NACK/Cmnt: [SRU][Jammy][PATCH 00/12] CVE-2024-2201

Stefan Bader stefan.bader at canonical.com
Tue Apr 16 14:30:29 UTC 2024 

On 12.04.24 21:23, Yuxuan Luo wrote:
> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> to the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. Also, this vulnerability affects KVM as well.
> 
> [Backport]
> Since the stable/linux-5.15.y backport is almost identical to the upstream patch
> set, only the 7390db8aea0d (“x86/bhi: Add support for clearing branch history at
> syscall entry”) commit is substitute by the stable/linux-5.15.y one and the rest
> are backported from the upstream.
> 
> The missing prerequisite commits are:
> 1. 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”)
>    This one solves the conflict in [1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas
>    to semicolons in 'spectre_v2' sysfs file”) by substitute sprintf() with
>    sysfs_emit()
> 2. eefe5e668209 (“KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace“)
>    This commit introduced CPUID_7_2_EDX, a flag used by [4/8] 0f4a837615ff
>    (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S“)
> 3. 047c72299061 (“KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs”)
>    This one introduced kvm_cpu_cap_init_kvm_defined(), solving a build error
>    caused by the commit above. No functional change as noted by the commit
>    message, safe to backport.
> 
> [Test]
> Compiled only.
> 
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing branch history
> exposed, therefore, that the system is able to boot and run should denote that
> it is not introducing any regression.
> 
> For KVM, the most significant impact is the performance regression due to system
> call substitution since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
> 
> Borislav Petkov (1):
>    x86/bugs: Use sysfs_emit()
> 
> Daniel Sneddon (2):
>    x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>    KVM: x86: Add BHI_NO
> 
> Jim Mattson (1):
>    KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace
> 
> Josh Poimboeuf (1):
>    x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
> 
> Linus Torvalds (1):
>    x86/syscall: Don't force use of indirect calls for system calls
> 
> Pawan Gupta (4):
>    x86/bhi: Add support for clearing branch history at syscall entry
>    x86/bhi: Enumerate Branch History Injection (BHI) bug
>    x86/bhi: Add BHI mitigation knob
>    x86/bhi: Mitigate KVM by default
> 
> Sean Christopherson (1):
>    KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only
>      leafs
> 
> Yuxuan Luo (1):
>    placeholder
> 
>   Documentation/admin-guide/hw-vuln/spectre.rst |  50 +++-
>   .../admin-guide/kernel-parameters.txt         |  12 +
>   arch/x86/Kconfig                              |  25 ++
>   arch/x86/entry/common.c                       |   6 +-
>   arch/x86/entry/entry_64.S                     |  61 +++++
>   arch/x86/entry/entry_64_compat.S              |   3 +
>   arch/x86/entry/syscall_32.c                   |  21 +-
>   arch/x86/entry/syscall_64.c                   |  19 +-
>   arch/x86/entry/syscall_x32.c                  |  10 +-
>   arch/x86/include/asm/cpufeatures.h            |  12 +
>   arch/x86/include/asm/msr-index.h              |   9 +-
>   arch/x86/include/asm/nospec-branch.h          |  17 ++
>   arch/x86/include/asm/syscall.h                |  10 +-
>   arch/x86/kernel/cpu/bugs.c                    | 218 +++++++++++++-----
>   arch/x86/kernel/cpu/common.c                  |  24 +-
>   arch/x86/kernel/cpu/scattered.c               |   1 +
>   arch/x86/kvm/cpuid.c                          |  29 ++-
>   arch/x86/kvm/reverse_cpuid.h                  |  32 ++-
>   arch/x86/kvm/vmx/vmenter.S                    |   2 +
>   arch/x86/kvm/x86.c                            |   3 +-
>   debian.master/config/annotations              |   3 +
>   21 files changed, 463 insertions(+), 104 deletions(-)
> 

Rejected for the following reasons:
Thinking more about this I believe it is better to stick as close to 
linux-5.15.y to make the upstream stable work not to difficult. I think 
I got a set prepared which picks one more change from the pending stable 
patches and then only adjusts for context in 4 of the BHI patches. This 
time I will do a test build before submitting a v2.
Oh and I will adjust the config update to use auto as we did for mantic.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240416/f7706171/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240416/f7706171/attachment-0001.sig>

More information about the kernel-team mailing list