ACK/Cmnt: [PATCH 1/1] x86/speculation: Protect against userspace-userspace spectreRSB

Stefan Bader stefan.bader at canonical.com
Mon Sep 3 09:35:28 UTC 2018 

On 29.08.2018 21:17, Tyler Hicks wrote:
> From: Jiri Kosina <jkosina at suse.cz>
> 
> The article "Spectre Returns! Speculation Attacks using the Return Stack
> Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks,
> making use solely of the RSB contents even on CPUs that don't fallback to
> BTB on RSB underflow (Skylake+).
> 
> Mitigate userspace-userspace attacks by always unconditionally filling RSB on
> context switch when the generic spectrev2 mitigation has been enabled.
> 
> [1] https://arxiv.org/pdf/1807.07940.pdf
> 
> Signed-off-by: Jiri Kosina <jkosina at suse.cz>
> Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
> Reviewed-by: Josh Poimboeuf <jpoimboe at redhat.com>
> Acked-by: Tim Chen <tim.c.chen at linux.intel.com>
> Cc: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
> Cc: Borislav Petkov <bp at suse.de>
> Cc: David Woodhouse <dwmw at amazon.co.uk>
> Cc: Peter Zijlstra <peterz at infradead.org>
> Cc: Linus Torvalds <torvalds at linux-foundation.org>
> Cc: stable at vger.kernel.org
> Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm
> 
> CVE-2017-5715 (SpectreRSB sub-variant)

CVE-2018-15572 (SpectreRSB)

> 
> (cherry picked from commit fdf82a7856b32d905c39afc85e34364491e46346)
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

With updated CVE number on commit.

>  arch/x86/kernel/cpu/bugs.c | 38 +++++++-------------------------------
>  1 file changed, 7 insertions(+), 31 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 700b4c0a93a2..edfc64a8a154 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -322,23 +322,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
>  	return cmd;
>  }
>  
> -/* Check for Skylake-like CPUs (for RSB handling) */
> -static bool __init is_skylake_era(void)
> -{
> -	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
> -	    boot_cpu_data.x86 == 6) {
> -		switch (boot_cpu_data.x86_model) {
> -		case INTEL_FAM6_SKYLAKE_MOBILE:
> -		case INTEL_FAM6_SKYLAKE_DESKTOP:
> -		case INTEL_FAM6_SKYLAKE_X:
> -		case INTEL_FAM6_KABYLAKE_MOBILE:
> -		case INTEL_FAM6_KABYLAKE_DESKTOP:
> -			return true;
> -		}
> -	}
> -	return false;
> -}
> -
>  static void __init spectre_v2_select_mitigation(void)
>  {
>  	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
> @@ -399,22 +382,15 @@ static void __init spectre_v2_select_mitigation(void)
>  	pr_info("%s\n", spectre_v2_strings[mode]);
>  
>  	/*
> -	 * If neither SMEP nor PTI are available, there is a risk of
> -	 * hitting userspace addresses in the RSB after a context switch
> -	 * from a shallow call stack to a deeper one. To prevent this fill
> -	 * the entire RSB, even when using IBRS.
> +	 * If spectre v2 protection has been enabled, unconditionally fill
> +	 * RSB during a context switch; this protects against two independent
> +	 * issues:
>  	 *
> -	 * Skylake era CPUs have a separate issue with *underflow* of the
> -	 * RSB, when they will predict 'ret' targets from the generic BTB.
> -	 * The proper mitigation for this is IBRS. If IBRS is not supported
> -	 * or deactivated in favour of retpolines the RSB fill on context
> -	 * switch is required.
> +	 *	- RSB underflow (and switch to BTB) on Skylake+
> +	 *	- SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
>  	 */
> -	if ((!boot_cpu_has(X86_FEATURE_PTI) &&
> -	     !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
> -		setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
> -		pr_info("Spectre v2 mitigation: Filling RSB on context switch\n");
> -	}
> +	setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
> +	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
>  
>  	/* Initialize Indirect Branch Prediction Barrier if supported */
>  	if (boot_cpu_has(X86_FEATURE_IBPB)) {
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180903/90d0042b/attachment.sig>

More information about the kernel-team mailing list