[SRU][Focal][PATCH 00/11] CVE-2024-2201
Juerg Haefliger
juerg.haefliger at canonical.com
Tue Apr 30 14:24:51 UTC 2024
There's a bunch of follow-on fixes that we probably want/need. They're also
missing from jammy but should come in through a regular stable update.
ec9404e40e8f x86/bhi: Add BHI mitigation knob
69129794d94c x86/bugs: Fix BHI retpoline check
5f882f3b0a8b x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
1cea8a280dfd x86/bugs: Fix BHI handling of RRSBA
cb2db5bb04d7 x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
dfe648903f42 x86/bugs: Fix BHI documentation
...Juerg
On Wed, 17 Apr 2024 19:53:50 -0400
Yuxuan Luo <yuxuan.luo at canonical.com> wrote:
> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. This vulnerability also affects KVM.
>
> [Backport]
> [1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs
> file”)
> - Since the prerequisite commit, 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”),
> introduces more conflicts yet only solves a printing-function conflict,
> manually substitute ',' with ';'.
>
> [2/8] 1e3ad78334a6 (“x86/syscall: Don't force use of indirect calls for system
> calls”)
> - (Details in the patch)
>
> [3/8] 7390db8aea0d (“x86/bhi: Add support for clearing branch history at syscall
> entry”)
> - Pick the stable/5.15.y backport since be5341eb0d43 (“x86/entry: Convert INT
> 0x80 emulation to IDTENTRY”) is not in the tree; changes made for common.h are
> discarded.
> - For entry_64.S, because bc7b11c04ee9 (“x86/asm/64: Change all ENTRY+END to
> SYM_CODE_*”) is not in the tree, substitute SYM_FUNC_START/SYM_FUNC_END with
> ENTRY/END.
> - A dependency issue occurs because ANNOTATE_INTRA_FUNCTION_CALL is not defined
>   and STACK_FRAME_NON_STANDARD is not provided with an assembly-code version;
>   the following dependent commits should be backported:
>   - 081df94301e3 (“objtool: Add asm version of STACK_FRAME_NON_STANDARD”)
>     - introduced the needed asm version of STACK_FRAME_NON_STANDARD.
>     - applied changes for include/linux/objtool.h to include/linux/frame.h and
>       ignored tools/include/linux/objtool.h.
>   - 5567c6c39f34 (“objtool: Only include valid definitions depending on source
>     file type”)
>     - adds __ASSEMBLY__ macros to differentiate C and ASM.
>   - 8aa8eb2a8f5b (“objtool: Add support for intra-function calls”)
>     - use stable/5.4.y: f8f25fde0cc680f6488aea6a0a1f80e689525e18
>     - introduced ANNOTATE_INTRA_FUNCTION_CALL.
>
> [4/8] 0f4a837615ff (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S”)
> - reverse_cpuid.h: since 4e66c0cb79b7 (“KVM: x86: Add support for reverse CPUID
> lookup of scattered features”) is not in the tree, there is no point
> backporting reverse_cpuid.h related changes.
>
> [5/8] be482ff95009 (“x86/bhi: Enumerate Branch History Injection (BHI) bug”)
> - Conflicts in both files can be ignored since they are all context differences.
>
> [6/8] ec9404e40e8f (“x86/bhi: Add BHI mitigation knob”)
> - This commit is backported in the same scheme as Jammy's.
>
> [7/8] 95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
> - Clean cherry pick.
>
> [8/8] ed2e8d49b54d (“KVM: x86: Add BHI_NO”)
> - Since 0204750bd4c6ccc2fb7417618477f10373b33f56 (“KVM: x86: Mask off
> unsupported and unknown bits of IA32_ARCH_CAPABILITIES”) is not in the tree,
> the feature is not supported; ignore this patch.
>
> [Test]
> Compiled only.
>
> [Where things could go wrong]
> This patch set is more about enabling CPU features and reducing the exposed
> branch history; therefore, the system being able to boot and run should
> indicate that it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due to system
> call substitution since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
>
> Alexandre Chartre (1):
> objtool: Add support for intra-function calls
>
> Daniel Sneddon (1):
> x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>
> Josh Poimboeuf (2):
> objtool: Add asm version of STACK_FRAME_NON_STANDARD
> x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Julien Thierry (1):
> objtool: Only include valid definitions depending on source file type
>
> Linus Torvalds (1):
> x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
> x86/bhi: Add support for clearing branch history at syscall entry
> x86/bhi: Enumerate Branch History Injection (BHI) bug
> x86/bhi: Add BHI mitigation knob
> x86/bhi: Mitigate KVM by default
>
> Yuxuan Luo (1):
> UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|OFF|ON}
>
> Documentation/admin-guide/hw-vuln/spectre.rst | 51 +++++++-
> .../admin-guide/kernel-parameters.txt | 12 ++
> arch/x86/Kconfig | 25 ++++
> arch/x86/entry/common.c | 11 +-
> arch/x86/entry/entry_64.S | 61 +++++++++
> arch/x86/entry/entry_64_compat.S | 3 +
> arch/x86/entry/syscall_32.c | 33 +++++
> arch/x86/entry/syscall_64.c | 27 ++++
> arch/x86/include/asm/cpufeatures.h | 12 ++
> arch/x86/include/asm/msr-index.h | 9 +-
> arch/x86/include/asm/nospec-branch.h | 17 +++
> arch/x86/include/asm/syscall.h | 4 +
> arch/x86/kernel/cpu/bugs.c | 121 ++++++++++++++++--
> arch/x86/kernel/cpu/common.c | 24 ++--
> arch/x86/kernel/cpu/scattered.c | 1 +
> arch/x86/kvm/vmx/vmenter.S | 2 +
> debian.master/config/annotations | 3 +
> include/linux/frame.h | 26 ++++
> .../Documentation/stack-validation.txt | 8 ++
> tools/objtool/arch/x86/decode.c | 6 +
> tools/objtool/check.c | 62 ++++++++-
> 21 files changed, 478 insertions(+), 40 deletions(-)
>
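As an added example (not code from this series or the kernel tree), a defender-side status check that parses the spectre_v2 sysfs line under both the old comma layout and the semicolon layout introduced by 0cd01ac5dcb1 (patch 1/8 above) and reports the BHI field; the sample lines and the SpectreV2Status / parse_spectre_v2 / bhi_status names are constructed here.

```python
"""Parse /sys/devices/system/cpu/vulnerabilities/spectre_v2 and report the BHI field.
Added example, not code from the patch series or the kernel tree. Commit
0cd01ac5dcb1 changes the field separator in this sysfs file from ',' to ';',
so a fleet-wide check has to accept both layouts."""
from dataclasses import dataclass

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed sample lines (illustrative, not captured from a real host):
# pre-backport comma layout without a BHI field, and post-backport semicolon
# layout whose BHI value itself contains a comma.
OLD_STYLE = ("Mitigation: Retpolines, IBPB: conditional, IBRS_FW, "
             "STIBP: conditional, RSB filling, PBRSB-eIBRS: Not affected")
NEW_STYLE = ("Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; "
             "RSB filling; PBRSB-eIBRS: Not affected; BHI: SW loop, KVM: SW loop")

@dataclass
class SpectreV2Status:
    mitigated: bool   # line starts with "Mitigation:"
    headline: str     # primary mitigation name, or the bare "Vulnerable"/"Not affected" text
    fields: dict      # e.g. {"IBPB": "conditional", "IBRS_FW": "present"}

def parse_spectre_v2(line: str) -> SpectreV2Status:
    """Split the status line on ';' (post-0cd01ac5dcb1) or ',' (older kernels)."""
    line = line.strip()
    # A semicolon anywhere means the new layout; only then may commas occur inside a value.
    sep = ";" if ";" in line else ","
    parts = [p.strip() for p in line.split(sep) if p.strip()]
    first = parts[0] if parts else ""
    mitigated = first.startswith("Mitigation:")
    headline = first[len("Mitigation:"):].strip() if mitigated else first
    fields = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        # Bare tokens such as "IBRS_FW" or "RSB filling" carry no value; record presence.
        fields[key.strip()] = value.strip() if value else "present"
    return SpectreV2Status(mitigated, headline, fields)

def bhi_status(status: SpectreV2Status) -> str:
    """Return the BHI field, or 'not reported' on kernels that predate the BHI patches."""
    return status.fields.get("BHI", "not reported")

def check_host(path: str = SYSFS_PATH) -> str:
    """Read the live sysfs file (Linux only) and report its BHI field."""
    with open(path, encoding="ascii") as fh:
        return bhi_status(parse_spectre_v2(fh.read()))
```

A kernel without the series returns "not reported" rather than a false "mitigated", which is the distinction a rollout check needs.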