| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jun 2020 21:42:18 -0700
From: Florian Fainelli <f.fainelli@...il.com>
To: linux-arm-kernel@...ts.infradead.org
Cc: stable@...r.kernel.org, will@...nel.org,
Will Deacon <will.deacon@....com>,
Florian Fainelli <f.fainelli@...il.com>,
Catalin Marinas <catalin.marinas@....com>,
Paolo Bonzini <pbonzini@...hat.com>,
Radim Krčmář <rkrcmar@...hat.com>,
Christoffer Dall <christoffer.dall@...aro.org>,
Marc Zyngier <marc.zyngier@....com>,
linux-kernel@...r.kernel.org (open list),
kvm@...r.kernel.org (open list:KERNEL VIRTUAL MACHINE (KVM)),
kvmarm@...ts.cs.columbia.edu (open list:KERNEL VIRTUAL MACHINE FOR
ARM64 (KVM/arm64))
Subject: [PATCH stable 4.9] arm64: entry: Place an SB sequence following an ERET instruction
From: Will Deacon <will.deacon@....com>
commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream
Some CPUs can speculate past an ERET instruction and potentially perform
speculative accesses to memory before processing the exception return.
Since the register state is often controlled by a lower privilege level
at the point of an ERET, this could potentially be used as part of a
side-channel attack.
This patch emits an SB sequence after each ERET so that speculation is
held up on exception return.
Signed-off-by: Will Deacon <will.deacon@....com>
[florian: Adjust hyp-entry.S to account for the label]
Signed-off-by: Florian Fainelli <f.fainelli@...il.com>
---
Will,
Can you confirm that for 4.9 these are the only places that require
patching? Thank you!
arch/arm64/kernel/entry.S | 2 ++
arch/arm64/kvm/hyp/entry.S | 1 +
arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++
3 files changed, 7 insertions(+)
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index ca978d7d98eb..3408c782702c 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -255,6 +255,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
.else
eret
.endif
+ sb
.endm
.macro get_thread_info, rd
@@ -945,6 +946,7 @@ __ni_sys_trace:
mrs x30, far_el1
.endif
eret
+ sb
.endm
.align 11
diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S
index a360ac6e89e9..bc5c6cdb8538 100644
--- a/arch/arm64/kvm/hyp/entry.S
+++ b/arch/arm64/kvm/hyp/entry.S
@@ -83,6 +83,7 @@ ENTRY(__guest_enter)
// Do not touch any register after this!
eret
+ sb
ENDPROC(__guest_enter)
ENTRY(__guest_exit)
diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S
index bf4988f9dae8..3675e7f0ab72 100644
--- a/arch/arm64/kvm/hyp/hyp-entry.S
+++ b/arch/arm64/kvm/hyp/hyp-entry.S
@@ -97,6 +97,7 @@ el1_sync: // Guest trapped into EL2
do_el2_call
2: eret
+ sb
el1_hvc_guest:
/*
@@ -147,6 +148,7 @@ wa_epilogue:
mov x0, xzr
add sp, sp, #16
eret
+ sb
el1_trap:
get_vcpu_ptr x1, x0
@@ -198,6 +200,7 @@ el2_error:
b.ne __hyp_panic
mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
eret
+ sb
ENTRY(__hyp_do_panic)
mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\
@@ -206,6 +209,7 @@ ENTRY(__hyp_do_panic)
ldr lr, =panic
msr elr_el2, lr
eret
+ sb
ENDPROC(__hyp_do_panic)
ENTRY(__hyp_panic)
--
2.17.1
Powered by blists - more mailing lists