From: Juerg Haefliger X-Google-Original-From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][Trusty][PATCH] UBUNTU: SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps" Date: Fri, 27 Jul 2018 17:43:28 +0200 Message-Id: <20180727154328.29137-1-juergh@canonical.com> X-Mailer: git-send-email 2.17.1 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" CVE-2017-5715 (Spectre v2 retpoline) For whatever reason, our backport of "x86/retpoline/entry: Convert entry assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a functional difference for the Ubuntu kernel, fix it to be formally correct and equivalent to upstream. Also, the backport is incomplete (it doesn't convert the indirect jumps through the syscall table in ia32entry.S) and it introduces spaces instead of tabs. Fix that too, to be in line with upstream stable 3.16 and to prevent potential future conflicts when cherry-picking patches that modify these areas. Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps") Signed-off-by: Juerg Haefliger Acked-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza --- arch/x86/ia32/ia32entry.S | 18 +++++++++++++++++- arch/x86/kernel/entry_32.S | 6 +++--- arch/x86/kernel/entry_64.S | 14 +++++++------- 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S index aedd4b526243..cc9fa083175d 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -20,6 +20,7 @@ #include #include #include +#include /* Avoid __ASSEMBLER__'ifying just for this. */ #include 
@@ -176,7 +177,12 @@ sysenter_flags_fixed: sysenter_do_call: IA32_ARG_FIXUP sysenter_dispatch: +#ifdef CONFIG_RETPOLINE + movq ia32_sys_call_table(,%rax,8),%rax + call __x86_indirect_thunk_rax +#else call *ia32_sys_call_table(,%rax,8) +#endif movq %rax,RAX-ARGOFFSET(%rsp) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target) cstar_do_call: IA32_ARG_FIXUP 1 cstar_dispatch: +#ifdef CONFIG_RETPOLINE + movq ia32_sys_call_table(,%rax,8),%rax + call __x86_indirect_thunk_rax +#else call *ia32_sys_call_table(,%rax,8) +#endif movq %rax,RAX-ARGOFFSET(%rsp) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -458,7 +469,12 @@ ENTRY(ia32_syscall) ja ia32_badsys ia32_do_call: IA32_ARG_FIXUP +#ifdef CONFIG_RETPOLINE + movq ia32_sys_call_table(,%rax,8),%rax + call __x86_indirect_thunk_rax +#else call *ia32_sys_call_table(,%rax,8) # xxx: rip relative +#endif ia32_sysret: movq %rax,RAX-ARGOFFSET(%rsp) ia32_ret_from_sys_call: @@ -524,7 +540,7 @@ ia32_ptregs_common: CFI_REL_OFFSET rsp,RSP-ARGOFFSET /* CFI_REL_OFFSET ss,SS-ARGOFFSET*/ SAVE_REST - call *%rax + CALL_NOSPEC %rax RESTORE_REST jmp ia32_sysret /* misbalances the return cache */ CFI_ENDPROC diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S index afab84e0e50e..a250f31c0093 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread) pushl_cfi $0x0202 # Reset kernel eflags popfl_cfi movl PT_EBP(%esp),%eax - movl PT_EBX(%esp),%edx + movl PT_EBX(%esp), %edx CALL_NOSPEC %edx movl $0,PT_EAX(%esp) jmp syscall_exit @@ -435,7 +435,7 @@ sysenter_do_call: cmpl $(NR_syscalls), %eax jae sysenter_badsys #ifdef CONFIG_RETPOLINE - movl sys_call_table(,%eax,4), %eax + movl sys_call_table(,%eax,4),%eax call __x86_indirect_thunk_eax #else call *sys_call_table(,%eax,4) 
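Review bot: The three new `#ifdef CONFIG_RETPOLINE` dispatch sequences (`sysenter_dispatch`, `cstar_dispatch`, `ia32_do_call`) open-code `movq ia32_sys_call_table(,%rax,8),%rax` / `call __x86_indirect_thunk_rax` with no comment on why, while `ia32_ptregs_common` in the same file uses `CALL_NOSPEC %rax`; presumably the macro cannot take the memory-indirect table operand, so a one-liner above the first instance such as `# open-coded: CALL_NOSPEC wants a register operand, not the table entry` would stop a later backport from "simplifying" these back. The retpoline only hardens the indirect branch target: the `ja ia32_badsys` bounds check visible before `ia32_do_call` is not followed by a speculation mask on %rax, so unless an earlier patch adds one the table index stays reachable under Spectre v1 (out of scope for this fix, but worth tracking separately). The `# xxx: rip relative` remark now survives only on the un-mitigated `#else` path in `ia32_do_call`; it applies equally to the new `movq` and could sit above the `#ifdef`. All three entry routines start and end outside these hunks.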
@@ -521,7 +521,7 @@ ENTRY(system_call) jae syscall_badsys syscall_call: #ifdef CONFIG_RETPOLINE - movl sys_call_table(,%eax,4), %eax + movl sys_call_table(,%eax,4),%eax call __x86_indirect_thunk_eax #else call *sys_call_table(,%eax,4) diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S index 3b9377790eca..8cf5cfa4a8a2 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -61,8 +61,8 @@ #include #include #include -#include #include +#include /* Avoid __ASSEMBLER__'ifying just for this. */ #include @@ -709,9 +709,9 @@ system_call_fastpath: #endif ja badsys movq %r10,%rcx -#ifdef RETPOLINE - movq sys_call_table(, %rax, 8), %rax - call __x86_indirect_thunk_rax +#ifdef CONFIG_RETPOLINE + movq sys_call_table(, %rax, 8), %rax + call __x86_indirect_thunk_rax #else call *sys_call_table(,%rax,8) # XXX: rip relative #endif @@ -842,9 +842,9 @@ tracesys: #endif ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ movq %r10,%rcx /* fixup for C */ -#ifdef RETPOLINE - movq sys_call_table(, %rax, 8), %rax - call __x86_indirect_thunk_rax +#ifdef CONFIG_RETPOLINE + movq sys_call_table(, %rax, 8), %rax + call __x86_indirect_thunk_rax #else call *sys_call_table(,%rax,8) #endif
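Review bot: The `#ifdef CONFIG_RETPOLINE` guards in `system_call_fastpath` and `tracesys` give no hint that the previous spelling `RETPOLINE` is a different symbol, which is how the wrong guard got in; a comment at the guard, e.g. `#ifdef CONFIG_RETPOLINE	/* Kconfig symbol, not the compiler's -DRETPOLINE */`, would make the distinction visible. The commit message's "no functional difference" claim is worth a caveat: in upstream's Makefile `RETPOLINE` is only defined via `-DRETPOLINE` when the compiler accepts the retpoline options, and it is added to KBUILD_CFLAGS, which `.S` files do not see, so a `#ifdef RETPOLINE` in entry_64.S can silently assemble the plain `call *sys_call_table(,%rax,8)` — I cannot see Trusty's Makefile, so whether that applied here is unverified. A build-time check that the final `entry_64.o` contains no `call *sys_call_table` (e.g. grepping `objdump -d` output) would catch either guard regressing. Both routines begin and end outside the hunk.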