Message ID | 20180727154328.29137-1-juergh@canonical.com |
---|---|
State | New |
Series | [SRU,Trusty] UBUNTU: SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps" | expand |
On 27.07.2018 17:43, Juerg Haefliger wrote: > CVE-2017-5715 (Spectre v2 retpoline) > > For whatever reason, our backport of "x86/retpoline/entry: Convert entry > assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it > should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a fuctional > difference for the Ubuntu kernel, fix it to be formally correct and > equivalent to upstream. > > Also, the backport is incomplete (doesn't convert the indirect jumps > through the syscall table in ia32entry.S) and also introduces whitespaces > instead of tabs. Fix that too, to be in line with upstream stable 3.16 and > to prevent potential future conflicts when cherry picking patches that > modify these areas. > > Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps") > Signed-off-by: Juerg Haefliger <juergh@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > arch/x86/ia32/ia32entry.S | 18 +++++++++++++++++- > arch/x86/kernel/entry_32.S | 6 +++--- > arch/x86/kernel/entry_64.S | 14 +++++++------- > 3 files changed, 27 insertions(+), 11 deletions(-) > > diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S > index aedd4b526243..cc9fa083175d 100644 > --- a/arch/x86/ia32/ia32entry.S > +++ b/arch/x86/ia32/ia32entry.S > @@ -20,6 +20,7 @@ > #include <asm/spec_ctrl.h> > #include <linux/linkage.h> > #include <linux/err.h> > +#include <asm/nospec-branch.h> > > /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ > #include <linux/elf-em.h> > @@ -176,7 +177,12 @@ sysenter_flags_fixed: > sysenter_do_call: > IA32_ARG_FIXUP > sysenter_dispatch: > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) > +#endif > movq %rax,RAX-ARGOFFSET(%rsp) > DISABLE_INTERRUPTS(CLBR_NONE) > TRACE_IRQS_OFF 
> @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target) > cstar_do_call: > IA32_ARG_FIXUP 1 > cstar_dispatch: > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) > +#endif > movq %rax,RAX-ARGOFFSET(%rsp) > DISABLE_INTERRUPTS(CLBR_NONE) > TRACE_IRQS_OFF > @@ -458,7 +469,12 @@ ENTRY(ia32_syscall) > ja ia32_badsys > ia32_do_call: > IA32_ARG_FIXUP > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) # xxx: rip relative > +#endif > ia32_sysret: > movq %rax,RAX-ARGOFFSET(%rsp) > ia32_ret_from_sys_call: > @@ -524,7 +540,7 @@ ia32_ptregs_common: > CFI_REL_OFFSET rsp,RSP-ARGOFFSET > /* CFI_REL_OFFSET ss,SS-ARGOFFSET*/ > SAVE_REST > - call *%rax > + CALL_NOSPEC %rax > RESTORE_REST > jmp ia32_sysret /* misbalances the return cache */ > CFI_ENDPROC > diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S > index afab84e0e50e..a250f31c0093 100644 > --- a/arch/x86/kernel/entry_32.S > +++ b/arch/x86/kernel/entry_32.S > @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread) > pushl_cfi $0x0202 # Reset kernel eflags > popfl_cfi > movl PT_EBP(%esp),%eax > - movl PT_EBX(%esp),%edx > + movl PT_EBX(%esp), %edx > CALL_NOSPEC %edx > movl $0,PT_EAX(%esp) > jmp syscall_exit > @@ -435,7 +435,7 @@ sysenter_do_call: > cmpl $(NR_syscalls), %eax > jae sysenter_badsys > #ifdef CONFIG_RETPOLINE > - movl sys_call_table(,%eax,4), %eax > + movl sys_call_table(,%eax,4),%eax > call __x86_indirect_thunk_eax > #else > call *sys_call_table(,%eax,4) > @@ -521,7 +521,7 @@ ENTRY(system_call) > jae syscall_badsys > syscall_call: > #ifdef CONFIG_RETPOLINE > - movl sys_call_table(,%eax,4), %eax > + movl sys_call_table(,%eax,4),%eax > call __x86_indirect_thunk_eax > #else > call *sys_call_table(,%eax,4) > diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S > index 3b9377790eca..8cf5cfa4a8a2 100644 
> --- a/arch/x86/kernel/entry_64.S > +++ b/arch/x86/kernel/entry_64.S > @@ -61,8 +61,8 @@ > #include <asm/pgtable_types.h> > #include <asm/kaiser.h> > #include <asm/spec_ctrl.h> > -#include <linux/err.h> > #include <asm/nospec-branch.h> > +#include <linux/err.h> > > /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ > #include <linux/elf-em.h> > @@ -709,9 +709,9 @@ system_call_fastpath: > #endif > ja badsys > movq %r10,%rcx > -#ifdef RETPOLINE > - movq sys_call_table(, %rax, 8), %rax > - call __x86_indirect_thunk_rax > +#ifdef CONFIG_RETPOLINE > + movq sys_call_table(, %rax, 8), %rax > + call __x86_indirect_thunk_rax > #else > call *sys_call_table(,%rax,8) # XXX: rip relative > #endif > @@ -842,9 +842,9 @@ tracesys: > #endif > ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ > movq %r10,%rcx /* fixup for C */ > -#ifdef RETPOLINE > - movq sys_call_table(, %rax, 8), %rax > - call __x86_indirect_thunk_rax > +#ifdef CONFIG_RETPOLINE > + movq sys_call_table(, %rax, 8), %rax > + call __x86_indirect_thunk_rax > #else > call *sys_call_table(,%rax,8) > #endif >
On 07/27/18 17:43, Juerg Haefliger wrote: > CVE-2017-5715 (Spectre v2 retpoline) > > For whatever reason, our backport of "x86/retpoline/entry: Convert entry > assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it > should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a fuctional > difference for the Ubuntu kernel, fix it to be formally correct and > equivalent to upstream. > > Also, the backport is incomplete (doesn't convert the indirect jumps > through the syscall table in ia32entry.S) and also introduces whitespaces > instead of tabs. Fix that too, to be in line with upstream stable 3.16 and > to prevent potential future conflicts when cherry picking patches that > modify these areas. > > Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps") > Signed-off-by: Juerg Haefliger <juergh@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > arch/x86/ia32/ia32entry.S | 18 +++++++++++++++++- > arch/x86/kernel/entry_32.S | 6 +++--- > arch/x86/kernel/entry_64.S | 14 +++++++------- > 3 files changed, 27 insertions(+), 11 deletions(-) > > diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S > index aedd4b526243..cc9fa083175d 100644 > --- a/arch/x86/ia32/ia32entry.S > +++ b/arch/x86/ia32/ia32entry.S > @@ -20,6 +20,7 @@ > #include <asm/spec_ctrl.h> > #include <linux/linkage.h> > #include <linux/err.h> > +#include <asm/nospec-branch.h> > > /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ > #include <linux/elf-em.h> > @@ -176,7 +177,12 @@ sysenter_flags_fixed: > sysenter_do_call: > IA32_ARG_FIXUP > sysenter_dispatch: > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) > +#endif > movq %rax,RAX-ARGOFFSET(%rsp) > DISABLE_INTERRUPTS(CLBR_NONE) > TRACE_IRQS_OFF 
> @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target) > cstar_do_call: > IA32_ARG_FIXUP 1 > cstar_dispatch: > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) > +#endif > movq %rax,RAX-ARGOFFSET(%rsp) > DISABLE_INTERRUPTS(CLBR_NONE) > TRACE_IRQS_OFF > @@ -458,7 +469,12 @@ ENTRY(ia32_syscall) > ja ia32_badsys > ia32_do_call: > IA32_ARG_FIXUP > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) # xxx: rip relative > +#endif > ia32_sysret: > movq %rax,RAX-ARGOFFSET(%rsp) > ia32_ret_from_sys_call: > @@ -524,7 +540,7 @@ ia32_ptregs_common: > CFI_REL_OFFSET rsp,RSP-ARGOFFSET > /* CFI_REL_OFFSET ss,SS-ARGOFFSET*/ > SAVE_REST > - call *%rax > + CALL_NOSPEC %rax > RESTORE_REST > jmp ia32_sysret /* misbalances the return cache */ > CFI_ENDPROC > diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S > index afab84e0e50e..a250f31c0093 100644 > --- a/arch/x86/kernel/entry_32.S > +++ b/arch/x86/kernel/entry_32.S > @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread) > pushl_cfi $0x0202 # Reset kernel eflags > popfl_cfi > movl PT_EBP(%esp),%eax > - movl PT_EBX(%esp),%edx > + movl PT_EBX(%esp), %edx > CALL_NOSPEC %edx > movl $0,PT_EAX(%esp) > jmp syscall_exit > @@ -435,7 +435,7 @@ sysenter_do_call: > cmpl $(NR_syscalls), %eax > jae sysenter_badsys > #ifdef CONFIG_RETPOLINE > - movl sys_call_table(,%eax,4), %eax > + movl sys_call_table(,%eax,4),%eax > call __x86_indirect_thunk_eax > #else > call *sys_call_table(,%eax,4) > @@ -521,7 +521,7 @@ ENTRY(system_call) > jae syscall_badsys > syscall_call: > #ifdef CONFIG_RETPOLINE > - movl sys_call_table(,%eax,4), %eax > + movl sys_call_table(,%eax,4),%eax > call __x86_indirect_thunk_eax > #else > call *sys_call_table(,%eax,4) > diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S > index 3b9377790eca..8cf5cfa4a8a2 100644 
> --- a/arch/x86/kernel/entry_64.S > +++ b/arch/x86/kernel/entry_64.S > @@ -61,8 +61,8 @@ > #include <asm/pgtable_types.h> > #include <asm/kaiser.h> > #include <asm/spec_ctrl.h> > -#include <linux/err.h> > #include <asm/nospec-branch.h> > +#include <linux/err.h> > > /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ > #include <linux/elf-em.h> > @@ -709,9 +709,9 @@ system_call_fastpath: > #endif > ja badsys > movq %r10,%rcx > -#ifdef RETPOLINE > - movq sys_call_table(, %rax, 8), %rax > - call __x86_indirect_thunk_rax > +#ifdef CONFIG_RETPOLINE > + movq sys_call_table(, %rax, 8), %rax > + call __x86_indirect_thunk_rax > #else > call *sys_call_table(,%rax,8) # XXX: rip relative > #endif > @@ -842,9 +842,9 @@ tracesys: > #endif > ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ > movq %r10,%rcx /* fixup for C */ > -#ifdef RETPOLINE > - movq sys_call_table(, %rax, 8), %rax > - call __x86_indirect_thunk_rax > +#ifdef CONFIG_RETPOLINE > + movq sys_call_table(, %rax, 8), %rax > + call __x86_indirect_thunk_rax > #else > call *sys_call_table(,%rax,8) > #endif >
On 07/27/18 17:43, Juerg Haefliger wrote: > CVE-2017-5715 (Spectre v2 retpoline) > > For whatever reason, our backport of "x86/retpoline/entry: Convert entry > assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it > should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a fuctional > difference for the Ubuntu kernel, fix it to be formally correct and > equivalent to upstream. > > Also, the backport is incomplete (doesn't convert the indirect jumps > through the syscall table in ia32entry.S) and also introduces whitespaces > instead of tabs. Fix that too, to be in line with upstream stable 3.16 and > to prevent potential future conflicts when cherry picking patches that > modify these areas. > > Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps") > Signed-off-by: Juerg Haefliger <juergh@canonical.com> > --- > arch/x86/ia32/ia32entry.S | 18 +++++++++++++++++- > arch/x86/kernel/entry_32.S | 6 +++--- > arch/x86/kernel/entry_64.S | 14 +++++++------- > 3 files changed, 27 insertions(+), 11 deletions(-) > > diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S > index aedd4b526243..cc9fa083175d 100644 > --- a/arch/x86/ia32/ia32entry.S > +++ b/arch/x86/ia32/ia32entry.S > @@ -20,6 +20,7 @@ > #include <asm/spec_ctrl.h> > #include <linux/linkage.h> > #include <linux/err.h> > +#include <asm/nospec-branch.h> > > /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ > #include <linux/elf-em.h> > @@ -176,7 +177,12 @@ sysenter_flags_fixed: > sysenter_do_call: > IA32_ARG_FIXUP > sysenter_dispatch: > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) > +#endif > movq %rax,RAX-ARGOFFSET(%rsp) > DISABLE_INTERRUPTS(CLBR_NONE) > TRACE_IRQS_OFF 
> @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target) > cstar_do_call: > IA32_ARG_FIXUP 1 > cstar_dispatch: > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) > +#endif > movq %rax,RAX-ARGOFFSET(%rsp) > DISABLE_INTERRUPTS(CLBR_NONE) > TRACE_IRQS_OFF > @@ -458,7 +469,12 @@ ENTRY(ia32_syscall) > ja ia32_badsys > ia32_do_call: > IA32_ARG_FIXUP > +#ifdef CONFIG_RETPOLINE > + movq ia32_sys_call_table(,%rax,8),%rax > + call __x86_indirect_thunk_rax > +#else > call *ia32_sys_call_table(,%rax,8) # xxx: rip relative > +#endif > ia32_sysret: > movq %rax,RAX-ARGOFFSET(%rsp) > ia32_ret_from_sys_call: > @@ -524,7 +540,7 @@ ia32_ptregs_common: > CFI_REL_OFFSET rsp,RSP-ARGOFFSET > /* CFI_REL_OFFSET ss,SS-ARGOFFSET*/ > SAVE_REST > - call *%rax > + CALL_NOSPEC %rax > RESTORE_REST > jmp ia32_sysret /* misbalances the return cache */ > CFI_ENDPROC > diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S > index afab84e0e50e..a250f31c0093 100644 > --- a/arch/x86/kernel/entry_32.S > +++ b/arch/x86/kernel/entry_32.S > @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread) > pushl_cfi $0x0202 # Reset kernel eflags > popfl_cfi > movl PT_EBP(%esp),%eax > - movl PT_EBX(%esp),%edx > + movl PT_EBX(%esp), %edx > CALL_NOSPEC %edx > movl $0,PT_EAX(%esp) > jmp syscall_exit > @@ -435,7 +435,7 @@ sysenter_do_call: > cmpl $(NR_syscalls), %eax > jae sysenter_badsys > #ifdef CONFIG_RETPOLINE > - movl sys_call_table(,%eax,4), %eax > + movl sys_call_table(,%eax,4),%eax > call __x86_indirect_thunk_eax > #else > call *sys_call_table(,%eax,4) > @@ -521,7 +521,7 @@ ENTRY(system_call) > jae syscall_badsys > syscall_call: > #ifdef CONFIG_RETPOLINE > - movl sys_call_table(,%eax,4), %eax > + movl sys_call_table(,%eax,4),%eax > call __x86_indirect_thunk_eax > #else > call *sys_call_table(,%eax,4) > diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S > index 3b9377790eca..8cf5cfa4a8a2 100644 
> --- a/arch/x86/kernel/entry_64.S > +++ b/arch/x86/kernel/entry_64.S > @@ -61,8 +61,8 @@ > #include <asm/pgtable_types.h> > #include <asm/kaiser.h> > #include <asm/spec_ctrl.h> > -#include <linux/err.h> > #include <asm/nospec-branch.h> > +#include <linux/err.h> > > /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ > #include <linux/elf-em.h> > @@ -709,9 +709,9 @@ system_call_fastpath: > #endif > ja badsys > movq %r10,%rcx > -#ifdef RETPOLINE > - movq sys_call_table(, %rax, 8), %rax > - call __x86_indirect_thunk_rax > +#ifdef CONFIG_RETPOLINE > + movq sys_call_table(, %rax, 8), %rax > + call __x86_indirect_thunk_rax > #else > call *sys_call_table(,%rax,8) # XXX: rip relative > #endif > @@ -842,9 +842,9 @@ tracesys: > #endif > ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ > movq %r10,%rcx /* fixup for C */ > -#ifdef RETPOLINE > - movq sys_call_table(, %rax, 8), %rax > - call __x86_indirect_thunk_rax > +#ifdef CONFIG_RETPOLINE > + movq sys_call_table(, %rax, 8), %rax > + call __x86_indirect_thunk_rax > #else > call *sys_call_table(,%rax,8) > #endif > Hi Juerg, The patch was applied to trusty/master-next branch, however some fuzzing was needed. It seems that the context had been changed by the backport we did for: x86/syscall: Sanitize syscall table de-references under speculation The results look good and I compiled-tested it, but if you could double check it we would be more confident about it. Thanks, Kleber
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index aedd4b526243..cc9fa083175d 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -20,6 +20,7 @@
 #include <asm/spec_ctrl.h>
 #include <linux/linkage.h>
 #include <linux/err.h>
+#include <asm/nospec-branch.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
 #include <linux/elf-em.h>
@@ -176,7 +177,12 @@ sysenter_flags_fixed:
 sysenter_do_call:
 IA32_ARG_FIXUP
 sysenter_dispatch:
+#ifdef CONFIG_RETPOLINE
+ movq ia32_sys_call_table(,%rax,8),%rax
+ call __x86_indirect_thunk_rax
+#else
 call *ia32_sys_call_table(,%rax,8)
+#endif
 movq %rax,RAX-ARGOFFSET(%rsp)
 DISABLE_INTERRUPTS(CLBR_NONE)
 TRACE_IRQS_OFF
@@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target)
 cstar_do_call:
 IA32_ARG_FIXUP 1
 cstar_dispatch:
+#ifdef CONFIG_RETPOLINE
+ movq ia32_sys_call_table(,%rax,8),%rax
+ call __x86_indirect_thunk_rax
+#else
 call *ia32_sys_call_table(,%rax,8)
+#endif
 movq %rax,RAX-ARGOFFSET(%rsp)
 DISABLE_INTERRUPTS(CLBR_NONE)
 TRACE_IRQS_OFF
@@ -458,7 +469,12 @@ ENTRY(ia32_syscall)
 ja ia32_badsys
 ia32_do_call:
 IA32_ARG_FIXUP
+#ifdef CONFIG_RETPOLINE
+ movq ia32_sys_call_table(,%rax,8),%rax
+ call __x86_indirect_thunk_rax
+#else
 call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
+#endif
 ia32_sysret:
 movq %rax,RAX-ARGOFFSET(%rsp)
 ia32_ret_from_sys_call:
@@ -524,7 +540,7 @@ ia32_ptregs_common:
 CFI_REL_OFFSET rsp,RSP-ARGOFFSET
 /* CFI_REL_OFFSET ss,SS-ARGOFFSET*/
 SAVE_REST
- call *%rax
+ CALL_NOSPEC %rax
 RESTORE_REST
 jmp ia32_sysret /* misbalances the return cache */
 CFI_ENDPROC
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index afab84e0e50e..a250f31c0093 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread)
 pushl_cfi $0x0202 # Reset kernel eflags
 popfl_cfi
 movl PT_EBP(%esp),%eax
- movl PT_EBX(%esp),%edx
+ movl PT_EBX(%esp), %edx
 CALL_NOSPEC %edx
 movl $0,PT_EAX(%esp)
 jmp syscall_exit
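Review bot: In the `ia32_do_call:` hunk (and identically at `sysenter_dispatch:` and `cstar_dispatch:`) the new `movq ia32_sys_call_table(,%rax,8),%rax` dereferences the table straight after the `ja ia32_badsys` bounds check in the context, with no masking of %rax visible in between; the retpoline thunk only hardens the indirect call target (Spectre v2), it does nothing to stop a speculatively out-of-range %rax from indexing the table (Spectre v1). Kleber's follow-up says the context had to be fuzzed because the tree already carries "x86/syscall: Sanitize syscall table de-references under speculation", so the applied result should be checked to confirm that backport's index-clamping sequence still sits between the `ja` and the new `movq` on all three ia32 paths, not after the load. A short comment above each new block would keep the next backport from reordering them, e.g. `# %rax must already be clamped under speculation; the thunk below only protects the call target`. The enclosing `ia32_syscall`, `sysenter_do_call` and `cstar_do_call` bodies all begin before their hunks.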
@@ -435,7 +435,7 @@ sysenter_do_call:
 cmpl $(NR_syscalls), %eax
 jae sysenter_badsys
 #ifdef CONFIG_RETPOLINE
- movl sys_call_table(,%eax,4), %eax
+ movl sys_call_table(,%eax,4),%eax
 call __x86_indirect_thunk_eax
 #else
 call *sys_call_table(,%eax,4)
@@ -521,7 +521,7 @@ ENTRY(system_call)
 jae syscall_badsys
 syscall_call:
 #ifdef CONFIG_RETPOLINE
- movl sys_call_table(,%eax,4), %eax
+ movl sys_call_table(,%eax,4),%eax
 call __x86_indirect_thunk_eax
 #else
 call *sys_call_table(,%eax,4)
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 3b9377790eca..8cf5cfa4a8a2 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -61,8 +61,8 @@
 #include <asm/pgtable_types.h>
 #include <asm/kaiser.h>
 #include <asm/spec_ctrl.h>
-#include <linux/err.h>
 #include <asm/nospec-branch.h>
+#include <linux/err.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
 #include <linux/elf-em.h>
@@ -709,9 +709,9 @@ system_call_fastpath:
 #endif
 ja badsys
 movq %r10,%rcx
-#ifdef RETPOLINE
- movq sys_call_table(, %rax, 8), %rax
- call __x86_indirect_thunk_rax
+#ifdef CONFIG_RETPOLINE
+ movq sys_call_table(, %rax, 8), %rax
+ call __x86_indirect_thunk_rax
 #else
 call *sys_call_table(,%rax,8) # XXX: rip relative
 #endif
@@ -842,9 +842,9 @@ tracesys:
 #endif
 ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */
 movq %r10,%rcx /* fixup for C */
-#ifdef RETPOLINE
- movq sys_call_table(, %rax, 8), %rax
- call __x86_indirect_thunk_rax
+#ifdef CONFIG_RETPOLINE
+ movq sys_call_table(, %rax, 8), %rax
+ call __x86_indirect_thunk_rax
 #else
 call *sys_call_table(,%rax,8)
 #endif
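Review bot: The guard change from `#ifdef RETPOLINE` to `#ifdef CONFIG_RETPOLINE` at `system_call_fastpath:` and `tracesys:` is more than formal if this tree defines `RETPOLINE` the way upstream does, i.e. only when the compiler accepts `-mindirect-branch`: under the old guard a CONFIG_RETPOLINE=y kernel built with a toolchain lacking that support would silently assemble the plain `call *sys_call_table(,%rax,8)` on both 64-bit syscall paths, with no retpoline and no build error. The commit message's "doesn't make a functional difference for the Ubuntu kernel" presumably holds only for the toolchain Trusty is actually built with, and it is worth stating that and confirming in the built vmlinux (e.g. `objdump -d` around `system_call_fastpath`) that `call __x86_indirect_thunk_rax` is what was emitted. The move of `#include <linux/err.h>` below `<asm/nospec-branch.h>` is not explained in the message either; if it is just to match upstream ordering, a clause saying so would help future cherry-picks. The `system_call_fastpath` and `tracesys` bodies begin before their hunks.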
CVE-2017-5715 (Spectre v2 retpoline) For whatever reason, our backport of "x86/retpoline/entry: Convert entry assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a functional difference for the Ubuntu kernel, fix it to be formally correct and equivalent to upstream. Also, the backport is incomplete (doesn't convert the indirect jumps through the syscall table in ia32entry.S) and also introduces whitespaces instead of tabs. Fix that too, to be in line with upstream stable 3.16 and to prevent potential future conflicts when cherry picking patches that modify these areas. Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps") Signed-off-by: Juerg Haefliger <juergh@canonical.com> --- arch/x86/ia32/ia32entry.S | 18 +++++++++++++++++- arch/x86/kernel/entry_32.S | 6 +++--- arch/x86/kernel/entry_64.S | 14 +++++++------- 3 files changed, 27 insertions(+), 11 deletions(-)