[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240925211138.ccc6zodo7h5x3mvx@desk>
Date: Wed, 25 Sep 2024 14:11:38 -0700
From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
To: Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org,
Robert Gill <rtgill82@...il.com>,
Jari Ruusu <jariruusu@...tonmail.com>,
Brian Gerst <brgerst@...il.com>,
"Linux regression tracking (Thorsten Leemhuis)" <regressions@...mhuis.info>,
antonio.gomez.iglesias@...ux.intel.com,
daniel.sneddon@...ux.intel.com
Subject: Re: [PATCH v6 3/3] x86/bugs: Use stack segment selector for VERW
operand
On Thu, Sep 05, 2024 at 09:00:57AM -0700, Pawan Gupta wrote:
> Robert Gill reported below #GP in 32-bit mode when dosemu software was
> executing vm86() system call:
>
> general protection fault: 0000 [#1] PREEMPT SMP
> CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
> Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
> EIP: restore_all_switch_stack+0xbe/0xcf
> EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
> ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
> DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
> CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
> Call Trace:
> show_regs+0x70/0x78
> die_addr+0x29/0x70
> exc_general_protection+0x13c/0x348
> exc_bounds+0x98/0x98
> handle_exception+0x14d/0x14d
> exc_bounds+0x98/0x98
> restore_all_switch_stack+0xbe/0xcf
> exc_bounds+0x98/0x98
> restore_all_switch_stack+0xbe/0xcf
>
> This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS
> are enabled. This is because segment registers with an arbitrary user value
> can result in #GP when executing VERW. Intel SDM vol. 2C documents the
> following behavior for VERW instruction:
>
> #GP(0) - If a memory operand effective address is outside the CS, DS, ES,
> FS, or GS segment limit.
>
> CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user
> space. Use %ss selector to reference VERW operand. This ensures VERW will
> not #GP for an arbitrary user %ds.
>
> Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition")
> Cc: stable@...r.kernel.org # 5.10+
> Reported-by: Robert Gill <rtgill82@...il.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707
> Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.info/
> Suggested-by: Dave Hansen <dave.hansen@...ux.intel.com>
> Suggested-by: Brian Gerst <brgerst@...il.com> # Use %ss
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> ---
> arch/x86/include/asm/nospec-branch.h | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
> index ff5f1ecc7d1e..aa5ed1a59cde 100644
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -318,12 +318,14 @@
> /*
> * Macro to execute VERW instruction that mitigate transient data sampling
> * attacks such as MDS. On affected systems a microcode update overloaded VERW
> - * instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF.
> + * instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF. Using %ss
> + * to reference VERW operand avoids a #GP fault for an arbitrary user %ds in
> + * 32-bit mode.
> *
> * Note: Only the memory operand variant of VERW clears the CPU buffers.
> */
> .macro CLEAR_CPU_BUFFERS
> - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF
> + ALTERNATIVE "", __stringify(verw %ss:_ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF
Kselftest ldt_gdt.c in 32-bit mode results in oops when using SS. Dave
suggested to use CS instead, as it can't be user controlled. Using CS is
also more intuitive because the operand for verw i.e. mds_verw_sel is in
code section. With this change no oops were observed running kselftests, I
will be sending the updated version soon.
Powered by blists - more mailing lists