APPLIED: [SRU PR Jammy] CVE-2023-20569 - AMD SRSO
Stefan Bader
stefan.bader at canonical.com
Fri Sep 1 08:28:49 UTC 2023
On 01.09.23 03:39, Thadeu Lima de Souza Cascardo wrote:
> The following changes since commit 8e01c63c8de30a27a4f87e4f86e69403aaf6aa5b:
>
> e1000e: Use PME poll to circumvent unreliable ACPI wake (2023-08-31 11:16:50 +0200)
>
> are available in the Git repository at:
>
> git+ssh://cascardo@git.launchpad.net/~cascardo/ubuntu/+source/linux/+git/jammy srso+master
>
> for you to fetch changes up to 785e38eb6f4343afe59aea187d0a782251c3a9f2:
>
> Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation (2023-08-31 22:28:42 -0300)
>
> ----------------------------------------------------------------
>
> [Impact]
> A side channel vulnerability on some of the AMD CPUs may allow an attacker
> to influence the return address prediction. This may result in speculative
> execution at an attacker-controlled address, potentially leading to
> information disclosure.
>
> [Backport]
> Patches have been backported from 5.15.y upstream stable. Minor conflicts
> around previous backports of GDS and DIV0 had to be handled.
>
> Backports for 6.1 and 6.2 are on their way.
>
> [Tests]
> Tests were run on an AWS Zen1 instance with no IBRS or IBPB. Mitigation
> options were toggled and vulnerabilities mitigations reports were as
> expected.
>
> An Intel VM was booted with spectre_v2=retpoline.
>
> An AMD Zen3 metal instance was tested as well with an SVM guest booted on top
> of it with the same kernel. spec_rstack_overflow report was as expected.
>
> [Potential regression]
> This could cause boot problems and also cause some CPU vulnerabilties
> mitigations, specially Retbleed, to regress.
>
>
> ----------------------------------------------------------------
> Borislav Petkov (AMD) (9):
> x86/srso: Add a Speculative RAS Overflow mitigation
> x86/srso: Add IBPB_BRTYPE support
> x86/srso: Add SRSO_NO support
> x86/srso: Add IBPB
> x86/srso: Add IBPB on VMEXIT
> x86/srso: Tie SBPB bit setting to microcode patch detection
> x86/srso: Explain the untraining sequences a bit more
> x86/srso: Disable the mitigation on unaffected configurations
> x86/srso: Correct the mitigation status when SMT is disabled
>
> Greg Kroah-Hartman (1):
> x86: fix backwards merge of GDS/SRSO bit
>
> Josh Poimboeuf (2):
> x86/srso: Fix return thunks in generated code
> objtool: Add frame-pointer-specific function ignore
>
> Kim Phillips (1):
> x86/cpu, kvm: Add support for CPUID_80000021_EAX
>
> Nick Desaulniers (1):
> x86/srso: Fix build breakage with the LLVM linker
>
> Peter Zijlstra (11):
> x86/cpu: Fix __x86_return_thunk symbol type
> x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
> x86/alternative: Make custom return thunk unconditional
> x86/ibt: Add ANNOTATE_NOENDBR
> x86/cpu: Clean up SRSO return thunk mess
> x86/cpu: Rename original retbleed methods
> x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
> x86/cpu: Cleanup the untrain mess
> x86/static_call: Fix __static_call_fixup()
> objtool/x86: Fixup frame-pointer vs rethunk
> objtool/x86: Fix SRSO mess
>
> Petr Pavlu (1):
> x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG
>
> Sean Christopherson (1):
> x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()
>
> Thadeu Lima de Souza Cascardo (1):
> Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation
>
> Documentation/admin-guide/hw-vuln/index.rst | 1 +
> Documentation/admin-guide/hw-vuln/srso.rst | 133 ++++++++++++++++
> Documentation/admin-guide/kernel-parameters.txt | 11 ++
> arch/x86/Kconfig | 7 +
> arch/x86/include/asm/cpufeature.h | 7 +-
> arch/x86/include/asm/cpufeatures.h | 11 +-
> arch/x86/include/asm/disabled-features.h | 3 +-
> arch/x86/include/asm/msr-index.h | 1 +
> arch/x86/include/asm/nospec-branch.h | 34 ++--
> arch/x86/include/asm/processor.h | 2 +
> arch/x86/include/asm/required-features.h | 3 +-
> arch/x86/kernel/cpu/amd.c | 19 +++
> arch/x86/kernel/cpu/bugs.c | 197 ++++++++++++++++++++++++
> arch/x86/kernel/cpu/common.c | 15 +-
> arch/x86/kernel/static_call.c | 13 ++
> arch/x86/kernel/vmlinux.lds.S | 38 ++++-
> arch/x86/kvm/cpuid.c | 3 +
> arch/x86/kvm/reverse_cpuid.h | 1 +
> arch/x86/kvm/svm/svm.c | 4 +-
> arch/x86/kvm/svm/vmenter.S | 3 +
> arch/x86/lib/retpoline.S | 158 +++++++++++++++++--
> debian.master/config/annotations | 1 +
> drivers/base/cpu.c | 8 +
> include/linux/cpu.h | 2 +
> include/linux/objtool.h | 28 ++++
> tools/include/linux/objtool.h | 28 ++++
> tools/objtool/arch/x86/decode.c | 6 +
> tools/objtool/check.c | 43 ++++--
> tools/objtool/include/objtool/arch.h | 1 +
> tools/objtool/include/objtool/elf.h | 1 +
> 30 files changed, 738 insertions(+), 44 deletions(-)
> create mode 100644 Documentation/admin-guide/hw-vuln/srso.rst
>
Applied to jammy:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230901/9f37525b/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230901/9f37525b/attachment-0001.sig>
More information about the kernel-team
mailing list