[RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

Hi Greg,

This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
and patches for the Speculative Store Bypass vulnerability to 4.4.y
(they apply cleanly on top of 4.4.140).

I used 4.9.y as my reference when backporting to 4.4.y (as I thought
that would minimize the amount of fixing up necessary). Unfortunately
I had to skip the KVM fixes for these vulnerabilities, as the KVM
codebase is drastically different in 4.4 as compared to 4.9. (I tried
my best to backport them initially, but wasn't confident that they
were correct, so I decided to drop them from this series).

You'll notice that the initial few patches in this series include
cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
patches are aimed at getting the cpufeature.h vs cpufeatures.h split
into 4.4, since a lot of the subsequent patches update these headers.
On my first attempt to backport these patches to 4.4.y, I had actually
tried to do all the updates on the cpufeature.h file itself, but it
started getting very cumbersome, so I resorted to backporting the
cpufeature.h vs cpufeatures.h split and their dependencies as well. I
think apart from these initial patches, the rest of the patchset
doesn't have all that much noise. 

This patchset has been tested on both Intel and AMD machines (Intel
Xeon CPU E5-2660 v4 and AMD EPYC 7281 16-Core Processor, respectively)
with updated microcode. All the patch backports have been
independently reviewed by Matt Helsley, Alexey Makhalov and Bo Gan.

I would appreciate if you could kindly consider these patches for
review and inclusion in a future 4.4.y release.

Thank you very much!

Regards,
Srivatsa
VMware Photon OS

P.S. This patchset is also available in the following repo if anyone
     is interested in giving it a try:

https://github.com/srivatsabhat/linux-stable spectre-v2-fixes-nokvm-4.4.140


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH 4.4.y 040/101] x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend

[Srivatsa S. Bhat]

From: Juergen Gross <jgross@suse.com>

commit 71c208dd54ab971036d83ff6d9837bae4976e623 upstream.

Older Xen versions (4.5 and before) might have problems migrating pv
guests with MSR_IA32_SPEC_CTRL having a non-zero value. So before
suspending zero that MSR and restore it after being resumed.

Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Cc: stable@vger.kernel.org
Cc: xen-devel@lists.xenproject.org
Cc: boris.ostrovsky@oracle.com
Link: https://lkml.kernel.org/r/20180226140818.4849-1-jgross@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Matt Helsley (VMware) <matt.helsley@gmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
---

 arch/x86/xen/suspend.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c
index 7f664c4..4ecd0de 100644
--- a/arch/x86/xen/suspend.c
+++ b/arch/x86/xen/suspend.c
@@ -1,11 +1,14 @@
 #include <linux/types.h>
 #include <linux/tick.h>
+#include <linux/percpu-defs.h>
 
 #include <xen/xen.h>
 #include <xen/interface/xen.h>
 #include <xen/grant_table.h>
 #include <xen/events.h>
 
+#include <asm/cpufeatures.h>
+#include <asm/msr-index.h>
 #include <asm/xen/hypercall.h>
 #include <asm/xen/page.h>
 #include <asm/fixmap.h>
@@ -68,6 +71,8 @@ static void xen_pv_post_suspend(int suspend_cancelled)
 	xen_mm_unpin_all();
 }
 
+static DEFINE_PER_CPU(u64, spec_ctrl);
+
 void xen_arch_pre_suspend(void)
 {
 	if (xen_pv_domain())
@@ -84,6 +89,9 @@ void xen_arch_post_suspend(int cancelled)
 
 static void xen_vcpu_notify_restore(void *data)
 {
+	if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL))
+		wrmsrl(MSR_IA32_SPEC_CTRL, this_cpu_read(spec_ctrl));
+
 	/* Boot processor notified via generic timekeeping_resume() */
 	if (smp_processor_id() == 0)
 		return;
@@ -93,7 +101,15 @@ static void xen_vcpu_notify_restore(void *data)
 
 static void xen_vcpu_notify_suspend(void *data)
 {
+	u64 tmp;
+
 	tick_suspend_local();
+
+	if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) {
+		rdmsrl(MSR_IA32_SPEC_CTRL, tmp);
+		this_cpu_write(spec_ctrl, tmp);
+		wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+	}
 }
 
 void xen_arch_resume(void)


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
> Hi Greg,
> 
> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
> and patches for the Speculative Store Bypass vulnerability to 4.4.y
> (they apply cleanly on top of 4.4.140).
> 
> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
> that would minimize the amount of fixing up necessary). Unfortunately
> I had to skip the KVM fixes for these vulnerabilities, as the KVM
> codebase is drastically different in 4.4 as compared to 4.9. (I tried
> my best to backport them initially, but wasn't confident that they
> were correct, so I decided to drop them from this series).
> 
> You'll notice that the initial few patches in this series include
> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
> into 4.4, since a lot of the subsequent patches update these headers.
> On my first attempt to backport these patches to 4.4.y, I had actually
> tried to do all the updates on the cpufeature.h file itself, but it
> started getting very cumbersome, so I resorted to backporting the
> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
> think apart from these initial patches, the rest of the patchset
> doesn't have all that much noise. 

I've applied the "initial" patches to the 4.4-stable queue right now, as
those were all just "housekeeping" stuff.  I'll let others review the
rest of the series this week and see if anyone objects before throwing
them at the test-bots.

Many thanks for doing all of this work.

greg k-h

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 7/15/18 4:26 AM, Greg KH wrote:
> On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
>> Hi Greg,
>>
>> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
>> and patches for the Speculative Store Bypass vulnerability to 4.4.y
>> (they apply cleanly on top of 4.4.140).
>>
>> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
>> that would minimize the amount of fixing up necessary). Unfortunately
>> I had to skip the KVM fixes for these vulnerabilities, as the KVM
>> codebase is drastically different in 4.4 as compared to 4.9. (I tried
>> my best to backport them initially, but wasn't confident that they
>> were correct, so I decided to drop them from this series).
>>
>> You'll notice that the initial few patches in this series include
>> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
>> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
>> into 4.4, since a lot of the subsequent patches update these headers.
>> On my first attempt to backport these patches to 4.4.y, I had actually
>> tried to do all the updates on the cpufeature.h file itself, but it
>> started getting very cumbersome, so I resorted to backporting the
>> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
>> think apart from these initial patches, the rest of the patchset
>> doesn't have all that much noise. 
> 
> I've applied the "initial" patches to the 4.4-stable queue right now, as
> those were all just "housekeeping" stuff.  I'll let others review the
> rest of the series this week and see if anyone objects before throwing
> them at the test-bots.
> 

Sounds great! Thanks a lot!

> Many thanks for doing all of this work.
> 

Thank you Greg!
 
Regards,
Srivatsa
VMware Photon OS

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
> Hi Greg,
> 
> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
> and patches for the Speculative Store Bypass vulnerability to 4.4.y
> (they apply cleanly on top of 4.4.140).
> 
> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
> that would minimize the amount of fixing up necessary). Unfortunately
> I had to skip the KVM fixes for these vulnerabilities, as the KVM
> codebase is drastically different in 4.4 as compared to 4.9. (I tried
> my best to backport them initially, but wasn't confident that they
> were correct, so I decided to drop them from this series).
> 
> You'll notice that the initial few patches in this series include
> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
> into 4.4, since a lot of the subsequent patches update these headers.
> On my first attempt to backport these patches to 4.4.y, I had actually
> tried to do all the updates on the cpufeature.h file itself, but it
> started getting very cumbersome, so I resorted to backporting the
> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
> think apart from these initial patches, the rest of the patchset
> doesn't have all that much noise. 
> 
> This patchset has been tested on both Intel and AMD machines (Intel
> Xeon CPU E5-2660 v4 and AMD EPYC 7281 16-Core Processor, respectively)
> with updated microcode. All the patch backports have been
> independently reviewed by Matt Helsley, Alexey Makhalov and Bo Gan.
> 
> I would appreciate if you could kindly consider these patches for
> review and inclusion in a future 4.4.y release.

Given no one has complained about these yet, I've queued them all up,
including the 2 extra ones you sent afterward.

Let's see what breaks :)

thanks,

greg k-h

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 7/23/18 4:26 AM, Greg KH wrote:
> On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
>> Hi Greg,
>>
>> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
>> and patches for the Speculative Store Bypass vulnerability to 4.4.y
>> (they apply cleanly on top of 4.4.140).
>>
>> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
>> that would minimize the amount of fixing up necessary). Unfortunately
>> I had to skip the KVM fixes for these vulnerabilities, as the KVM
>> codebase is drastically different in 4.4 as compared to 4.9. (I tried
>> my best to backport them initially, but wasn't confident that they
>> were correct, so I decided to drop them from this series).
>>
>> You'll notice that the initial few patches in this series include
>> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
>> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
>> into 4.4, since a lot of the subsequent patches update these headers.
>> On my first attempt to backport these patches to 4.4.y, I had actually
>> tried to do all the updates on the cpufeature.h file itself, but it
>> started getting very cumbersome, so I resorted to backporting the
>> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
>> think apart from these initial patches, the rest of the patchset
>> doesn't have all that much noise. 
>>
>> This patchset has been tested on both Intel and AMD machines (Intel
>> Xeon CPU E5-2660 v4 and AMD EPYC 7281 16-Core Processor, respectively)
>> with updated microcode. All the patch backports have been
>> independently reviewed by Matt Helsley, Alexey Makhalov and Bo Gan.
>>
>> I would appreciate if you could kindly consider these patches for
>> review and inclusion in a future 4.4.y release.
> 
> Given no one has complained about these yet, I've queued them all up,
> including the 2 extra ones you sent afterward.
>
Great! Thank you very much!

> Let's see what breaks :)
> 

Hehe :)

Regards,
Srivatsa
VMware Photon OS


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Jiri Kosina]

On Sat, 14 Jul 2018, Srivatsa S. Bhat wrote:

> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
> and patches for the Speculative Store Bypass vulnerability to 4.4.y
> (they apply cleanly on top of 4.4.140).

FWIW -- not sure how much inspiration you took from our SLE 4.4-based 
tree, but most of the stuff is already there for quite some time 
(including the non-upstream IBRS on kernel boundary on SKL+, trampoline 
stack for PTI (which the original port didn't have), etc).

The IBRS SKL+ stuff has not been picked up by Greg, as it's non-upstream, 
and the trampoline stack I believe was pointed out to stable@, but noone 
really sat down and did the port (our codebase is different than 4.4.x 
stable base), but it definitely should be done if someone has to put 100% 
trust into the PTI port (either that, or at least zeroing out the kernel 
thread thread stack ... we used to have temporarily that before we 
switched over to proper entry trampoline in this version as well).

Thanks,

-- 
Jiri Kosina
SUSE Labs


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 7/23/18 3:06 PM, Jiri Kosina wrote:
> On Sat, 14 Jul 2018, Srivatsa S. Bhat wrote:
> 
>> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
>> and patches for the Speculative Store Bypass vulnerability to 4.4.y
>> (they apply cleanly on top of 4.4.140).
> 
> FWIW -- not sure how much inspiration you took from our SLE 4.4-based 
> tree, but most of the stuff is already there for quite some time 
> (including the non-upstream IBRS on kernel boundary on SKL+, trampoline 
> stack for PTI (which the original port didn't have), etc).
> 
> The IBRS SKL+ stuff has not been picked up by Greg, as it's non-upstream, 
> and the trampoline stack I believe was pointed out to stable@, but noone 
> really sat down and did the port (our codebase is different than 4.4.x 
> stable base), but it definitely should be done if someone has to put 100% 
> trust into the PTI port (either that, or at least zeroing out the kernel 
> thread thread stack ... we used to have temporarily that before we 
> switched over to proper entry trampoline in this version as well).
> 

I did glance at the SLES 4.4 kernel sometime ago, but there seemed to
be way too many custom patches and I wasn't sure in what ways your
PTI/Spectre fixes depended on the other (x86) patches in your tree. So
I decided to backport entirely from the 4.9 stable tree instead. My
reasoning was that, since the 4.9 stable patches were trusted to work
well, their 4.4 backports should work well too, as long as they are
backported correctly.
 
However, if you are proposing that you'd like to contribute the
enhanced PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4
stable, and have them merged instead of this patch series, then I
would certainly welcome it!

Regards,
Srivatsa
VMware Photon OS

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Jiri Kosina]

On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:

> However, if you are proposing that you'd like to contribute the enhanced 
> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and 
> have them merged instead of this patch series, then I would certainly 
> welcome it!

I'd in principle love us to push everything back to 4.4, but there are a 
few reasons (*) why that's not happening shortly.

Anyway, to point out explicitly what's really needed for those folks 
running 4.4-stable and relying on PTI providing The Real Thing(TM), it's 
either a 4.4-stable port of

	http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7

or making THREADINFO_GFP imply __GFP_ZERO.

(*) IBRS is not upstream, we historically have had very different x86 
    codebase compared to either 4.4, 4.4-stable or current Linus' tree, 
    and there are simply too many things happening right now to give this 
    high enough priority, sadly. We're not fully-dependent downstream 
    consumer of -stable any more, so this is one of the expected outcomes, 
    unfortunately; we don't immediately benefit from pushing our 
    downstream changes to stable, as we have to carry those over forward
    ourselves anyway.

Thanks,

-- 
Jiri Kosina
SUSE Labs


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Kees Cook]

On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>
>> However, if you are proposing that you'd like to contribute the enhanced
>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>> have them merged instead of this patch series, then I would certainly
>> welcome it!
>
> I'd in principle love us to push everything back to 4.4, but there are a
> few reasons (*) why that's not happening shortly.
>
> Anyway, to point out explicitly what's really needed for those folks
> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
> either a 4.4-stable port of
>
>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>
> or making THREADINFO_GFP imply __GFP_ZERO.

This is true in Linus's tree now. Should be trivial to backport:
https://git.kernel.org/linus/e01e80634ecdd

-Kees

-- 
Kees Cook
Pixel Security

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

[-- Attachment #1: Type: text/plain, Size: 1379 bytes --]

On 7/26/18 4:09 PM, Kees Cook wrote:
> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>
>>> However, if you are proposing that you'd like to contribute the enhanced
>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>> have them merged instead of this patch series, then I would certainly
>>> welcome it!
>>
>> I'd in principle love us to push everything back to 4.4, but there are a
>> few reasons (*) why that's not happening shortly.
>>
>> Anyway, to point out explicitly what's really needed for those folks
>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>> either a 4.4-stable port of
>>
>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>
>> or making THREADINFO_GFP imply __GFP_ZERO.
> 
> This is true in Linus's tree now. Should be trivial to backport:
> https://git.kernel.org/linus/e01e80634ecdd
> 

Hi Jiri, Kees,

Thank you for suggesting the patch! I have attached the (locally
tested) 4.4 and 4.9 backports of that patch with this mail. (The
mainline commit applies cleanly on 4.14).

Greg, could you please consider including them in stable 4.4, 4.9
and 4.14?

Thank you very much!

Regards,
Srivatsa
VMware Photon OS

[-- Attachment #2: 4.4-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3081 bytes --]

From 7e39d8ccbb0889c03ce6dc0dee0e63d78f37d0a9 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.4.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index ff307b5..646891f 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
-- 
2.7.4


[-- Attachment #3: 4.9-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3113 bytes --]

From 7debcc6438b4a0bdc9a7b509a751350dad883328 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.9.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index 2873baf..5e64367 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -59,12 +59,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | \
-				 __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP	(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
-- 
2.7.4


[-- Attachment #4: Type: text/plain, Size: 157 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Kees Cook]

On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
<srivatsa@csail.mit.edu> wrote:
> On 7/26/18 4:09 PM, Kees Cook wrote:
>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>>
>>>> However, if you are proposing that you'd like to contribute the enhanced
>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>>> have them merged instead of this patch series, then I would certainly
>>>> welcome it!
>>>
>>> I'd in principle love us to push everything back to 4.4, but there are a
>>> few reasons (*) why that's not happening shortly.
>>>
>>> Anyway, to point out explicitly what's really needed for those folks
>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>>> either a 4.4-stable port of
>>>
>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>>
>>> or making THREADINFO_GFP imply __GFP_ZERO.
>>
>> This is true in Linus's tree now. Should be trivial to backport:
>> https://git.kernel.org/linus/e01e80634ecdd
>>
>
> Hi Jiri, Kees,
>
> Thank you for suggesting the patch! I have attached the (locally
> tested) 4.4 and 4.9 backports of that patch with this mail. (The
> mainline commit applies cleanly on 4.14).
>
> Greg, could you please consider including them in stable 4.4, 4.9
> and 4.14?

I don't think your v4.9 is sufficient: it leaves the vmapped stack
uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
from task stacks") included in the backport (really, just adding the
memset()).

Otherwise, yup, looks good.

-Kees

-- 
Kees Cook
Pixel Security

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

[-- Attachment #1: Type: text/plain, Size: 1932 bytes --]

On 8/2/18 3:22 PM, Kees Cook wrote:
> On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
> <srivatsa@csail.mit.edu> wrote:
>> On 7/26/18 4:09 PM, Kees Cook wrote:
>>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>>>
>>>>> However, if you are proposing that you'd like to contribute the enhanced
>>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>>>> have them merged instead of this patch series, then I would certainly
>>>>> welcome it!
>>>>
>>>> I'd in principle love us to push everything back to 4.4, but there are a
>>>> few reasons (*) why that's not happening shortly.
>>>>
>>>> Anyway, to point out explicitly what's really needed for those folks
>>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>>>> either a 4.4-stable port of
>>>>
>>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>>>
>>>> or making THREADINFO_GFP imply __GFP_ZERO.
>>>
>>> This is true in Linus's tree now. Should be trivial to backport:
>>> https://git.kernel.org/linus/e01e80634ecdd
>>>
>>
>> Hi Jiri, Kees,
>>
>> Thank you for suggesting the patch! I have attached the (locally
>> tested) 4.4 and 4.9 backports of that patch with this mail. (The
>> mainline commit applies cleanly on 4.14).
>>
>> Greg, could you please consider including them in stable 4.4, 4.9
>> and 4.14?
> 
> I don't think your v4.9 is sufficient: it leaves the vmapped stack
> uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
> from task stacks") included in the backport (really, just adding the
> memset()).
> 

Ah, I see, thank you! I have attached the updated patchset for 4.9
with this mail.

> Otherwise, yup, looks good.
> 
Thank you for reviewing the patches!
 
Regards,
Srivatsa
VMware Photon OS

[-- Attachment #2: 4.9-0001-kmemleak-clear-stale-pointers-from-task-stacks.patch --]
[-- Type: text/plain, Size: 1906 bytes --]

From edf835d8b6bac08bc5e69efb3e1cc321e2457f61 Mon Sep 17 00:00:00 2001
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date: Fri, 13 Oct 2017 15:58:22 -0700
Subject: [PATCH 1/2] kmemleak: clear stale pointers from task stacks

commit ca182551857cc2c1e6a2b7f1e72090a137a15008 upstream.

Kmemleak considers any pointers on task stacks as references.  This
patch clears newly allocated and reused vmap stacks.

Link: http://lkml.kernel.org/r/150728990124.744199.8403409836394318684.stgit@buzz
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.9.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
---
 include/linux/thread_info.h | 2 +-
 kernel/fork.c               | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index 2873baf..cf87c16 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -59,7 +59,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
+#if IS_ENABLED(CONFIG_DEBUG_STACK_USAGE) || IS_ENABLED(CONFIG_DEBUG_KMEMLEAK)
 # define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | \
 				 __GFP_ZERO)
 #else
diff --git a/kernel/fork.c b/kernel/fork.c
index 70e10cb..c19e6d4 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -184,6 +184,10 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
 			continue;
 		this_cpu_write(cached_stacks[i], NULL);
 
+#ifdef CONFIG_DEBUG_KMEMLEAK
+		/* Clear stale pointers from reused stack. */
+		memset(s->addr, 0, THREAD_SIZE);
+#endif
 		tsk->stack_vm_area = s;
 		local_irq_enable();
 		return s->addr;
-- 
2.7.4


[-- Attachment #3: 4.9-0002-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3670 bytes --]

From 5371cd0bb1e2ca8d1603845c764e1524f7e729ad Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH 2/2] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.9.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 7 +------
 kernel/fork.c               | 3 +--
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index cf87c16..5e64367 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -59,12 +59,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#if IS_ENABLED(CONFIG_DEBUG_STACK_USAGE) || IS_ENABLED(CONFIG_DEBUG_KMEMLEAK)
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | \
-				 __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP	(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
diff --git a/kernel/fork.c b/kernel/fork.c
index c19e6d4..2c98b98 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -184,10 +184,9 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
 			continue;
 		this_cpu_write(cached_stacks[i], NULL);
 
-#ifdef CONFIG_DEBUG_KMEMLEAK
 		/* Clear stale pointers from reused stack. */
 		memset(s->addr, 0, THREAD_SIZE);
-#endif
+
 		tsk->stack_vm_area = s;
 		local_irq_enable();
 		return s->addr;
-- 
2.7.4


[-- Attachment #4: Type: text/plain, Size: 157 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Fri, Aug 03, 2018 at 04:20:31PM -0700, Srivatsa S. Bhat wrote:
> On 8/2/18 3:22 PM, Kees Cook wrote:
> > On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
> > <srivatsa@csail.mit.edu> wrote:
> >> On 7/26/18 4:09 PM, Kees Cook wrote:
> >>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
> >>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
> >>>>
> >>>>> However, if you are proposing that you'd like to contribute the enhanced
> >>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
> >>>>> have them merged instead of this patch series, then I would certainly
> >>>>> welcome it!
> >>>>
> >>>> I'd in principle love us to push everything back to 4.4, but there are a
> >>>> few reasons (*) why that's not happening shortly.
> >>>>
> >>>> Anyway, to point out explicitly what's really needed for those folks
> >>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
> >>>> either a 4.4-stable port of
> >>>>
> >>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
> >>>>
> >>>> or making THREADINFO_GFP imply __GFP_ZERO.
> >>>
> >>> This is true in Linus's tree now. Should be trivial to backport:
> >>> https://git.kernel.org/linus/e01e80634ecdd
> >>>
> >>
> >> Hi Jiri, Kees,
> >>
> >> Thank you for suggesting the patch! I have attached the (locally
> >> tested) 4.4 and 4.9 backports of that patch with this mail. (The
> >> mainline commit applies cleanly on 4.14).
> >>
> >> Greg, could you please consider including them in stable 4.4, 4.9
> >> and 4.14?
> > 
> > I don't think your v4.9 is sufficient: it leaves the vmapped stack
> > uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
> > from task stacks") included in the backport (really, just adding the
> > memset()).
> > 
> 
> Ah, I see, thank you! I have attached the updated patchset for 4.9
> with this mail.
> 
> > Otherwise, yup, looks good.
> > 
> Thank you for reviewing the patches!
>  
> Regards,
> Srivatsa
> VMware Photon OS

These work for 4.9, do you also have a set for 4.4?

thanks,

greg k-h

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

[-- Attachment #1: Type: text/plain, Size: 2649 bytes --]

On 8/7/18 6:49 AM, Greg KH wrote:
> On Fri, Aug 03, 2018 at 04:20:31PM -0700, Srivatsa S. Bhat wrote:
>> On 8/2/18 3:22 PM, Kees Cook wrote:
>>> On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
>>> <srivatsa@csail.mit.edu> wrote:
>>>> On 7/26/18 4:09 PM, Kees Cook wrote:
>>>>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>>>>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>>>>>
>>>>>>> However, if you are proposing that you'd like to contribute the enhanced
>>>>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>>>>>> have them merged instead of this patch series, then I would certainly
>>>>>>> welcome it!
>>>>>>
>>>>>> I'd in principle love us to push everything back to 4.4, but there are a
>>>>>> few reasons (*) why that's not happening shortly.
>>>>>>
>>>>>> Anyway, to point out explicitly what's really needed for those folks
>>>>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>>>>>> either a 4.4-stable port of
>>>>>>
>>>>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>>>>>
>>>>>> or making THREADINFO_GFP imply __GFP_ZERO.
>>>>>
>>>>> This is true in Linus's tree now. Should be trivial to backport:
>>>>> https://git.kernel.org/linus/e01e80634ecdd
>>>>>
>>>>
>>>> Hi Jiri, Kees,
>>>>
>>>> Thank you for suggesting the patch! I have attached the (locally
>>>> tested) 4.4 and 4.9 backports of that patch with this mail. (The
>>>> mainline commit applies cleanly on 4.14).
>>>>
>>>> Greg, could you please consider including them in stable 4.4, 4.9
>>>> and 4.14?
>>>
>>> I don't think your v4.9 is sufficient: it leaves the vmapped stack
>>> uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
>>> from task stacks") included in the backport (really, just adding the
>>> memset()).
>>>
>>
>> Ah, I see, thank you! I have attached the updated patchset for 4.9
>> with this mail.
>>
>>> Otherwise, yup, looks good.
>>>
>> Thank you for reviewing the patches!
>>  
>> Regards,
>> Srivatsa
>> VMware Photon OS
> 
> These work for 4.9, do you also have a set for 4.4?
> 

Thank you for considering these patches for 4.9!

The (single) patch for 4.4 did not need any more changes, and hence is
the same as the one I attached in my previous mail. I'll attach it
again here for your reference.

Also, upstream commit e01e80634ecdde1 (fork: unconditionally clear
stack on fork) applies cleanly on 4.14 stable, so it would be great to
cherry-pick it to 4.14 stable as well.

Thank you!

Regards,
Srivatsa
VMware Photon OS

[-- Attachment #2: 4.4-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3081 bytes --]

From 7e39d8ccbb0889c03ce6dc0dee0e63d78f37d0a9 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.4.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index ff307b5..646891f 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
-- 
2.7.4


[-- Attachment #3: Type: text/plain, Size: 157 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Tue, Aug 07, 2018 at 12:08:07PM -0700, Srivatsa S. Bhat wrote:
> Also, upstream commit e01e80634ecdde1 (fork: unconditionally clear
> stack on fork) applies cleanly on 4.14 stable, so it would be great to
> cherry-pick it to 4.14 stable as well.

It is already in the 4.14.60 release, did I somehow mess up the
backport?

thanks,

greg k-h

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 8/7/18 12:15 PM, Greg KH wrote:
> On Tue, Aug 07, 2018 at 12:08:07PM -0700, Srivatsa S. Bhat wrote:
>> Also, upstream commit e01e80634ecdde1 (fork: unconditionally clear
>> stack on fork) applies cleanly on 4.14 stable, so it would be great to
>> cherry-pick it to 4.14 stable as well.
> 
> It is already in the 4.14.60 release, did I somehow mess up the
> backport?
> 

Sorry, my bad! The backport in 4.14.60 looks fine. Thank you!
 
Regards,
Srivatsa
VMware Photon OS

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel