Message-ID: <5f064eb5-cabd-4adc-8c6f-6b2e449e3fe9@oracle.com>
Date: Thu, 23 May 2024 14:59:21 +0200
From: Alexandre Chartre <alexandre.chartre@...cle.com>
To: Andrew Cooper <andrew.cooper3@...rix.com>, x86@...nel.org,
kvm@...r.kernel.org
Cc: alexandre.chartre@...cle.com, linux-kernel@...r.kernel.org,
daniel.sneddon@...ux.intel.com, pawan.kumar.gupta@...ux.intel.com,
tglx@...utronix.de, konrad.wilk@...cle.com, peterz@...radead.org,
gregkh@...uxfoundation.org, seanjc@...gle.com,
dave.hansen@...ux.intel.com, nik.borisov@...e.com, kpsingh@...nel.org,
longman@...hat.com, bp@...en8.de, pbonzini@...hat.com,
"Kaplan, David" <david.kaplan@....com>
Subject: Re: [PATCH] x86/bhi: BHI mitigation can trigger warning in #DB handler
On 5/23/24 14:42, Andrew Cooper wrote:
> On 23/05/2024 1:33 pm, Alexandre Chartre wrote:
>> diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
>> index 11c9b8efdc4c..7fa04edc87e9 100644
>> --- a/arch/x86/entry/entry_64_compat.S
>> +++ b/arch/x86/entry/entry_64_compat.S
>> @@ -91,7 +91,6 @@ SYM_INNER_LABEL(entry_SYSENTER_compat_after_hwframe, SYM_L_GLOBAL)
>>
>> IBRS_ENTER
>> UNTRAIN_RET
>> - CLEAR_BRANCH_HISTORY
>>
>> /*
>> * SYSENTER doesn't filter flags, so we need to clear NT and AC
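Review bot: removing CLEAR_BRANCH_HISTORY here still leaves IBRS_ENTER and UNTRAIN_RET above the flags check, and UNTRAIN_RET has the same exposure if it expands to a call: that call runs with TF possibly still set and RIP outside entry_SYSENTER_compat. Either move all three macros together or state in the commit message why the two that remain in this position are safe.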
>> @@ -116,6 +115,12 @@ SYM_INNER_LABEL(entry_SYSENTER_compat_after_hwframe, SYM_L_GLOBAL)
>> jnz .Lsysenter_fix_flags
>> .Lsysenter_flags_fixed:
>>
>> + /*
>> + * CLEAR_BRANCH_HISTORY can call other functions. It should be invoked
>> + * after making sure TF is cleared because single-step is ignored only
>> + * for instructions inside the entry_SYSENTER_compat function.
>> + */
>> + CLEAR_BRANCH_HISTORY
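Review bot: the comment gives TF clearing as the reason but leaves the actual mechanism implicit; say that a #DB taken inside a function called from this macro is not recognised as a SYSENTER single-step because RIP is outside entry_SYSENTER_compat. Also, both paths converge on `.Lsysenter_flags_fixed:` only if the `.Lsysenter_fix_flags` slow path (not shown in this hunk) jumps back to this label rather than past it; please confirm that, since the mitigation now sits after the label rather than before the check.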
>
> Exactly the same is true of UNTRAIN_RET, although it will only manifest
> in i386 builds running on AMD hardware (SYSENTER is #UD on AMD hardware
> in Long mode.)
>
> #DB is IST so does handle its own speculation safety. It should be
> safe to move all the speculation safety logic in the sysenter handler to
> after .Lsysenter_flags_fixed:, I think?
>
Right, so something like this:
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -89,10 +89,6 @@ SYM_INNER_LABEL(entry_SYSENTER_compat_after_hwframe, SYM_L_GLOBAL)
cld
- IBRS_ENTER
- UNTRAIN_RET
- CLEAR_BRANCH_HISTORY
-
/*
* SYSENTER doesn't filter flags, so we need to clear NT and AC
* ourselves. To save a few cycles, we can check whether
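Review bot: the commit message should explain why IBRS_ENTER moves along with UNTRAIN_RET and CLEAR_BRANCH_HISTORY, since the subject only names the BHI mitigation and the thread so far only establishes the problem for CLEAR_BRANCH_HISTORY and UNTRAIN_RET. Record the reasoning from the reply above (the #DB handler is IST and does its own speculation safety, so the few instructions between `cld` and `.Lsysenter_flags_fixed:` can run before these mitigations) so that the reordering is not later mistaken for a regression and reverted.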
@@ -116,6 +112,15 @@ SYM_INNER_LABEL(entry_SYSENTER_compat_after_hwframe, SYM_L_GLOBAL)
jnz .Lsysenter_fix_flags
.Lsysenter_flags_fixed:
+ /*
+ * CPU bugs mitigations mechanisms can call other functions. They
+ * should be invoked after making sure TF is cleared because
+ * single-step is ignored only for instructions inside the
+ * entry_SYSENTER_compat function.
+ */
+ IBRS_ENTER
+ UNTRAIN_RET
+ CLEAR_BRANCH_HISTORY
movq %rsp, %rdi
call do_SYSENTER_32
jmp sysret32_from_system_call
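Review bot: "CPU bugs mitigations mechanisms" reads awkwardly; suggest "The CPU bug mitigation macros below can call other functions" and state the consequence, e.g. "a #DB taken in such a function with TF set is not treated as a SYSENTER single-step because RIP is outside entry_SYSENTER_compat". Also keep a blank line between CLEAR_BRANCH_HISTORY and `movq %rsp, %rdi` so the mitigation block and the call into do_SYSENTER_32 read as separate steps.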
alex.