lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Oct 2022 18:44:43 -0700 From: "pawan.kumar.gupta@...ux.intel.com" <pawan.kumar.gupta@...ux.intel.com> To: Andrew Cooper <Andrew.Cooper3@...rix.com> Cc: Suraj Jitindar Singh <surajjs@...zon.com>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "sjitindarsingh@...il.com" <sjitindarsingh@...il.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "x86@...nel.org" <x86@...nel.org>, "tglx@...utronix.de" <tglx@...utronix.de>, "mingo@...hat.com" <mingo@...hat.com>, "bp@...e.de" <bp@...e.de>, "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>, "seanjc@...gle.com" <seanjc@...gle.com>, "pbonzini@...hat.com" <pbonzini@...hat.com>, "peterz@...radead.org" <peterz@...radead.org>, "jpoimboe@...nel.org" <jpoimboe@...nel.org>, "daniel.sneddon@...ux.intel.com" <daniel.sneddon@...ux.intel.com>, "benh@...nel.crashing.org" <benh@...nel.crashing.org>, "stable@...r.kernel.org" <stable@...r.kernel.org> Subject: Re: [PATCH] x86/speculation: Mitigate eIBRS PBRSB predictions with WRMSR On Thu, Oct 06, 2022 at 02:42:10AM +0000, Andrew Cooper wrote: >On 05/10/2022 23:02, Suraj Jitindar Singh wrote: >> == Solution == >> >> The WRMSR instruction can be used as a speculation barrier and a serialising >> instruction. Use this on the VM exit path instead to ensure that a CALL >> instruction (in this case the call to vmx_spec_ctrl_restore_host) has retired >> before the prediction of a following unbalanced RET. > >While both of these sentences are true statements, you've missed the >necessary safety property. > >One CALL has to retire before *any* RET can execute. > >There are several ways the frontend can end up eventually consuming the >bad RSB entry; they all stem from an execute (not prediction) of the >next RET instruction. > >As to the change, ... > >> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c >> index c9b49a09e6b5..fdcd8e10c2ab 100644 >> --- a/arch/x86/kvm/vmx/vmx.c >> +++ b/arch/x86/kvm/vmx/vmx.c >> @@ -7049,8 +7049,13 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx, > >... out of context above this hunk is: > > if (!cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) > return; > >meaning that there is a return instruction which is programmatically >reachable ahead of the WRMSR. > >Whether it is speculatively reachable depends on whether the frontend >can see through the _static_cpu_has(), as well as >X86_FEATURE_MSR_SPEC_CTRL never becoming compile time evaluable. In this case wouldn't _static_cpu_has() be runtime patched to a JMP (<+8> below) or a NOP? RET (at <+13>) should not be reachable even speculatively. What am I missing? Dump of assembler code for function vmx_spec_ctrl_restore_host: arch/x86/kvm/vmx/vmx.c: u64 hostval = this_cpu_read(x86_spec_ctrl_current); <+0>: mov %gs:0x7e022e60(%rip),%r8 # 0x1ad48 <x86_spec_ctrl_current> ./arch/x86/include/asm/cpufeature.h: asm_volatile_goto( <+8>: jmp <vmx_spec_ctrl_restore_host+14> <+10>: nopl (%rax) <+13>: ret arch/x86/kvm/vmx/vmx.c: if (flags & VMX_RUN_SAVE_SPEC_CTRL) <+14>: and $0x2,%esi <+17>: je <vmx_spec_ctrl_restore_host+40> [...]
Powered by blists - more mailing lists