From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrew Cooper <andrew.cooper3@citrix.com>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Borislav Petkov <bp@suse.de>
Subject: [PATCH 5.4 15/15] x86/speculation: Add LFENCE to RSB fill sequence
Date: Tue, 9 Aug 2022 20:00:33 +0200 [thread overview]
Message-ID: <20220809175510.849644425@linuxfoundation.org> (raw)
In-Reply-To: <20220809175510.312431319@linuxfoundation.org>
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit ba6e31af2be96c4d0536f2152ed6f7b6c11bca47 upstream.
RSB fill sequence does not have any protection for miss-prediction of
conditional branch at the end of the sequence. CPU can speculatively
execute code immediately after the sequence, while RSB filling hasn't
completed yet.
#define __FILL_RETURN_BUFFER(reg, nr, sp) \
mov $(nr/2), reg; \
771: \
call 772f; \
773: /* speculation trap */ \
pause; \
lfence; \
jmp 773b; \
772: \
call 774f; \
775: /* speculation trap */ \
pause; \
lfence; \
jmp 775b; \
774: \
dec reg; \
jnz 771b; <----- CPU can miss-predict here. \
add $(BITS_PER_LONG/8) * nr, sp;
Before RSB is filled, RETs that come in program order after this macro
can be executed speculatively, making them vulnerable to RSB-based
attacks.
Mitigate it by adding an LFENCE after the conditional branch to prevent
speculation while RSB is being filled.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/nospec-branch.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -61,7 +61,9 @@
774: \
dec reg; \
jnz 771b; \
- add $(BITS_PER_LONG/8) * nr, sp;
+ add $(BITS_PER_LONG/8) * nr, sp; \
+ /* barrier for jnz misprediction */ \
+ lfence;
#define __ISSUE_UNBALANCED_RET_GUARD(sp) \
call 881f; \
next prev parent reply other threads:[~2022-08-09 18:09 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 18:00 [PATCH 5.4 00/15] 5.4.210-rc1 review Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 01/15] thermal: Fix NULL pointer dereferences in of_thermal_ functions Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 02/15] ACPI: video: Force backlight native for some TongFang devices Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 03/15] ACPI: video: Shortening quirk list by identifying Clevo by board_name only Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 04/15] ACPI: APEI: Better fix to avoid spamming the console with old error logs Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 05/15] bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 06/15] selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 07/15] bpf: Test_verifier, #70 error message updates for 32-bit right shift Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 08/15] selftests/bpf: Fix test_align verifier log patterns Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 09/15] selftests/bpf: Fix "dubious pointer arithmetic" test Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 10/15] KVM: Dont null dereference ops->destroy Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 11/15] selftests: KVM: Handle compiler optimizations in ucall Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 12/15] media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 13/15] macintosh/adb: fix oob read in do_adb_query() function Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.4 14/15] x86/speculation: Add RSB VM Exit protections Greg Kroah-Hartman
2022-08-09 18:00 ` Greg Kroah-Hartman [this message]
2022-08-09 18:56 ` [PATCH 5.4 00/15] 5.4.210-rc1 review Florian Fainelli
2022-08-10 9:12 ` Naresh Kamboju
2022-08-10 13:20 ` Sudip Mukherjee (Codethink)
2022-08-10 13:31 ` Guenter Roeck
2022-08-10 14:25 ` Jon Hunter
2022-08-10 14:45 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220809175510.849644425@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrew.cooper3@citrix.com \
--cc=bp@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox