From patchwork Wed Aug 30 14:38:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1827818 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=IDFqkQjg; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4RbRlB28Xvz1yZs for ; Thu, 31 Aug 2023 00:39:34 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1qbMLj-0006se-BT; Wed, 30 Aug 2023 14:39:17 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1qbMLV-0006lZ-7P for kernel-team@lists.ubuntu.com; Wed, 30 Aug 2023 14:39:01 +0000 Received: from quatroqueijos.lan (1.general.cascardo.us.vpn [10.172.70.58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id 321BC3F2A2 for ; Wed, 30 Aug 2023 14:38:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1693406339; bh=63MYSZWkceikq/4CfrB7iitARziyd3NkFze6s/qxssE=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=IDFqkQjgsW5DJ2NI6yh8xUwDSqBjnydd6OxnnWan4Rj3OsJXwriy48g6ENeFvS1+u EtNLkOKZIwj9zWOHZ/ClkfUly0sJWc3A0vUShJu9UPsA/aTeZSWPQ47Jvluxc3MtjP MqfPtfL8q/NEP4kWBf47SIn7pjJuP8CAnKNK/2jnca/4xovtG9FOWI9tZx6OElGLSY dlY257LiAQyTQTmzNnjYqsaf4eMIRLaxXh4cS/y1ez+0ra2nAHA15EwnGoHsLI+ayR VGzOKzC6zBgZAo2R2TrpzsctMVlRr+w7hUuU4erVz8n9YrywCNz0+5XCpC0Gi/34S1 PRFAk6vjNSNtQ== From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU Focal 3/3] x86/CPU/AMD: Fix the DIV(0) initial fix attempt Date: Wed, 30 Aug 2023 11:38:31 -0300 Message-Id: <20230830143837.220465-4-cascardo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230830143837.220465-1-cascardo@canonical.com> References: <20230830143837.220465-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: "Borislav Petkov (AMD)" Initially, it was thought that doing an innocuous division in the #DE handler would take care to prevent any leaking of old data from the divider but by the time the fault is raised, the speculation has already advanced too far and such data could already have been used by younger operations. Therefore, do the innocuous division on every exit to userspace so that userspace doesn't see any potentially old data from integer divisions in kernel space. Do the same before VMRUN too, to protect host data from leaking into the guest too. Fixes: 77245f1c3c64 ("x86/CPU/AMD: Do not leak quotient data after a division by 0") Signed-off-by: Borislav Petkov (AMD) Cc: Link: https://lore.kernel.org/r/20230811213824.10025-1-bp@alien8.de (backported from commit f58d6fbcb7c848b7f2469be339bc571f2e9d245b) [cascardo: context conflict fixup at arch/x86/kvm/svm/svm.c] [cascardo: call amd_clear_divider before vmload and at kernel exit] CVE-2023-20588 Signed-off-by: Thadeu Lima de Souza Cascardo --- arch/x86/entry/common.c | 1 + arch/x86/kernel/cpu/amd.c | 1 + arch/x86/kvm/svm.c | 2 ++ 3 files changed, 4 insertions(+) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 3f8e22615812..721109c0cf99 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -218,6 +218,7 @@ __visible inline void prepare_exit_to_usermode(struct pt_regs *regs) user_enter_irqoff(); mds_user_clear_cpu_buffers(); + amd_clear_divider(); } #define SYSCALL_EXIT_WORK_FLAGS \ diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index 5413f25cf9d7..d068bdfb3e56 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -1259,3 +1259,4 @@ void noinstr amd_clear_divider(void) asm volatile(ALTERNATIVE("", "div %2\n\t", X86_BUG_DIV0) :: "a" (0), "d" (0), "r" (1)); } +EXPORT_SYMBOL_GPL(amd_clear_divider); diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 7e66a2b1d4dd..c2885d4aa43d 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -5718,6 +5718,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) local_irq_enable(); + amd_clear_divider(); + asm volatile ( "push %%" _ASM_BP "; \n\t" "mov %c[rbx](%[svm]), %%" _ASM_BX " \n\t"