| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20221007014443.flhhnzrtdmcsst3x@desk>
Date: Thu, 6 Oct 2022 18:44:43 -0700
From: "pawan.kumar.gupta@...ux.intel.com"
<pawan.kumar.gupta@...ux.intel.com>
To: Andrew Cooper <Andrew.Cooper3@...rix.com>
Cc: Suraj Jitindar Singh <surajjs@...zon.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"sjitindarsingh@...il.com" <sjitindarsingh@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"mingo@...hat.com" <mingo@...hat.com>, "bp@...e.de" <bp@...e.de>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"seanjc@...gle.com" <seanjc@...gle.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"jpoimboe@...nel.org" <jpoimboe@...nel.org>,
"daniel.sneddon@...ux.intel.com" <daniel.sneddon@...ux.intel.com>,
"benh@...nel.crashing.org" <benh@...nel.crashing.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] x86/speculation: Mitigate eIBRS PBRSB predictions with
WRMSR
On Thu, Oct 06, 2022 at 02:42:10AM +0000, Andrew Cooper wrote:
>On 05/10/2022 23:02, Suraj Jitindar Singh wrote:
>> == Solution ==
>>
>> The WRMSR instruction can be used as a speculation barrier and a serialising
>> instruction. Use this on the VM exit path instead to ensure that a CALL
>> instruction (in this case the call to vmx_spec_ctrl_restore_host) has retired
>> before the prediction of a following unbalanced RET.
>
>While both of these sentences are true statements, you've missed the
>necessary safety property.
>
>One CALL has to retire before *any* RET can execute.
>
>There are several ways the frontend can end up eventually consuming the
>bad RSB entry; they all stem from an execute (not prediction) of the
>next RET instruction.
>
>As to the change, ...
>
>> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
>> index c9b49a09e6b5..fdcd8e10c2ab 100644
>> --- a/arch/x86/kvm/vmx/vmx.c
>> +++ b/arch/x86/kvm/vmx/vmx.c
>> @@ -7049,8 +7049,13 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx,
>
>... out of context above this hunk is:
>
> if (!cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL))
> return;
>
>meaning that there is a return instruction which is programmatically
>reachable ahead of the WRMSR.
>
>Whether it is speculatively reachable depends on whether the frontend
>can see through the _static_cpu_has(), as well as
>X86_FEATURE_MSR_SPEC_CTRL never becoming compile time evaluable.
In this case wouldn't _static_cpu_has() be runtime patched to a JMP
(<+8> below) or a NOP? RET (at <+13>) should not be reachable even
speculatively. What am I missing?
Dump of assembler code for function vmx_spec_ctrl_restore_host:
arch/x86/kvm/vmx/vmx.c:
u64 hostval = this_cpu_read(x86_spec_ctrl_current);
<+0>: mov %gs:0x7e022e60(%rip),%r8 # 0x1ad48 <x86_spec_ctrl_current>
./arch/x86/include/asm/cpufeature.h:
asm_volatile_goto(
<+8>: jmp <vmx_spec_ctrl_restore_host+14>
<+10>: nopl (%rax)
<+13>: ret
arch/x86/kvm/vmx/vmx.c:
if (flags & VMX_RUN_SAVE_SPEC_CTRL)
<+14>: and $0x2,%esi
<+17>: je <vmx_spec_ctrl_restore_host+40>
[...]
Powered by blists - more mailing lists