[SRU Jammy v2][PATCH 00/13] CVE-2024-2201

Andy Whitcroft apw at canonical.com
Wed Apr 17 08:59:20 UTC 2024


LGTM

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw

On Tue, Apr 16, 2024 at 3:54 PM Stefan Bader <stefan.bader at canonical.com>
wrote:

> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged
> attackers to obtain kernel memory information without the help of
> unprivileged eBPF, negating the previous belief that unprivileged eBPF
> is the only real-world source of such an attack. Also, this
> vulnerability affects KVM as well.
>
> [Backport]
> In order to minimize effort with future upstream stable ports I only
> used patches from linux-5.15.y which have not yet been picked up. This
> allowed the BHI set from linux-5.15.y to be applied with just 4 simple
> context changes.
>
> The missing prerequisite commits are:
> 1. 1d30800c0c0a ("x86/bugs: Use sysfs_emit()")
>    This one solves the conflict in [1/8] 0cd01ac5dcb1 ("x86/bugs: Change
>    commas to semicolons in 'spectre_v2' sysfs file") by substituting
>    sprintf() with sysfs_emit().
> 2. eefe5e668209 ("KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to
>    userspace")
>    This commit introduced CPUID_7_2_EDX, a flag used by [4/8] 0f4a837615ff
>    ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S").
> 3. 047c72299061 ("KVM: x86: Update KVM-only leaf handling to allow for
>    100% KVM-only leafs")
>    This one introduced kvm_cpu_cap_init_kvm_defined(), solving a build
>    error caused by the commit above. No functional change as noted by
>    the commit message, safe to backport.
> 4. 3de7708607e5 ("KVM: x86: Use a switch statement and macros in
>    __feature_translate()")
>    This changes __feature_translate() in reverse_cpuid.h to use macros
>    and by that allows ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S") to be
>    applied without changes.
>
> [Test]
> Compiled only.
>
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing branch
> history exposed, therefore, that the system is able to boot and run
> should denote that it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due
> to system call substitution since branch prediction probably won't
> perform as fast as the previous version for users who do not care about
> the mitigation. For this reason we are right now only enabling this in
> auto mode which means only if firmware supports it.
>
> Borislav Petkov (1):
>   x86/bugs: Use sysfs_emit()
>
> Daniel Sneddon (2):
>   x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>   KVM: x86: Add BHI_NO
>
> Jim Mattson (2):
>   KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace
>   KVM: x86: Use a switch statement and macros in __feature_translate()
>
> Josh Poimboeuf (1):
>   x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Linus Torvalds (1):
>   x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
>   x86/bhi: Add support for clearing branch history at syscall entry
>   x86/bhi: Enumerate Branch History Injection (BHI) bug
>   x86/bhi: Add BHI mitigation knob
>   x86/bhi: Mitigate KVM by default
>
> Sean Christopherson (1):
>   KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only
>     leafs
>
> Stefan Bader (1):
>   UBUNTU: [Config] Set CONFIG_BHI to enabled (auto)
>
>  Documentation/admin-guide/hw-vuln/spectre.rst |  51 +++-
>  .../admin-guide/kernel-parameters.txt         |  12 +
>  arch/x86/Kconfig                              |  25 ++
>  arch/x86/entry/common.c                       |   6 +-
>  arch/x86/entry/entry_64.S                     |  61 +++++
>  arch/x86/entry/entry_64_compat.S              |   3 +
>  arch/x86/entry/syscall_32.c                   |  21 +-
>  arch/x86/entry/syscall_64.c                   |  19 +-
>  arch/x86/entry/syscall_x32.c                  |  10 +-
>  arch/x86/include/asm/cpufeatures.h            |  12 +
>  arch/x86/include/asm/msr-index.h              |   9 +-
>  arch/x86/include/asm/nospec-branch.h          |  17 ++
>  arch/x86/include/asm/syscall.h                |  10 +-
>  arch/x86/kernel/cpu/bugs.c                    | 218 +++++++++++++-----
>  arch/x86/kernel/cpu/common.c                  |  24 +-
>  arch/x86/kernel/cpu/scattered.c               |   1 +
>  arch/x86/kvm/cpuid.c                          |  29 ++-
>  arch/x86/kvm/reverse_cpuid.h                  |  45 +++-
>  arch/x86/kvm/vmx/vmenter.S                    |   2 +
>  arch/x86/kvm/x86.c                            |   3 +-
>  debian.master/config/annotations              |   3 +
>  21 files changed, 470 insertions(+), 111 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
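As an added check that is not part of the original mail or of the kernel series: a POSIX shell helper that pulls the "BHI:" field out of a spectre_v2 sysfs status line and classifies it, so an administrator can confirm the mitigation state after booting the SRU kernel. The status lines below are constructed sample input; the exact wording of the BHI states is assumed from the 5.15.y series, not taken from this page.

```shell
#!/bin/sh
# Extract the "BHI:" field from one spectre_v2 status line.
# The series above switches the field separator from ',' to ';' before
# adding the BHI field, and the BHI field itself contains a comma
# ("SW loop, KVM: SW loop"), so the split must be on ';' only.
bhi_field() {
    # $1: one status line, as read from
    #     /sys/devices/system/cpu/vulnerabilities/spectre_v2
    printf '%s\n' "$1" \
        | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*BHI:[[:space:]]*//p' \
        | head -n 1
}

# Classify the BHI field into a coarse state for reporting.
# "unknown" means the kernel predates the BHI reporting entirely.
bhi_state() {
    field=$(bhi_field "$1")
    case "$field" in
        "")              echo "unknown" ;;
        "Not affected")  echo "not-affected" ;;
        Vulnerable*)     echo "vulnerable" ;;   # e.g. "Vulnerable, KVM: SW loop"
        *)               echo "mitigated" ;;    # BHI_DIS_S, SW loop, Retpoline
    esac
}

# Stand-alone use: report the live sysfs value when it is readable.
# Sample line (constructed) shown when run on a non-Linux host.
SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$SYSFS" ]; then
    line=$(cat "$SYSFS")
else
    line='Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: SW loop, KVM: SW loop'
fi
echo "spectre_v2: $line"
echo "BHI field:  $(bhi_field "$line")"
echo "BHI state:  $(bhi_state "$line")"
```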