| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jan 2018 09:07:08 +0000
From: "Woodhouse, David" <dwmw@...zon.co.uk>
To: Boris Petkov <bp@...en8.de>, Peter Zijlstra <peterz@...radead.org>,
"Thomas.Lendacky@....com" <Thomas.Lendacky@....com>
CC: "ak@...ux.intel.com" <ak@...ux.intel.com>,
"tim.c.chen@...ux.intel.com" <tim.c.chen@...ux.intel.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"x86@...nel.org" <x86@...nel.org>,
"riel@...hat.com" <riel@...hat.com>,
"keescook@...gle.com" <keescook@...gle.com>,
"gnomes@...rguk.ukuu.org.uk" <gnomes@...rguk.ukuu.org.uk>,
"pjt@...gle.com" <pjt@...gle.com>,
"Ghitulete, Razvan-alin" <rga@...zon.com>,
"dave.hansen@...el.com" <dave.hansen@...el.com>,
"luto@...capital.net" <luto@...capital.net>,
"jikos@...nel.org" <jikos@...nel.org>,
"gregkh@...ux-foundation.org" <gregkh@...ux-foundation.org>
Subject: Re: [PATCH] x86/retpoline: Fill return stack buffer on vmexit
On Thu, 2018-01-11 at 09:49 +0100, Boris Petkov wrote:
> On January 11, 2018 9:42:38 AM GMT+01:00, Peter Zijlstra wrote:
> >Or we teach the alternative thing to patch in a jmp to end instead of
> >NOP padding the entire thing as soon as the jmp (3 bytes) fits ?
>
> Or, even better: use alternative_call() to call functions instead of patching gazillion bytes.
For this one I kind of wanted to keep it as a macro so we can select
which register it uses. I've taken the bulk of it out of the
ALTERNATIVE, and just switch between the first 'mov' instruction and a
jmp over the whole lot.
Looks like this now...
From 302622182f56825b7cf2c39ce88ea8c462d587fe Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw@...zon.co.uk>
Date: Wed, 10 Jan 2018 22:32:24 +0000
Subject: [PATCH] x86/retpoline: Fill return stack buffer on vmexit
In accordance with the Intel and AMD documentation, we need to overwrite
all entries in the RSB on exiting a guest, to prevent malicious branch
target predictions from affecting the host kernel. This is needed both
for retpoline and for IBRS.
Signed-off-by: David Woodhouse <dwmw@...zon.co.uk>
---
arch/x86/include/asm/nospec-branch.h | 72 ++++++++++++++++++++++++++++++++++++
arch/x86/kvm/svm.c | 4 ++
arch/x86/kvm/vmx.c | 4 ++
3 files changed, 80 insertions(+)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 7d70ea9..8fbc8b9 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -7,6 +7,50 @@
#include <asm/alternative-asm.h>
#include <asm/cpufeatures.h>
+/*
+ * Fill the CPU return stack buffer.
+ *
+ * Each entry in the RSB, if used for a speculative 'ret', contains an
+ * infinite 'pause; jmp' loop to capture speculative execution.
+ *
+ * This is required in various cases for retpoline and IBRS-based
+ * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+ * eliminate potentially bogus entries from the RSB, and sometimes
+ * purely to ensure that it doesn't get empty, which on some CPUs would
+ * allow predictions from other (unwanted!) sources to be used.
+ *
+ * We define a CPP macro such that it can be used from both .S files and
+ * inline assembly. It's possible to do a .macro and then include that
+ * from C via asm(".include <asm/nospec-branch.h>") but let's not go there
Powered by blists - more mailing lists