| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Apr 2022 17:38:13 +0100
From: James Morse <james.morse@....com>
To: Will Deacon <will@...nel.org>
Cc: linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
gregkh@...uxfoundation.org, maz@...nel.org,
catalin.marinas@....com, mark.rutland@....com
Subject: Re: arm64 spectre-bhb backports break boot on stable kernels <= v5.4
Hi Will,
On 08/04/2022 17:21, Will Deacon wrote:
> On Fri, Apr 08, 2022 at 05:08:00PM +0100, James Morse wrote:
>> On 08/04/2022 13:00, Will Deacon wrote:
>>> Booting stable kernels <= v5.4 on arm64 with CONFIG_HARDEN_BRANCH_PREDICTOR=n
>>> results in a NULL pointer dereference during boot due to kvm_get_hyp_vector()
>>> dereferencing a NULL pointer from arm64_get_bp_hardening_data():
>>>
>>> [ 2.384444] Internal error: Oops: 96000004 [#1] PREEMPT SMP
>>> [ 2.384461] pstate: 20400085 (nzCv daIf +PAN -UAO)
>>> [ 2.384472] pc : cpu_hyp_reinit+0x114/0x30c
>>> [ 2.384476] lr : cpu_hyp_reinit+0x80/0x30c
>>> [ 2.385171] Kernel panic - not syncing: Fatal exception in interrupt
>>
>> Yikes!
>>
>> Interesting to know that stuff behind CONFIG_EXPERT has someone who cares about it.
>> (I was going to propose dropping the Kconfig option after a while).
> Yup! FWIW, the hardening options are enabled in Android (GKI), but this was
> reported to us externally by somebody using a custom config.
>>> I can bodge this as below (untested), but it's pretty grotty.
>>
>> I wanted to keep the detection code even if the feature is disabled so the sysfs reporting
>> is always correct.
>
> Makes sense. Another option is to check for ARM64_HARDEN_BRANCH_PREDICTOR in
> spectre_bhb_enable_mitigation(), but then I think the KVM code would need
> to query the mitigation state rather than just the cap.
It already does, but as you say KVM is only using the cap here.
>>> Please can you take a look?
>>
>> Ugh, arm64_get_bp_hardening_data() returns NULL with that Kconfig setup.
>>
>>
>> For v5.4, this fixes it for me:
>> --------------------%<--------------------
>> diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
>> index 78d110667c0c..ffe0aad96b17 100644
>> --- a/arch/arm64/include/asm/kvm_mmu.h
>> +++ b/arch/arm64/include/asm/kvm_mmu.h
>> @@ -479,7 +479,8 @@ static inline void *kvm_get_hyp_vector(void)
>> int slot = -1;
>>
>> if ((cpus_have_const_cap(ARM64_HARDEN_BRANCH_PREDICTOR) ||
>> - cpus_have_const_cap(ARM64_SPECTRE_BHB)) && data->template_start) {
>> + cpus_have_const_cap(ARM64_SPECTRE_BHB)) &&
>> + data && data->template_start) {
>> vect = kern_hyp_va(kvm_ksym_ref(__bp_harden_hyp_vecs_start));
>> slot = data->hyp_vectors_slot;
>> }
>
> That'll work, but will sysfs report that BHB is mitigated even if
> !ARM64_HARDEN_BRANCH_PREDICTOR?
The (!IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR) in check_branch_predictor() will set
__hardenbp_enab to false, which get_spectre_v2_workaround_state() picks up and causes
spectre_bhb_enable_mitigation() to skip all the mitigations, leaving state =
SPECTRE_VULNERABLE.
(The interactions with the other Spectre mitigations across the stable kernels
were/continue-to-be a pain in the neck)
>> --------------------%<--------------------
>>
>> I'll check the other versions and post patches to the stable list. Earlier stable
>> backports grew a dependency between these features as it wasn't possible to unpick the
>> dependencies.
>
> Cheers. I know 4.19 is busted too, but I didn't check 4.14.
Yup, I've just reproduced that one. I suspect v4.14 is where I added the Kconfig dependency.
Thanks,
James
Powered by blists - more mailing lists