From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andy Lutomirski <luto@kernel.org>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Denys Vlasenko <dvlasenk@redhat.com>,
Dominik Brodowski <linux@dominikbrodowski.net>,
"H. Peter Anvin" <hpa@zytor.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Juergen Gross <jgross@suse.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
xen-devel@lists.xenproject.org, Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.17 19/31] x86/entry/64: Remove %ebx handling from error_entry/exit
Date: Sat, 4 Aug 2018 11:00:54 +0200 [thread overview]
Message-ID: <20180804082633.816762866@linuxfoundation.org> (raw)
In-Reply-To: <20180804082632.304529527@linuxfoundation.org>
4.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@kernel.org>
commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.
error_entry and error_exit communicate the user vs. kernel status of
the frame using %ebx. This is unnecessary -- the information is in
regs->cs. Just use regs->cs.
This makes error_entry simpler and makes error_exit more robust.
It also fixes a nasty bug. Before all the Spectre nonsense, the
xen_failsafe_callback entry point returned like this:
ALLOC_PT_GPREGS_ON_STACK
SAVE_C_REGS
SAVE_EXTRA_REGS
ENCODE_FRAME_POINTER
jmp error_exit
And it did not go through error_entry. This was bogus: RBX
contained garbage, and error_exit expected a flag in RBX.
Fortunately, it generally contained *nonzero* garbage, so the
correct code path was used. As part of the Spectre fixes, code was
added to clear RBX to mitigate certain speculation attacks. Now,
depending on kernel configuration, RBX got zeroed and, when running
some Wine workloads, the kernel crashes. This was introduced by:
commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
With this patch applied, RBX is no longer needed as a flag, and the
problem goes away.
I suspect that malicious userspace could use this bug to crash the
kernel even without the offending patch applied, though.
[ Historical note: I wrote this patch as a cleanup before I was aware
of the bug it fixed. ]
[ Note to stable maintainers: this should probably get applied to all
kernels. If you're nervous about that, a more conservative fix to
add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
also fix the problem. ]
Reported-and-tested-by: M. Vefa Bicakci <m.v.b@runbox.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Cc: xen-devel@lists.xenproject.org
Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/entry/entry_64.S | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -981,7 +981,7 @@ ENTRY(\sym)
call \do_sym
- jmp error_exit /* %ebx: no swapgs flag */
+ jmp error_exit
.endif
END(\sym)
.endm
@@ -1222,7 +1222,6 @@ END(paranoid_exit)
/*
* Save all registers in pt_regs, and switch GS if needed.
- * Return: EBX=0: came from user mode; EBX=1: otherwise
*/
ENTRY(error_entry)
UNWIND_HINT_FUNC
@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
* for these here too.
*/
.Lerror_kernelspace:
- incl %ebx
leaq native_irq_return_iret(%rip), %rcx
cmpq %rcx, RIP+8(%rsp)
je .Lerror_bad_iret
@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
/*
* Pretend that the exception came from user mode: set up pt_regs
- * as if we faulted immediately after IRET and clear EBX so that
- * error_exit knows that we will be returning to user mode.
+ * as if we faulted immediately after IRET.
*/
mov %rsp, %rdi
call fixup_bad_iret
mov %rax, %rsp
- decl %ebx
jmp .Lerror_entry_from_usermode_after_swapgs
END(error_entry)
-
-/*
- * On entry, EBX is a "return to kernel mode" flag:
- * 1: already in kernel mode, don't need SWAPGS
- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
- */
ENTRY(error_exit)
UNWIND_HINT_REGS
DISABLE_INTERRUPTS(CLBR_ANY)
TRACE_IRQS_OFF
- testl %ebx, %ebx
- jnz retint_kernel
+ testb $3, CS(%rsp)
+ jz retint_kernel
jmp retint_user
END(error_exit)
next prev parent reply other threads:[~2018-08-04 9:03 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-04 9:00 [PATCH 4.17 00/31] 4.17.13-stable review Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 01/31] bonding: avoid lockdep confusion in bond_get_stats() Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 02/31] inet: frag: enforce memory limits earlier Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 03/31] ipv4: frags: handle possible skb truesize change Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 04/31] net: dsa: Do not suspend/resume closed slave_dev Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 05/31] netlink: Fix spectre v1 gadget in netlink_create() Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 06/31] net: stmmac: Fix WoL for PCI-based setups Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 07/31] rxrpc: Fix user call ID check in rxrpc_service_prealloc_one Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 08/31] net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 09/31] net/mlx5e: Set port trust mode to PCP as default Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 10/31] net/mlx5e: IPoIB, Set the netdevice sw mtu in ipoib enhanced flow Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 11/31] squashfs: more metadata hardening Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 13/31] can: ems_usb: Fix memory leak on ems_usb_disconnect() Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 14/31] net: socket: fix potential spectre v1 gadget in socketcall Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 15/31] net: socket: Fix potential spectre v1 gadget in sock_is_registered Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 16/31] virtio_balloon: fix another race between migration and ballooning Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 17/31] x86/efi: Access EFI MMIO data as unencrypted when SEV is active Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 18/31] x86/apic: Future-proof the TSC_DEADLINE quirk for SKX Greg Kroah-Hartman
2018-08-04 9:00 ` Greg Kroah-Hartman [this message]
2018-08-04 9:00 ` [PATCH 4.17 20/31] kvm: x86: vmx: fix vpid leak Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 21/31] audit: fix potential null dereference context->module.name Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 23/31] userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails Greg Kroah-Hartman
2018-08-04 9:00 ` [PATCH 4.17 24/31] iwlwifi: add more card IDs for 9000 series Greg Kroah-Hartman
2018-08-04 9:01 ` [PATCH 4.17 26/31] RDMA/uverbs: Expand primary and alt AV port checks Greg Kroah-Hartman
2018-08-04 9:01 ` [PATCH 4.17 27/31] crypto: padlock-aes - Fix Nano workaround data corruption Greg Kroah-Hartman
2018-08-04 9:01 ` [PATCH 4.17 28/31] drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats Greg Kroah-Hartman
2018-08-04 9:01 ` [PATCH 4.17 29/31] drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check() Greg Kroah-Hartman
2018-08-04 9:01 ` [PATCH 4.17 30/31] drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make gcc happy Greg Kroah-Hartman
2018-08-04 9:01 ` [PATCH 4.17 31/31] scsi: sg: fix minor memory leak in error path Greg Kroah-Hartman
2018-08-04 14:49 ` [PATCH 4.17 00/31] 4.17.13-stable review Guenter Roeck
2018-08-05 6:54 ` Greg Kroah-Hartman
2018-08-05 11:50 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180804082633.816762866@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=dvlasenk@redhat.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox