NACK/Cmnt: [SRU][Jammy][PATCH 00/12] CVE-2024-2201
Stefan Bader
stefan.bader at canonical.com
Tue Apr 16 14:30:29 UTC 2024
On 12.04.24 21:23, Yuxuan Luo wrote:
> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. Also, this vulnerability affects KVM as well.
>
> [Backport]
> Since the stable/linux-5.15.y backport is almost identical to the upstream patch
> set, only the 7390db8aea0d (“x86/bhi: Add support for clearing branch history at
> syscall entry”) commit is substituted by the stable/linux-5.15.y one and the rest
> are backported from upstream.
>
> The missing prerequisite commits are:
> 1. 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”)
> This one solves the conflict in [1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas
> to semicolons in 'spectre_v2' sysfs file”) by substituting sprintf() with
> sysfs_emit()
> 2. eefe5e668209 (“KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace“)
> This commit introduced CPUID_7_2_EDX, a flag used by [4/8] 0f4a837615ff
> (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S“)
> 3. 047c72299061 (“KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs”)
> This one introduced kvm_cpu_cap_init_kvm_defined(), solving a build error
> caused by the commit above. No functional change as noted by the commit
> message, safe to backport.
>
> [Test]
> Compiled only.
>
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing branch history
> exposed; therefore, the system being able to boot and run should denote that
> it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due to system
> call substitution since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
>
> Borislav Petkov (1):
> x86/bugs: Use sysfs_emit()
>
> Daniel Sneddon (2):
> x86/bhi: Define SPEC_CTRL_BHI_DIS_S
> KVM: x86: Add BHI_NO
>
> Jim Mattson (1):
> KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace
>
> Josh Poimboeuf (1):
> x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Linus Torvalds (1):
> x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
> x86/bhi: Add support for clearing branch history at syscall entry
> x86/bhi: Enumerate Branch History Injection (BHI) bug
> x86/bhi: Add BHI mitigation knob
> x86/bhi: Mitigate KVM by default
>
> Sean Christopherson (1):
> KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only
> leafs
>
> Yuxuan Luo (1):
> placeholder
>
> Documentation/admin-guide/hw-vuln/spectre.rst | 50 +++-
> .../admin-guide/kernel-parameters.txt | 12 +
> arch/x86/Kconfig | 25 ++
> arch/x86/entry/common.c | 6 +-
> arch/x86/entry/entry_64.S | 61 +++++
> arch/x86/entry/entry_64_compat.S | 3 +
> arch/x86/entry/syscall_32.c | 21 +-
> arch/x86/entry/syscall_64.c | 19 +-
> arch/x86/entry/syscall_x32.c | 10 +-
> arch/x86/include/asm/cpufeatures.h | 12 +
> arch/x86/include/asm/msr-index.h | 9 +-
> arch/x86/include/asm/nospec-branch.h | 17 ++
> arch/x86/include/asm/syscall.h | 10 +-
> arch/x86/kernel/cpu/bugs.c | 218 +++++++++++++-----
> arch/x86/kernel/cpu/common.c | 24 +-
> arch/x86/kernel/cpu/scattered.c | 1 +
> arch/x86/kvm/cpuid.c | 29 ++-
> arch/x86/kvm/reverse_cpuid.h | 32 ++-
> arch/x86/kvm/vmx/vmenter.S | 2 +
> arch/x86/kvm/x86.c | 3 +-
> debian.master/config/annotations | 3 +
> 21 files changed, 463 insertions(+), 104 deletions(-)
>
Rejected for the following reasons:
Thinking more about this I believe it is better to stick as close to
linux-5.15.y to make the upstream stable work not too difficult. I think
I got a set prepared which picks one more change from the pending stable
patches and then only adjusts for context in 4 of the BHI patches. This
time I will do a test build before submitting a v2.
Oh and I will adjust the config update to use auto as we did for mantic.
-Stefan
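The patch set quoted above changes what the kernel reports in the spectre_v2 sysfs file: the "Change commas to semicolons" commit switches the field separator to "; " so that multi-part fields such as the new "BHI: ..." entry can themselves contain commas, and the BHI patches add that entry. An administrator verifying whether a booted Jammy kernel carries the mitigation would read that file and look for the BHI field. The following is an added example, not code from the thread or from the Ubuntu kernel tree: it parses a spectre_v2 status line and classifies the BHI state, distinguishing a pre-patch kernel (no BHI field at all) from a patched kernel that reports "BHI: Vulnerable". The sample lines in the test are constructed, not captured from a real machine; the exact BHI value strings a given kernel emits are documented in Documentation/admin-guide/hw-vuln/spectre.rst, which the series also updates.

```python
"""Report the BHI mitigation state from the x86 spectre_v2 sysfs file.

Added example, not part of the original mailing-list thread or of the
Ubuntu kernel patches it discusses. Only the sysfs path and the "; "
separator / "BHI:" field introduced by the quoted patch set are assumed.
"""
import os

SPECTRE_V2_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"


def parse_spectre_v2(line: str) -> dict:
    """Split a spectre_v2 status line into its overall status and fields.

    Post-patch kernels separate fields with "; " (so a field value may
    contain ", ", e.g. "BHI: SW loop, KVM: SW loop"); pre-patch kernels
    used ", ". Fields without a value (e.g. "RSB filling") map to True.
    """
    line = line.strip()
    sep = "; " if "; " in line else ", "
    fields = [f.strip() for f in line.split(sep) if f.strip()]
    parsed = {"status": fields[0] if fields else "", "fields": {}}
    for field in fields[1:]:
        key, _, value = field.partition(": ")
        parsed["fields"][key] = value if value else True
    return parsed


def bhi_state(line: str) -> str:
    """Classify the BHI state reported in a spectre_v2 line.

    "not-affected"  - CPU not affected by Spectre v2 at all, or BHI: Not affected
    "not-reported"  - no "BHI:" field: the kernel predates the BHI patch set,
                      so the state is unknown rather than known-good
    "vulnerable"    - kernel knows about BHI but reports it unmitigated
    "mitigated"     - any mitigation string (BHI_DIS_S, SW loop, syscall hardening)
    """
    parsed = parse_spectre_v2(line)
    if parsed["status"] == "Not affected":
        return "not-affected"
    bhi = parsed["fields"].get("BHI")
    if bhi is None or bhi is True:
        return "not-reported"
    if bhi == "Not affected":
        return "not-affected"
    if bhi.startswith("Vulnerable"):
        return "vulnerable"
    return "mitigated"


def read_spectre_v2(path: str = SPECTRE_V2_PATH):
    """Return the live sysfs line, or None on non-x86 or very old kernels."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    live = read_spectre_v2()
    if live is None:
        print("spectre_v2 sysfs file not present")
    else:
        print(live)
        print("BHI state:", bhi_state(live))
```

Treat "not-reported" as a finding rather than a pass: a 5.15 kernel without this series says nothing about BHI, and silence is not evidence that the branch-history clearing is in place.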