Message-ID: <9bbcbaa7-b164-fcef-0588-7c5f25aa2440@molgen.mpg.de>
Date:   Thu, 10 Jan 2019 14:57:40 +0100
From:   Paul Menzel <pmenzel@...gen.mpg.de>
To:     Borislav Petkov <bp@...en8.de>
Cc:     Thomas Lendacky <Thomas.Lendacky@....com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Jiri Kosina <jikos@...nel.org>,
        "x86@...nel.org" <x86@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Tim Chen <tim.c.chen@...ux.intel.com>
Subject: Re: General protection fault in `switch_mm_irqs_off()`

Dear Borislav,


On 01/09/19 22:11, Borislav Petkov wrote:
> On Wed, Jan 09, 2019 at 05:34:11PM +0100, Paul Menzel wrote:
>> Is there a way to trace the value of `boot_cpu_data` from
>> `arch/x86/include/asm/cpufeature.h` with some Linux Kernel magic?
>>
>>     #define boot_cpu_has(bit)       cpu_has(&boot_cpu_data, bit)
>>
>> Or is rebuilding with print statements the only solution?
> 
> Yes. Just apply this and catch output. It is a wild guess anyway as
> this whole deal looks really strange but at least it should not #GP the
> machine.
> 
> ---
> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
> index dad12b767ba0..ec4688779900 100644
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -284,6 +284,9 @@ static inline void indirect_branch_prediction_barrier(void)
>  {
>  	u64 val = PRED_CMD_IBPB;
>  
> +	if (WARN_ON(boot_cpu_has(X86_FEATURE_USE_IBPB)))
> +		return;
> +
>  	alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
>  }
>  
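
Review bot: in indirect_branch_prediction_barrier(), the added early return tests the same flag that gates the write below it (X86_FEATURE_USE_IBPB is the feature argument to alternative_msr_write()), so whenever that flag is set the MSR_IA32_PRED_CMD write is skipped and no barrier is issued at all. That is fine for a one-off diagnostic, but it must stay out of any tree that is expected to carry the mitigation. The warning in the log on this page comes from switch_mm_irqs_off(), so plain WARN_ON() will print a full backtrace on each such call; WARN_ON_ONCE() would give the same evidence without flooding the log.
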
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 1de0f4170178..4ed4cc99a2c0 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -371,6 +371,8 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
>  	if (boot_cpu_has(X86_FEATURE_IBPB)) {
>  		setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
>  
> +		pr_err("%s: set X86_FEATURE_USE_IBPB\n", __func__);
> +
>  		switch (cmd) {
>  		case SPECTRE_V2_USER_CMD_FORCE:
>  		case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
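
Review bot: the pr_err() added after setup_force_cpu_cap() prints only __func__, so the log shows that the flag was forced but not which case of the `switch (cmd)` that follows is taken. Including `cmd` in the same message would tie the forced flag to the selected mode. The message is informational rather than an error, so pr_info() is the better fit if it is kept beyond this debugging round.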

Thank you very much. Indeed, the machine does not crash. I used Linus’
master branch for testing, and applied your patch on top. Please find
the full log attached.

```
$ git describe --tags origin/master
v5.0-rc1-26-g500cf822f80f
$ dmesg
[…]
[    7.262018] microcode: CPU0: patch_level=0x0600063e
[…]
[    3.198107] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
[…]
[    8.786863] Run /init as init process
[    8.792006] WARNING: CPU: 1 PID: 0 at ./arch/x86/include/asm/nospec-branch.h:287 switch_mm_irqs_off+0x5ec/0x680
[    8.802384] Modules linked in:
[    8.805586] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc1.mx64.236-00027-ged01f563987a #1
[    8.814529] Hardware name: ASUS KGPE-D16/KGPE-D16, BIOS 4.9-213-gdb866ba200 01/08/2019
[    8.822677] RIP: 0010:switch_mm_irqs_off+0x5ec/0x680
[    8.827801] Code: 31 d2 31 f6 e8 95 4a da 00 49 8b 06 48 85 c0 75 e7 e8 88 ee 06 00 44 89 fe 48 c7 c7 c0 a1 46 82 e8 69 88 06 00 e9 57 fc ff ff <0f> 0b e9 d3 fa ff ff 0f 0b e9 6b ff ff ff 0f 0b e9 22 fe ff ff 0f
[    8.847001] RSP: 0018:ffffc900062bfe20 EFLAGS: 00010003
[    8.852374] RAX: 052a310401c13fff RBX: ffff88881b748800 RCX: 0000000000000000
[    8.859655] RDX: 0000000000000001 RSI: ffff88881caed080 RDI: ffff88881b748800
[    8.866952] RBP: ffffc900062bfe70 R08: 000000020c098c00 R09: 0000000000000000
[    8.874237] R10: ffffc900062bfe88 R11: 0000000000000000 R12: ffffffff8247e460
[    8.881529] R13: 0000000000000000 R14: 0000000000000001 R15: ffff88881db28f00
[    8.888810] FS:  0000000000000000(0000) GS:ffff88881fa40000(0000) knlGS:0000000000000000
[    8.897146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    8.903066] CR2: 0000000000000000 CR3: 000000000240e000 CR4: 00000000000406e0
[    8.910398] Call Trace:
[    8.912994]  ? __schedule+0x1b9/0x7b0
[    8.916795]  __schedule+0x1b9/0x7b0
[    8.920436]  schedule_idle+0x1e/0x40
[    8.924155]  do_idle+0x146/0x200
[    8.927577]  cpu_startup_entry+0x19/0x20
[    8.931641]  start_secondary+0x183/0x1b0
[    8.935722]  secondary_startup_64+0xa4/0xb0
[    8.940066] ---[ end trace 948cf50690b0f4b1 ]---
```


Kind regards,

Paul

View attachment "coreboot-ucode-updates-0x0600063e-linux-5.0-rc1+-spectre_v2_user-auto.log" of type "text/x-log" (486372 bytes)

Download attachment "smime.p7s" of type "application/pkcs7-signature" (5174 bytes)
