Message ID | 1535570260-9644-2-git-send-email-tyhicks@canonical.com
---|---
State | New
Series | CVE-2017-5715 - SpectreRSB sub-variant of Spectre v2
On 29.08.2018 21:17, Tyler Hicks wrote:
> From: Jiri Kosina <jkosina@suse.cz>
>
> The article "Spectre Returns! Speculation Attacks using the Return Stack
> Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks,
> making use solely of the RSB contents even on CPUs that don't fallback to
> BTB on RSB underflow (Skylake+).
>
> Mitigate userspace-userspace attacks by always unconditionally filling RSB on
> context switch when the generic spectrev2 mitigation has been enabled.
>
> [1] https://arxiv.org/pdf/1807.07940.pdf
>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
> Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: David Woodhouse <dwmw@amazon.co.uk>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: stable@vger.kernel.org
> Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm
>
> CVE-2017-5715 (SpectreRSB sub-variant)
> CVE-2018-15572 (SpectreRSB)
>
> (cherry picked from commit fdf82a7856b32d905c39afc85e34364491e46346)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
With updated CVE number on commit.
> arch/x86/kernel/cpu/bugs.c | 38 +++++++-------------------------------
> 1 file changed, 7 insertions(+), 31 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 700b4c0a93a2..edfc64a8a154 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -322,23 +322,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) > return cmd; > } > > -/* Check for Skylake-like CPUs (for RSB handling) */ > -static bool __init is_skylake_era(void) > -{ > - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && > - boot_cpu_data.x86 == 6) { > - switch (boot_cpu_data.x86_model) { > - case INTEL_FAM6_SKYLAKE_MOBILE: > - case INTEL_FAM6_SKYLAKE_DESKTOP: > - case INTEL_FAM6_SKYLAKE_X: > - case INTEL_FAM6_KABYLAKE_MOBILE: > - case INTEL_FAM6_KABYLAKE_DESKTOP: > - return true; > - } > - } > - return false; > -} > - > static void __init spectre_v2_select_mitigation(void) > { > enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); 
> @@ -399,22 +382,15 @@ static void __init spectre_v2_select_mitigation(void) > pr_info("%s\n", spectre_v2_strings[mode]); > > /* > - * If neither SMEP nor PTI are available, there is a risk of > - * hitting userspace addresses in the RSB after a context switch > - * from a shallow call stack to a deeper one. To prevent this fill > - * the entire RSB, even when using IBRS. > + * If spectre v2 protection has been enabled, unconditionally fill > + * RSB during a context switch; this protects against two independent > + * issues: > * > - * Skylake era CPUs have a separate issue with *underflow* of the > - * RSB, when they will predict 'ret' targets from the generic BTB. > - * The proper mitigation for this is IBRS. If IBRS is not supported > - * or deactivated in favour of retpolines the RSB fill on context > - * switch is required. > + * - RSB underflow (and switch to BTB) on Skylake+ > + * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs > */ > - if ((!boot_cpu_has(X86_FEATURE_PTI) && > - !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { > - setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); > - pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); > - } > + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); > + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); > > /* Initialize Indirect Branch Prediction Barrier if supported */ > if (boot_cpu_has(X86_FEATURE_IBPB)) { >
On 08/29/18 21:17, Tyler Hicks wrote:
> From: Jiri Kosina <jkosina@suse.cz>
>
> The article "Spectre Returns! Speculation Attacks using the Return Stack
> Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks,
> making use solely of the RSB contents even on CPUs that don't fallback to
> BTB on RSB underflow (Skylake+).
>
> Mitigate userspace-userspace attacks by always unconditionally filling RSB on
> context switch when the generic spectrev2 mitigation has been enabled.
>
> [1] https://arxiv.org/pdf/1807.07940.pdf
>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
> Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: David Woodhouse <dwmw@amazon.co.uk>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: stable@vger.kernel.org
> Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm
>
> CVE-2017-5715 (SpectreRSB sub-variant)
> CVE-2018-15572
>
> (cherry picked from commit fdf82a7856b32d905c39afc85e34364491e46346)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
> ---
> arch/x86/kernel/cpu/bugs.c | 38 +++++++-------------------------------
> 1 file changed, 7 insertions(+), 31 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 700b4c0a93a2..edfc64a8a154 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -322,23 +322,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) > return cmd; > } > > -/* Check for Skylake-like CPUs (for RSB handling) */ > -static bool __init is_skylake_era(void) > -{ > - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && > - boot_cpu_data.x86 == 6) { > - switch (boot_cpu_data.x86_model) { > - case INTEL_FAM6_SKYLAKE_MOBILE: > - case INTEL_FAM6_SKYLAKE_DESKTOP: > - case INTEL_FAM6_SKYLAKE_X: > - case INTEL_FAM6_KABYLAKE_MOBILE: > - case INTEL_FAM6_KABYLAKE_DESKTOP: > - return true; > - } > - } > - return false; > -} > - > static void __init spectre_v2_select_mitigation(void) > { > enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); 
> @@ -399,22 +382,15 @@ static void __init spectre_v2_select_mitigation(void) > pr_info("%s\n", spectre_v2_strings[mode]); > > /* > - * If neither SMEP nor PTI are available, there is a risk of > - * hitting userspace addresses in the RSB after a context switch > - * from a shallow call stack to a deeper one. To prevent this fill > - * the entire RSB, even when using IBRS. > + * If spectre v2 protection has been enabled, unconditionally fill > + * RSB during a context switch; this protects against two independent > + * issues: > * > - * Skylake era CPUs have a separate issue with *underflow* of the > - * RSB, when they will predict 'ret' targets from the generic BTB. > - * The proper mitigation for this is IBRS. If IBRS is not supported > - * or deactivated in favour of retpolines the RSB fill on context > - * switch is required. > + * - RSB underflow (and switch to BTB) on Skylake+ > + * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs > */ > - if ((!boot_cpu_has(X86_FEATURE_PTI) && > - !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { > - setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); > - pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); > - } > + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); > + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); > > /* Initialize Indirect Branch Prediction Barrier if supported */ > if (boot_cpu_has(X86_FEATURE_IBPB)) { >
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 700b4c0a93a2..edfc64a8a154 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -322,23 +322,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) return cmd; } -/* Check for Skylake-like CPUs (for RSB handling) */ -static bool __init is_skylake_era(void) -{ - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && - boot_cpu_data.x86 == 6) { - switch (boot_cpu_data.x86_model) { - case INTEL_FAM6_SKYLAKE_MOBILE: - case INTEL_FAM6_SKYLAKE_DESKTOP: - case INTEL_FAM6_SKYLAKE_X: - case INTEL_FAM6_KABYLAKE_MOBILE: - case INTEL_FAM6_KABYLAKE_DESKTOP: - return true; - } - } - return false; -} - static void __init spectre_v2_select_mitigation(void) { enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); 
@@ -399,22 +382,15 @@ static void __init spectre_v2_select_mitigation(void) pr_info("%s\n", spectre_v2_strings[mode]); /* - * If neither SMEP nor PTI are available, there is a risk of - * hitting userspace addresses in the RSB after a context switch - * from a shallow call stack to a deeper one. To prevent this fill - * the entire RSB, even when using IBRS. + * If spectre v2 protection has been enabled, unconditionally fill + * RSB during a context switch; this protects against two independent + * issues: * - * Skylake era CPUs have a separate issue with *underflow* of the - * RSB, when they will predict 'ret' targets from the generic BTB. - * The proper mitigation for this is IBRS. If IBRS is not supported - * or deactivated in favour of retpolines the RSB fill on context - * switch is required. + * - RSB underflow (and switch to BTB) on Skylake+ + * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs */ - if ((!boot_cpu_has(X86_FEATURE_PTI) && - !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { - setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); - pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); - } + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); /* Initialize Indirect Branch Prediction Barrier if supported */ if (boot_cpu_has(X86_FEATURE_IBPB)) {
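Review bot: on the first hunk (removal of is_skylake_era()), the only caller shown anywhere in this patch is the one deleted in the second hunk, so the two hunks are consistent with each other, but the removed function was also the only visible user of the INTEL_FAM6_SKYLAKE_MOBILE/DESKTOP/X and INTEL_FAM6_KABYLAKE_MOBILE/DESKTOP model constants; if nothing else in bugs.c uses them, the header that provides them is now an unused include and could be dropped in the same patch, and the backport tree should be grepped for any other is_skylake_era() caller that upstream does not have, since the removal would otherwise break the build.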
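Review bot: on the second hunk, the new comment reads "If spectre v2 protection has been enabled, unconditionally fill RSB", but the hunk itself no longer carries any condition: setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW) now runs for every path that reaches the preceding `pr_info("%s\n", spectre_v2_strings[mode]);`, so correctness depends on the early returns for the "none" command earlier in spectre_v2_select_mitigation(), which are outside this hunk and worth confirming in this backport tree. Two smaller points: the user-visible dmesg line changes from "Spectre v2 mitigation: Filling RSB on context switch" to "Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch", which anything matching on the old string will miss; and the removed comment's explanation that IBRS is the proper mitigation for Skylake RSB underflow, with the fill as a fallback when IBRS is unavailable or replaced by retpolines, is dropped rather than carried over. A sentence in the new comment saying why the unconditional fill now supersedes both the SMEP/PTI check and the Skylake check would help future readers.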