lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALCETrXiQkR+k8Dz9-sOpU_J7VK1uokC0Tor3dw704n=jMepMA@mail.gmail.com>
Date:   Mon, 23 Jul 2018 19:31:55 -0700
From:   Andy Lutomirski <luto@...nel.org>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     Andy Lutomirski <luto@...nel.org>, X86 ML <x86@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Borislav Petkov <bp@...en8.de>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Brian Gerst <brgerst@...il.com>,
        Dominik Brodowski <linux@...inikbrodowski.net>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        Juergen Gross <jgross@...e.com>,
        xen-devel@...ts.xenproject.org, stable <stable@...r.kernel.org>
Subject: Re: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit

On Mon, Jul 23, 2018 at 12:25 AM, Greg KH <gregkh@...uxfoundation.org> wrote:
> On Sun, Jul 22, 2018 at 11:05:09AM -0700, Andy Lutomirski wrote:
>> error_entry and error_exit communicate the user vs kernel status of
>> the frame using %ebx.  This is unnecessary -- the information is in
>> regs->cs.  Just use regs->cs.
>>
>> This makes error_entry simpler and makes error_exit more robust.
>>
>> It also fixes a nasty bug.  Before all the Spectre nonsense, The
>> xen_failsafe_callback entry point returned like this:
>>
>>         ALLOC_PT_GPREGS_ON_STACK
>>         SAVE_C_REGS
>>         SAVE_EXTRA_REGS
>>         ENCODE_FRAME_POINTER
>>         jmp     error_exit
>>
>> And it did not go through error_entry.  This was bogus: RBX
>> contained garbage, and error_exit expected a flag in RBX.
>> Fortunately, it generally contained *nonzero* garbage, so the
>> correct code path was used.  As part of the Spectre fixes, code was
>> added to clear RBX to mitigate certain speculation attacks.  Now,
>> depending on kernel configuration, RBX got zeroed and, when running
>> some Wine workloads, the kernel crashes.  This was introduced by:
>>
>>     commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
>>     exceptions/interrupts, to reduce speculation attack surface")
>>
>> With this patch applied, RBX is no longer needed as a flag, and the
>> problem goes away.
>>
>> I suspect that malicious userspace could use this bug to crash the
>> kernel even without the offending patch applied, though.
>>
>> [Historical note: I wrote this patch as a cleanup before I was aware
>>  of the bug it fixed.]
>>
>> [Note to stable maintainers: this should probably get applied to all
>>  kernels.  If you're nervous about that, a more conservative fix to
>>  add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
>>  also fix the problem.]
>>
>> Cc: Brian Gerst <brgerst@...il.com>
>> Cc: Borislav Petkov <bp@...en8.de>
>> Cc: Dominik Brodowski <linux@...inikbrodowski.net>
>> Cc: Ingo Molnar <mingo@...hat.com>
>> Cc: "H. Peter Anvin" <hpa@...or.com>
>> Cc: Thomas Gleixner <tglx@...utronix.de>
>> Cc: Boris Ostrovsky <boris.ostrovsky@...cle.com>
>> Cc: Juergen Gross <jgross@...e.com>
>> Cc: xen-devel@...ts.xenproject.org
>> Cc: x86@...nel.org
>> Cc: stable@...r.kernel.org
>> Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
>> Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@...box.com>
>> Signed-off-by: Andy Lutomirski <luto@...nel.org>
>> ---
>>
>> I could also submit the conservative fix tagged for -stable and respin
>> this on top of it.  Ingo, Greg, what do you prefer?
>
> I don't care, this patch looks good to me to take as-is for the stable
> trees.  If you trust it in Linus's tree, it should be fine for others :)
>

My concern is more that something may work differently in older
kernels and there might be some subtle issue.  I'd be surprised, but
still.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ