| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Jul 2018 19:31:55 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Andy Lutomirski <luto@...nel.org>, X86 ML <x86@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
Borislav Petkov <bp@...en8.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Brian Gerst <brgerst@...il.com>,
Dominik Brodowski <linux@...inikbrodowski.net>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>,
xen-devel@...ts.xenproject.org, stable <stable@...r.kernel.org>
Subject: Re: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
On Mon, Jul 23, 2018 at 12:25 AM, Greg KH <gregkh@...uxfoundation.org> wrote:
> On Sun, Jul 22, 2018 at 11:05:09AM -0700, Andy Lutomirski wrote:
>> error_entry and error_exit communicate the user vs kernel status of
>> the frame using %ebx. This is unnecessary -- the information is in
>> regs->cs. Just use regs->cs.
>>
>> This makes error_entry simpler and makes error_exit more robust.
>>
>> It also fixes a nasty bug. Before all the Spectre nonsense, The
>> xen_failsafe_callback entry point returned like this:
>>
>> ALLOC_PT_GPREGS_ON_STACK
>> SAVE_C_REGS
>> SAVE_EXTRA_REGS
>> ENCODE_FRAME_POINTER
>> jmp error_exit
>>
>> And it did not go through error_entry. This was bogus: RBX
>> contained garbage, and error_exit expected a flag in RBX.
>> Fortunately, it generally contained *nonzero* garbage, so the
>> correct code path was used. As part of the Spectre fixes, code was
>> added to clear RBX to mitigate certain speculation attacks. Now,
>> depending on kernel configuration, RBX got zeroed and, when running
>> some Wine workloads, the kernel crashes. This was introduced by:
>>
>> commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
>> exceptions/interrupts, to reduce speculation attack surface")
>>
>> With this patch applied, RBX is no longer needed as a flag, and the
>> problem goes away.
>>
>> I suspect that malicious userspace could use this bug to crash the
>> kernel even without the offending patch applied, though.
>>
>> [Historical note: I wrote this patch as a cleanup before I was aware
>> of the bug it fixed.]
>>
>> [Note to stable maintainers: this should probably get applied to all
>> kernels. If you're nervous about that, a more conservative fix to
>> add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
>> also fix the problem.]
>>
>> Cc: Brian Gerst <brgerst@...il.com>
>> Cc: Borislav Petkov <bp@...en8.de>
>> Cc: Dominik Brodowski <linux@...inikbrodowski.net>
>> Cc: Ingo Molnar <mingo@...hat.com>
>> Cc: "H. Peter Anvin" <hpa@...or.com>
>> Cc: Thomas Gleixner <tglx@...utronix.de>
>> Cc: Boris Ostrovsky <boris.ostrovsky@...cle.com>
>> Cc: Juergen Gross <jgross@...e.com>
>> Cc: xen-devel@...ts.xenproject.org
>> Cc: x86@...nel.org
>> Cc: stable@...r.kernel.org
>> Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
>> Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@...box.com>
>> Signed-off-by: Andy Lutomirski <luto@...nel.org>
>> ---
>>
>> I could also submit the conservative fix tagged for -stable and respin
>> this on top of it. Ingo, Greg, what do you prefer?
>
> I don't care, this patch looks good to me to take as-is for the stable
> trees. If you trust it in Linus's tree, it should be fine for others :)
>
My concern is more that something may work differently in older
kernels and there might be some subtle issue. I'd be surprised, but
still.
Powered by blists - more mailing lists