| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jul 2018 15:13:46 -0400
From: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>
To: Tim Chen <tim.c.chen@...ux.intel.com>
Cc: Jiri Kosina <jikos@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...e.de>,
David Woodhouse <dwmw@...zon.co.uk>,
Peter Zijlstra <peterz@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel@...r.kernel.org, Josh Poimboeuf <jpoimboe@...hat.com>,
x86@...nel.org
Subject: Re: [PATCH v2] x86/bugs: protect against userspace-userspace
spectreRSB
On Mon, Jul 30, 2018 at 10:56:55AM -0700, Tim Chen wrote:
> On 07/26/2018 04:14 AM, Jiri Kosina wrote:
> > From: Jiri Kosina <jkosina@...e.cz>
> >
> > The article "Spectre Returns! Speculation Attacks using the Return Stack
> > Buffer" [1] describes two new (sub-)variants of spectrev2-like attack,
> > making use solely of the RSB contents even on CPUs that don't fallback to
> > BTB on RSB underflow (Skylake+).
> >
> > Mitigate userspace-userspace attacks by always unconditionally filling RSB on
> > context switch when generic spectrev2 mitigation has been enabled.
> >
> > [1] https://arxiv.org/pdf/1807.07940.pdf
> >
> > Reviewed-by: Josh Poimboeuf <jpoimboe@...hat.com>
> > Signed-off-by: Jiri Kosina <jkosina@...e.cz>
May I suggest:
CC: stable@...r.kernel.org ?
> > ---
> >
> > v1 -> v2:
> >
> > - Fixed typos/capatalization in SpectreRSB name
> > - Josh's Reviewed-by
> >
> > arch/x86/kernel/cpu/bugs.c | 38 +++++++-------------------------------
> > 1 file changed, 7 insertions(+), 31 deletions(-)
> >
> > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> > index 5c0ea39311fe..bc8c43b22460 100644
> > --- a/arch/x86/kernel/cpu/bugs.c
> > +++ b/arch/x86/kernel/cpu/bugs.c
> > @@ -313,23 +313,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
> > return cmd;
> > }
> >
> > -/* Check for Skylake-like CPUs (for RSB handling) */
> > -static bool __init is_skylake_era(void)
> > -{
> > - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
> > - boot_cpu_data.x86 == 6) {
> > - switch (boot_cpu_data.x86_model) {
> > - case INTEL_FAM6_SKYLAKE_MOBILE:
> > - case INTEL_FAM6_SKYLAKE_DESKTOP:
> > - case INTEL_FAM6_SKYLAKE_X:
> > - case INTEL_FAM6_KABYLAKE_MOBILE:
> > - case INTEL_FAM6_KABYLAKE_DESKTOP:
> > - return true;
> > - }
> > - }
> > - return false;
> > -}
> > -
> > static void __init spectre_v2_select_mitigation(void)
> > {
> > enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
> > @@ -390,22 +373,15 @@ static void __init spectre_v2_select_mitigation(void)
> > pr_info("%s\n", spectre_v2_strings[mode]);
> >
> > /*
> > - * If neither SMEP nor PTI are available, there is a risk of
> > - * hitting userspace addresses in the RSB after a context switch
> > - * from a shallow call stack to a deeper one. To prevent this fill
> > - * the entire RSB, even when using IBRS.
> > + * If spectre v2 protection has been enabled, unconditionally fill
> > + * RSB during a context switch; this protects against two independent
> > + * issues:
> > *
> > - * Skylake era CPUs have a separate issue with *underflow* of the
> > - * RSB, when they will predict 'ret' targets from the generic BTB.
> > - * The proper mitigation for this is IBRS. If IBRS is not supported
> > - * or deactivated in favour of retpolines the RSB fill on context
> > - * switch is required.
> > + * - RSB underflow (and switch to BTB) on Skylake+
> > + * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
> > */
> > - if ((!boot_cpu_has(X86_FEATURE_PTI) &&
> > - !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
> > - setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
> > - pr_info("Spectre v2 mitigation: Filling RSB on context switch\n");
> > - }
> > + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
> > + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
> >
> > /* Initialize Indirect Branch Prediction Barrier if supported */
> > if (boot_cpu_has(X86_FEATURE_IBPB)) {
> >
>
> Thanks for the patch. Looks good.
>
> Acked-by: Tim Chen <tim.c.chen@...ux.intel.com>
>
> Tim
Powered by blists - more mailing lists