ACK: [SRU][Trusty][PATCH] UBUNTU: SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"
Stefan Bader
stefan.bader at canonical.com
Mon Jul 30 10:58:59 UTC 2018
On 27.07.2018 17:43, Juerg Haefliger wrote:
> CVE-2017-5715 (Spectre v2 retpoline)
>
> For whatever reason, our backport of "x86/retpoline/entry: Convert entry
> assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it
> should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a functional
> difference for the Ubuntu kernel, fix it to be formally correct and
> equivalent to upstream.
>
> Also, the backport is incomplete (doesn't convert the indirect jumps
> through the syscall table in ia32entry.S) and also introduces whitespaces
> instead of tabs. Fix that too, to be in line with upstream stable 3.16 and
> to prevent potential future conflicts when cherry picking patches that
> modify these areas.
>
> Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps")
> Signed-off-by: Juerg Haefliger <juergh at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> arch/x86/ia32/ia32entry.S | 18 +++++++++++++++++-
> arch/x86/kernel/entry_32.S | 6 +++---
> arch/x86/kernel/entry_64.S | 14 +++++++-------
> 3 files changed, 27 insertions(+), 11 deletions(-)
>
> diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
> index aedd4b526243..cc9fa083175d 100644
> --- a/arch/x86/ia32/ia32entry.S
> +++ b/arch/x86/ia32/ia32entry.S
> @@ -20,6 +20,7 @@
> #include <asm/spec_ctrl.h>
> #include <linux/linkage.h>
> #include <linux/err.h>
> +#include <asm/nospec-branch.h>
>
> /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
> #include <linux/elf-em.h>
> @@ -176,7 +177,12 @@ sysenter_flags_fixed:
> sysenter_do_call:
> IA32_ARG_FIXUP
> sysenter_dispatch:
> +#ifdef CONFIG_RETPOLINE
> + movq ia32_sys_call_table(,%rax,8),%rax
> + call __x86_indirect_thunk_rax
> +#else
> call *ia32_sys_call_table(,%rax,8)
> +#endif
> movq %rax,RAX-ARGOFFSET(%rsp)
> DISABLE_INTERRUPTS(CLBR_NONE)
> TRACE_IRQS_OFF
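Review bot: The retpoline branch at `sysenter_dispatch` calls `__x86_indirect_thunk_rax` directly instead of through CALL_NOSPEC, which this same patch uses at `ia32_ptregs_common`; the reason is that CALL_NOSPEC expands to `call __x86_indirect_thunk_\reg` and so needs a register operand, which is why the table entry is first loaded into %rax. Because the open-coded call bypasses the ALTERNATIVE inside the macro, behaviour on CPUs where the retpoline feature bit is not set depends on the thunk body in this tree's retpoline.S carrying its own alternative, as upstream's does — worth confirming in the backport. A one-line comment above the `#ifdef`, `/* CALL_NOSPEC needs a register: load the table entry into %rax first */`, would save the next reader that question. The identical blocks at `cstar_dispatch` and `ia32_do_call` share the point; each enclosing entry path continues outside its hunk.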
> @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target)
> cstar_do_call:
> IA32_ARG_FIXUP 1
> cstar_dispatch:
> +#ifdef CONFIG_RETPOLINE
> + movq ia32_sys_call_table(,%rax,8),%rax
> + call __x86_indirect_thunk_rax
> +#else
> call *ia32_sys_call_table(,%rax,8)
> +#endif
> movq %rax,RAX-ARGOFFSET(%rsp)
> DISABLE_INTERRUPTS(CLBR_NONE)
> TRACE_IRQS_OFF
> @@ -458,7 +469,12 @@ ENTRY(ia32_syscall)
> ja ia32_badsys
> ia32_do_call:
> IA32_ARG_FIXUP
> +#ifdef CONFIG_RETPOLINE
> + movq ia32_sys_call_table(,%rax,8),%rax
> + call __x86_indirect_thunk_rax
> +#else
> call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
> +#endif
> ia32_sysret:
> movq %rax,RAX-ARGOFFSET(%rsp)
> ia32_ret_from_sys_call:
> @@ -524,7 +540,7 @@ ia32_ptregs_common:
> CFI_REL_OFFSET rsp,RSP-ARGOFFSET
> /* CFI_REL_OFFSET ss,SS-ARGOFFSET*/
> SAVE_REST
> - call *%rax
> + CALL_NOSPEC %rax
> RESTORE_REST
> jmp ia32_sysret /* misbalances the return cache */
> CFI_ENDPROC
> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
> index afab84e0e50e..a250f31c0093 100644
> --- a/arch/x86/kernel/entry_32.S
> +++ b/arch/x86/kernel/entry_32.S
> @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread)
> pushl_cfi $0x0202 # Reset kernel eflags
> popfl_cfi
> movl PT_EBP(%esp),%eax
> - movl PT_EBX(%esp),%edx
> + movl PT_EBX(%esp), %edx
> CALL_NOSPEC %edx
> movl $0,PT_EAX(%esp)
> jmp syscall_exit
> @@ -435,7 +435,7 @@ sysenter_do_call:
> cmpl $(NR_syscalls), %eax
> jae sysenter_badsys
> #ifdef CONFIG_RETPOLINE
> - movl sys_call_table(,%eax,4), %eax
> + movl sys_call_table(,%eax,4),%eax
> call __x86_indirect_thunk_eax
> #else
> call *sys_call_table(,%eax,4)
> @@ -521,7 +521,7 @@ ENTRY(system_call)
> jae syscall_badsys
> syscall_call:
> #ifdef CONFIG_RETPOLINE
> - movl sys_call_table(,%eax,4), %eax
> + movl sys_call_table(,%eax,4),%eax
> call __x86_indirect_thunk_eax
> #else
> call *sys_call_table(,%eax,4)
> diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
> index 3b9377790eca..8cf5cfa4a8a2 100644
> --- a/arch/x86/kernel/entry_64.S
> +++ b/arch/x86/kernel/entry_64.S
> @@ -61,8 +61,8 @@
> #include <asm/pgtable_types.h>
> #include <asm/kaiser.h>
> #include <asm/spec_ctrl.h>
> -#include <linux/err.h>
> #include <asm/nospec-branch.h>
> +#include <linux/err.h>
>
> /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
> #include <linux/elf-em.h>
> @@ -709,9 +709,9 @@ system_call_fastpath:
> #endif
> ja badsys
> movq %r10,%rcx
> -#ifdef RETPOLINE
> - movq sys_call_table(, %rax, 8), %rax
> - call __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> + movq sys_call_table(, %rax, 8), %rax
> + call __x86_indirect_thunk_rax
> #else
> call *sys_call_table(,%rax,8) # XXX: rip relative
> #endif
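Review bot: The change from `#ifdef RETPOLINE` to `#ifdef CONFIG_RETPOLINE` in `system_call_fastpath` is more than formal if this tree's Makefile follows upstream, where `-DRETPOLINE` is only added when the compiler supports retpolines: under the old guard a CONFIG_RETPOLINE=y build with an older toolchain would silently fall back to the unprotected `call *sys_call_table(,%rax,8)`, while `__x86_indirect_thunk_rax` from retpoline.S is built on CONFIG_RETPOLINE alone. The description's "doesn't make a functional difference" therefore holds only for toolchains that define RETPOLINE, and that dependency is worth stating alongside the Fixes tag. The same guard change appears in the `tracesys` hunk below. Both system_call_fastpath and tracesys continue outside their hunks.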
> @@ -842,9 +842,9 @@ tracesys:
> #endif
> ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */
> movq %r10,%rcx /* fixup for C */
> -#ifdef RETPOLINE
> - movq sys_call_table(, %rax, 8), %rax
> - call __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> + movq sys_call_table(, %rax, 8), %rax
> + call __x86_indirect_thunk_rax
> #else
> call *sys_call_table(,%rax,8)
> #endif
>