[SRU Jammy v2][PATCH 00/13] CVE-2024-2201
Stefan Bader
stefan.bader at canonical.com
Tue Apr 16 14:53:12 UTC 2024
[Impact]
Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
obtain kernel memory information without the help of unprivileged eBPF, negating
the previous belief that unprivileged eBPF is the only real-world source of
such an attack. This vulnerability also affects KVM.
[Backport]
In order to minimize effort with future upstream stable ports I only
used patches from linux-5.15.y which have not yet been picked up. This
allowed the BHI set from linux-5.15.y to be applied with just 4 simple
context changes.
The missing prerequisite commits are:
1. 1d30800c0c0a ("x86/bugs: Use sysfs_emit()")
This one solves the conflict in [1/8] 0cd01ac5dcb1 ("x86/bugs: Change commas
to semicolons in 'spectre_v2' sysfs file") by substituting sprintf() with
sysfs_emit().
2. eefe5e668209 ("KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace")
This commit introduced CPUID_7_2_EDX, a flag used by [4/8] 0f4a837615ff
("x86/bhi: Define SPEC_CTRL_BHI_DIS_S").
3. 047c72299061 (“KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs”)
This one introduced kvm_cpu_cap_init_kvm_defined(), solving a build error
caused by the commit above. No functional change as noted by the commit
message, safe to backport.
4. 3de7708607e5 ("KVM: x86: Use a switch statement and macros in
__feature_translate()")
This changes __feature_translate in reverse-cpuid.h to use macros and
by that allows ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S") to be applied
without changes.
[Test]
Compiled only.
[Where things could go wrong]
This patch set is mostly about enabling CPU features and reducing the exposed
branch history; therefore, the system being able to boot and run should indicate
that it is not introducing any regression.
For KVM, the most significant impact is the performance regression due to the
system call substitution, since branch prediction will probably not perform as
well as before for users who do not care about the mitigation.
For this reason we are currently only enabling this in auto mode, which
means only if the firmware supports it.
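Since the series was compile-tested only, the check a practitioner will want on a booted kernel is whether the spectre_v2 sysfs line now carries a BHI field. The script below is an added example, not part of this patch series or of the Ubuntu kernel tree: it splits the spectre_v2 line on the semicolons introduced by 0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file") and reports the BHI field. The sample lines are constructed to match the upstream format as far as I know it, and the exact wording of the BHI field on a given Jammy build is an assumption, which is why the status logic only keys on the "BHI:" prefix and the word "Vulnerable".

```shell
#!/bin/sh
# Added example (not code from the patch series): parse the spectre_v2
# sysfs status line and report the BHI mitigation field.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample lines in the semicolon-separated format introduced by
# 0cd01ac5dcb1. They are NOT output captured from a Jammy kernel; the exact
# BHI wording is an assumption. Note that the BHI field itself contains a
# comma ("BHI: ..., KVM: ..."), which is why splitting on ';' is required.
SAMPLE_MITIGATED='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
SAMPLE_NO_BHI='Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling; PBRSB-eIBRS: Not affected'

# spectre_v2_fields LINE -> prints one trimmed field per line
spectre_v2_fields() {
    printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# bhi_field LINE -> prints the field starting with "BHI:", or nothing
bhi_field() {
    spectre_v2_fields "$1" | sed -n 's/^\(BHI:.*\)$/\1/p'
}

# bhi_status LINE -> "mitigated", "vulnerable" or "unknown"
# "unknown" means the kernel does not report a BHI field at all, i.e. the
# BHI patches are not present in the running kernel.
bhi_status() {
    field=$(bhi_field "$1")
    case "$field" in
        '')           echo unknown ;;
        *Vulnerable*) echo vulnerable ;;
        *)            echo mitigated ;;
    esac
}

# report_live -> reads the real sysfs file if this system exposes it
report_live() {
    if [ -r "$SPECTRE_V2_SYSFS" ]; then
        line=$(cat "$SPECTRE_V2_SYSFS")
        printf 'spectre_v2: %s\nBHI status: %s\n' "$line" "$(bhi_status "$line")"
    else
        echo "$SPECTRE_V2_SYSFS is not available on this system"
    fi
}

report_live
```

On a system where the patched kernel is running, a BHI field appears in the output; an "unknown" status from a kernel that should carry this series is the signal that the backport did not take effect.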
Borislav Petkov (1):
x86/bugs: Use sysfs_emit()
Daniel Sneddon (2):
x86/bhi: Define SPEC_CTRL_BHI_DIS_S
KVM: x86: Add BHI_NO
Jim Mattson (2):
KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace
KVM: x86: Use a switch statement and macros in __feature_translate()
Josh Poimboeuf (1):
x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
Linus Torvalds (1):
x86/syscall: Don't force use of indirect calls for system calls
Pawan Gupta (4):
x86/bhi: Add support for clearing branch history at syscall entry
x86/bhi: Enumerate Branch History Injection (BHI) bug
x86/bhi: Add BHI mitigation knob
x86/bhi: Mitigate KVM by default
Sean Christopherson (1):
KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs
Stefan Bader (1):
UBUNTU: [Config] Set CONFIG_BHI to enabled (auto)
Documentation/admin-guide/hw-vuln/spectre.rst | 51 +++-
.../admin-guide/kernel-parameters.txt | 12 +
arch/x86/Kconfig | 25 ++
arch/x86/entry/common.c | 6 +-
arch/x86/entry/entry_64.S | 61 +++++
arch/x86/entry/entry_64_compat.S | 3 +
arch/x86/entry/syscall_32.c | 21 +-
arch/x86/entry/syscall_64.c | 19 +-
arch/x86/entry/syscall_x32.c | 10 +-
arch/x86/include/asm/cpufeatures.h | 12 +
arch/x86/include/asm/msr-index.h | 9 +-
arch/x86/include/asm/nospec-branch.h | 17 ++
arch/x86/include/asm/syscall.h | 10 +-
arch/x86/kernel/cpu/bugs.c | 218 +++++++++++++-----
arch/x86/kernel/cpu/common.c | 24 +-
arch/x86/kernel/cpu/scattered.c | 1 +
arch/x86/kvm/cpuid.c | 29 ++-
arch/x86/kvm/reverse_cpuid.h | 45 +++-
arch/x86/kvm/vmx/vmenter.S | 2 +
arch/x86/kvm/x86.c | 3 +-
debian.master/config/annotations | 3 +
21 files changed, 470 insertions(+), 111 deletions(-)
--
2.34.1