X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1827816
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Focal,Jammy,OEM-6.1,Lunar 0/3] CVE-2023-20588
Date: Wed, 30 Aug 2023 11:38:28 -0300
Message-Id: <20230830143837.220465-1-cascardo@canonical.com>

[Impact]
A division-by-zero error on some AMD processors can potentially return
speculative data resulting in loss of confidentiality.

[Backport]
There were some minimal conflicts resulting in this being backported before
the SRSO mitigation.

But for 5.4 kernels, the entry code has been changed. And instead of adopting
those changes and introducing new code here, I opted to not touch that divide
error entry code since the added function call added in the second patch is
removed in the third patch. Then, the places where it is called have moved and
I had to manually place them in their equivalent spots.

[Test case]
The test case here was looking at dmesg for the following line in one affected
part:
"AMD Zen1 DIV0 bug detected. Disable SMT for full protection."

I also tested that an integer division by zero in userspace doesn't cause any
crashes or hiccups in the kernel.

[Potential regression]
Booting on affected parts may be affected. Kernel exit and SVM may be affected
too. Also CPU vulnerability reporting may be affected.

Borislav Petkov (AMD) (3):
  x86/bugs: Increase the x86 bugs vector size to two u32s
  x86/CPU/AMD: Do not leak quotient data after a division by 0
  x86/CPU/AMD: Fix the DIV(0) initial fix attempt

 arch/x86/entry/common.c                  |  1 +
 arch/x86/include/asm/cpufeatures.h       |  4 +++-
 arch/x86/include/asm/processor.h         |  2 ++
 arch/x86/kernel/cpu/amd.c                | 20 ++++++++++++++++++++
 arch/x86/kvm/svm.c                       |  2 ++
 tools/arch/x86/include/asm/cpufeatures.h |  2 +-
 6 files changed, 29 insertions(+), 2 deletions(-)

Acked-by: Tim Gardner
Acked-by: Cengiz Can
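
The userspace check described under [Test case], as an added example that is not part of the original message or the patch series: a parent forks children that each perform an integer division by zero and confirms every fault stays contained to the child. The function names are hypothetical; on x86 the expected outcome is SIGFPE in every round.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the child was killed by SIGFPE (x86 #DE delivered as a signal),
 * 0 if it exited normally (architectures where integer division by zero does
 * not trap), and -1 on fork/wait failure or any other kind of termination. */
int div0_child_outcome(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        volatile int num = 1, den = 0, quot; /* volatile keeps the divide at -O2 */

        setrlimit(RLIMIT_CORE, &no_core);    /* no core file for the expected fault */
        quot = num / den;                    /* idiv with a zero divisor on x86 */
        _exit(0);                            /* reached only where division does not trap */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGFPE ? 1 : -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Repeats the check; returns how many rounds ended in SIGFPE, or -1 on error. */
int run_div0_rounds(int rounds)
{
    int trapped = 0;

    for (int i = 0; i < rounds; i++) {
        int r = div0_child_outcome();
        if (r < 0)
            return -1;
        trapped += r;
    }
    return trapped;
}

int main(void)
{
    int n = run_div0_rounds(16);
    printf("rounds ending in SIGFPE: %d of 16\n", n);
    return n < 0;
}
```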