From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To: Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org,
Robert Gill <rtgill82@gmail.com>,
Jari Ruusu <jariruusu@protonmail.com>,
Brian Gerst <brgerst@gmail.com>,
"Linux regression tracking (Thorsten Leemhuis)"
<regressions@leemhuis.info>,
antonio.gomez.iglesias@linux.intel.com,
daniel.sneddon@linux.intel.com, stable@vger.kernel.org
Subject: [PATCH v7 0/3] Fix dosemu vm86() fault
Date: Wed, 25 Sep 2024 15:25:32 -0700
Message-ID: <20240925-fix-dosemu-vm86-v7-0-1de0daca2d42@linux.intel.com>
Changes in v7:
- Using %ss for verw fails kselftest ldt_gdt.c in 32-bit mode, use safer %cs instead (Dave).
v6: https://lore.kernel.org/r/20240905-fix-dosemu-vm86-v6-0-7aff8e53cbbf@linux.intel.com
- Use %ss in 64-bit mode as well for all VERW calls. This avoids having
a separate macro for 32-bit (Dave).
- Split 32-bit mode fixes into separate patches.
v5: https://lore.kernel.org/r/20240711-fix-dosemu-vm86-v5-1-e87dcd7368aa@linux.intel.com
- Simplify the use of ALTERNATIVE construct (Uros/Jiri/Peter).
v4: https://lore.kernel.org/r/20240710-fix-dosemu-vm86-v4-1-aa6464e1de6f@linux.intel.com
- Further simplify the patch by using %ss for all VERW calls in 32-bit mode (Brian).
- In NMI exit path move VERW after RESTORE_ALL_NMI that touches GPRs (Dave).
v3: https://lore.kernel.org/r/20240701-fix-dosemu-vm86-v3-1-b1969532c75a@linux.intel.com
- Simplify CLEAR_CPU_BUFFERS_SAFE by using %ss instead of %ds (Brian).
- Do verw before popf in SYSEXIT path (Jari).
v2: https://lore.kernel.org/r/20240627-fix-dosemu-vm86-v2-1-d5579f698e77@linux.intel.com
- Safe guard against any other system calls like vm86() that might change %ds (Dave).
v1: https://lore.kernel.org/r/20240426-fix-dosemu-vm86-v1-1-88c826a3f378@linux.intel.com
Hi,
This series fixes a #GP in 32-bit kernels when executing the vm86() system call
in dosemu software. In 32-bit mode, there are cases when the user can set an
arbitrary %ds that can cause a #GP when executing the VERW instruction. The
fix is to use %ss for referencing the VERW operand.
Patches 1-2: Fix the VERW call sites in the 32-bit entry path.
Patch 3: Uses %ss for VERW in 32-bit and 64-bit mode.
The fix is tested with below kselftest on 32-bit kernel:
./tools/testing/selftests/x86/entry_from_vm86.c
The 64-bit kernel was boot tested. On a Rocket Lake, measuring the CPU cycles
for VERW with and without the %ss shows no significant difference. This
indicates that the scrubbing behavior of VERW is intact.
Thanks,
Pawan
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
Pawan Gupta (3):
x86/entry_32: Do not clobber user EFLAGS.ZF
x86/entry_32: Clear CPU buffers after register restore in NMI return
x86/bugs: Use code segment selector for VERW operand
arch/x86/entry/entry_32.S | 6 ++++--
arch/x86/include/asm/nospec-branch.h | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
---
base-commit: 431c1646e1f86b949fa3685efc50b660a364c2b6
change-id: 20240426-fix-dosemu-vm86-dd111a01737e
Best regards,
--
Thanks,
Pawan