From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Robert Gill <rtgill82@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Brian Gerst <brgerst@gmail.com>,
	Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
	Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 5.15 66/73] x86/bugs: Use code segment selector for VERW operand
Date: Wed,  6 Nov 2024 13:06:10 +0100
Message-ID: <20241106120301.920631199@linuxfoundation.org>
In-Reply-To: <20241106120259.955073160@linuxfoundation.org>

5.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

commit e4d2102018542e3ae5e297bc6e229303abff8a0f upstream.

Robert Gill reported the #GP below in 32-bit mode when the dosemu software was
executing the vm86() system call:

  general protection fault: 0000 [#1] PREEMPT SMP
  CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
  Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
  EIP: restore_all_switch_stack+0xbe/0xcf
  EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
  ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
  DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
  CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
  Call Trace:
   show_regs+0x70/0x78
   die_addr+0x29/0x70
   exc_general_protection+0x13c/0x348
   exc_bounds+0x98/0x98
   handle_exception+0x14d/0x14d
   exc_bounds+0x98/0x98
   restore_all_switch_stack+0xbe/0xcf
   exc_bounds+0x98/0x98
   restore_all_switch_stack+0xbe/0xcf

This only happens in 32-bit mode when VERW-based mitigations like MDS/RFDS
are enabled. This is because segment registers with an arbitrary user value
can result in #GP when executing VERW. Intel SDM vol. 2C documents the
following behavior for the VERW instruction:

  #GP(0) - If a memory operand effective address is outside the CS, DS, ES,
	   FS, or GS segment limit.

The CLEAR_CPU_BUFFERS macro executes the VERW instruction before returning to user
space. Use the %cs selector to reference the VERW operand. This ensures VERW will
not #GP for an arbitrary user %ds.

[ mingo: Fixed the SOB chain. ]

Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition")
Reported-by: Robert Gill <rtgill82@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: stable@vger.kernel.org # 5.10+
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707
Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.info/
Suggested-by: Dave Hansen <dave.hansen@linux.intel.com>
Suggested-by: Brian Gerst <brgerst@gmail.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/nospec-branch.h |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -199,7 +199,16 @@
  */
 .macro CLEAR_CPU_BUFFERS
 	ALTERNATIVE "jmp .Lskip_verw_\@", "", X86_FEATURE_CLEAR_CPU_BUF
-	verw _ASM_RIP(mds_verw_sel)
+#ifdef CONFIG_X86_64
+	verw mds_verw_sel(%rip)
+#else
+	/*
+	 * In 32bit mode, the memory operand must be a %cs reference. The data
+	 * segments may not be usable (vm86 mode), and the stack segment may not
+	 * be flat (ESPFIX32).
+	 */
+	verw %cs:mds_verw_sel
+#endif
 .Lskip_verw_\@:
 .endm
 
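Review bot: the `#else` branch explains (vm86 data segments, ESPFIX32 stack) why the 32-bit operand must be a `%cs` reference, but the `#ifdef CONFIG_X86_64` branch carries no comment, so a reader of `verw mds_verw_sel(%rip)` has to go back to the commit message to learn that the segment-limit #GP "only happens in 32-bit mode"; a one-line comment above the 64-bit form would keep the two halves of the `#ifdef` self-explanatory. A small style point in the new comment: `32bit` should read `32-bit`, matching the commit message.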



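As an added triage example (not part of the patch or of the kernel tree), this script recognises the oops signature quoted in the commit message above: a 32-bit #GP(0) at restore_all_switch_stack with a null %ds or %es. The sample oops is constructed from the lines of the report, and the match rule is my own heuristic, not anything the patch defines.

```python
import re

# Constructed sample input: the oops quoted in the commit message, trimmed
# to the lines this check reads.
SAMPLE_OOPS = """\
general protection fault: 0000 [#1] PREEMPT SMP
CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
EIP: restore_all_switch_stack+0xbe/0xcf
DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
"""

GP_RE = re.compile(r"^general protection fault: ([0-9a-fA-F]{4})", re.M)
# "EIP:" is only printed by 32-bit kernels; 64-bit oopses print "RIP:".
EIP_RE = re.compile(r"^\s*EIP: ([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+", re.M)
SEG_RE = re.compile(r"\b(DS|ES|FS|GS|SS): ([0-9a-fA-F]{4})")


def parse_oops(text):
    """Extract the fields needed to recognise the vm86/VERW #GP pattern."""
    gp = GP_RE.search(text)
    eip = EIP_RE.search(text)
    return {
        "gp_error_code": int(gp.group(1), 16) if gp else None,
        "eip_symbol": eip.group(1) if eip else None,
        "segs": {name: int(val, 16) for name, val in SEG_RE.findall(text)},
    }


def matches_verw_gp(text):
    """Heuristic (mine, not from the patch): a #GP(0) on the 32-bit
    return-to-user path with a null %ds or %es. VERW's memory operand is
    checked against the data segment, and a null selector cannot be used
    for a memory reference, which is the failure the commit describes."""
    info = parse_oops(text)
    segs = info["segs"]
    return (info["gp_error_code"] == 0
            and info["eip_symbol"] == "restore_all_switch_stack"
            and (segs.get("DS") == 0 or segs.get("ES") == 0))


if __name__ == "__main__":
    verdict = "matches" if matches_verw_gp(SAMPLE_OOPS) else "does not match"
    print("sample oops", verdict, "the vm86/VERW #GP signature")
```

A kernel at or after the Fixes: target that still shows this signature is worth re-checking for the backport; an oops with a non-null %ds at the same EIP is a different bug.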