits
Cc: tglx, gregkh, linux-kernel, frederic, bp, peterz, torvalds, mingo, jcm, hpa, luto

Commit-ID:  88640e1dcd089879530a49a8d212d1814678dfe7
Gitweb:     https://git.kernel.org/tip/88640e1dcd089879530a49a8d212d1814678dfe7
Author:     Andy Lutomirski <luto@kernel.org>
AuthorDate: Tue, 14 May 2019 13:24:39 -0700
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Thu, 16 May 2019 09:05:11 +0200

x86/speculation/mds: Revert CPU buffer clear on double fault exit

The double fault ESPFIX path doesn't return to user mode at all -- it returns back to the kernel by simulating a #GP fault. prepare_exit_to_usermode() will run on the way out of general_protection before running user code.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/ac97612445c0a44ee10374f6ea79c222fe22a5c4.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 Documentation/x86/mds.rst | 7 -------
 arch/x86/kernel/traps.c   | 8 --------
 2 files changed, 15 deletions(-)

diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
index 534e9baa4e1d..0dc812bb9249 100644
--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -158,13 +158,6 @@ Mitigation points mitigated on the return from do_nmi() to provide almost complete coverage. - - Double fault (#DF): - - A double fault is usually fatal, but the ESPFIX workaround, which can - be triggered from user space through modify_ldt(2) is a recoverable - double fault. #DF uses the paranoid exit path, so explicit mitigation - in the double fault handler is required. - - Machine Check Exception (#MC): Another corner case is a #MC which hits between the CPU buffer clear diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 7de466eb960b..8b6d03e55d2f 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -58,7 +58,6 @@ #include <asm/alternative.h> #include <asm/fpu/xstate.h> #include <asm/trace/mpx.h> -#include <asm/nospec-branch.h> #include <asm/mpx.h> #include <asm/vm86.h> #include <asm/umip.h> @@ -368,13 +367,6 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) regs->ip = (unsigned long)general_protection; regs->sp = (unsigned long)&gpregs->orig_ax; - /* - * This situation can be triggered by userspace via - * modify_ldt(2) and the return does not take the regular - * user space exit, so a CPU buffer clear is required when - * MDS mitigation is enabled. - */ - mds_user_clear_cpu_buffers(); return; } #endif ^ permalink raw reply related [flat|nested] 5+ messages in thread
[PATCH 2/2] x86/speculation/mds: Improve CPU buffer clear documentation

From: Andy Lutomirski
Date: 2019-05-14 20:24 UTC
To: x86
Cc: LKML, Andy Lutomirski, stable, Greg Kroah-Hartman, Borislav Petkov, Frederic Weisbecker, Jon Masters

On x86_64, all returns to usermode go through prepare_exit_to_usermode(), with the sole exception of do_nmi(). This even includes machine checks -- this was added several years ago to support MCE recovery.

Update the documentation.

Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Jon Masters <jcm@redhat.com>
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 Documentation/x86/mds.rst | 39 +++++++--------------------------------
 1 file changed, 7 insertions(+), 32 deletions(-)

diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
index 0dc812bb9249..5d4330be200f 100644
--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -142,38 +142,13 @@ Mitigation points mds_user_clear. The mitigation is invoked in prepare_exit_to_usermode() which covers - most of the kernel to user space transitions. There are a few exceptions - which are not invoking prepare_exit_to_usermode() on return to user - space. These exceptions use the paranoid exit code. - - - Non Maskable Interrupt (NMI): - - Access to sensible data like keys, credentials in the NMI context is - mostly theoretical: The CPU can do prefetching or execute a - misspeculated code path and thereby fetching data which might end up - leaking through a buffer. - - But for mounting other attacks the kernel stack address of the task is - already valuable information. So in full mitigation mode, the NMI is - mitigated on the return from do_nmi() to provide almost complete - coverage. - - - Machine Check Exception (#MC): - - Another corner case is a #MC which hits between the CPU buffer clear - invocation and the actual return to user. As this still is in kernel - space it takes the paranoid exit path which does not clear the CPU - buffers. So the #MC handler repopulates the buffers to some - extent. Machine checks are not reliably controllable and the window is - extremly small so mitigation would just tick a checkbox that this - theoretical corner case is covered. To keep the amount of special - cases small, ignore #MC. - - - Debug Exception (#DB): - - This takes the paranoid exit path only when the INT1 breakpoint is in - kernel space. #DB on a user space address takes the regular exit path, - so no extra mitigation required. + all but one of the kernel to user space transitions. The exception + is when we return from a Non Maskable Interrupt (NMI), which is + handled directly in do_nmi(). + + (The reason that NMI is special is that prepare_exit_to_usermode() can + enable IRQs. In NMI context, NMIs are blocked, and we don't want to + enable IRQs with NMIs blocked.) 2. 
C-State transition
-- 
2.21.0
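Review bot: in the mds.rst hunk, the replacement text says the NMI return "is handled directly in do_nmi()" but no longer states that the CPU buffer clear is actually performed there, whereas the deleted text did ("the NMI is mitigated on the return from do_nmi()"). A reader of the new paragraph can come away believing NMI is the one unmitigated transition. Suggest wording the added line along the lines of "which performs the CPU buffer clear itself on the way out of do_nmi()". Separately, the commit message scopes its claim to x86_64, while the new sentence "all but one of the kernel to user space transitions" is unqualified; either confirm the 32-bit entry code has the same single exception or add the qualifier to the document.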
[tip:x86/urgent] x86/speculation/mds: Improve CPU buffer clear documentation

From: tip-bot for Andy Lutomirski
Date: 2019-05-16 7:11 UTC
To: linux-tip-commits
Cc: mingo, tglx, hpa, torvalds, linux-kernel, frederic, bp, luto, gregkh, peterz, jcm

Commit-ID:  9d8d0294e78a164d407133dea05caf4b84247d6a
Gitweb:     https://git.kernel.org/tip/9d8d0294e78a164d407133dea05caf4b84247d6a
Author:     Andy Lutomirski <luto@kernel.org>
AuthorDate: Tue, 14 May 2019 13:24:40 -0700
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Thu, 16 May 2019 09:05:12 +0200

x86/speculation/mds: Improve CPU buffer clear documentation

On x86_64, all returns to usermode go through prepare_exit_to_usermode(), with the sole exception of do_nmi(). This even includes machine checks -- this was added several years ago to support MCE recovery.

Update the documentation.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 Documentation/x86/mds.rst | 39 +++++++--------------------------------
 1 file changed, 7 insertions(+), 32 deletions(-)

diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
index 0dc812bb9249..5d4330be200f 100644
--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -142,38 +142,13 @@ Mitigation points mds_user_clear. The mitigation is invoked in prepare_exit_to_usermode() which covers - most of the kernel to user space transitions. There are a few exceptions - which are not invoking prepare_exit_to_usermode() on return to user - space. These exceptions use the paranoid exit code. - - - Non Maskable Interrupt (NMI): - - Access to sensible data like keys, credentials in the NMI context is - mostly theoretical: The CPU can do prefetching or execute a - misspeculated code path and thereby fetching data which might end up - leaking through a buffer. - - But for mounting other attacks the kernel stack address of the task is - already valuable information. So in full mitigation mode, the NMI is - mitigated on the return from do_nmi() to provide almost complete - coverage. - - - Machine Check Exception (#MC): - - Another corner case is a #MC which hits between the CPU buffer clear - invocation and the actual return to user. As this still is in kernel - space it takes the paranoid exit path which does not clear the CPU - buffers. So the #MC handler repopulates the buffers to some - extent. Machine checks are not reliably controllable and the window is - extremly small so mitigation would just tick a checkbox that this - theoretical corner case is covered. To keep the amount of special - cases small, ignore #MC. - - - Debug Exception (#DB): - - This takes the paranoid exit path only when the INT1 breakpoint is in - kernel space. #DB on a user space address takes the regular exit path, - so no extra mitigation required. + all but one of the kernel to user space transitions. The exception + is when we return from a Non Maskable Interrupt (NMI), which is + handled directly in do_nmi(). + + (The reason that NMI is special is that prepare_exit_to_usermode() can + enable IRQs. In NMI context, NMIs are blocked, and we don't want to + enable IRQs with NMIs blocked.) 2. 
C-State transition