Message ID | 20240826150125.1347359-1-yuxuan.luo@canonical.com |
---|---|
Series | CVE-2024-25744 |
On Mon, Aug 26, 2024 at 11:01:17AM -0400, Yuxuan Luo wrote:
> v2: The v1 patch would make Jammy vulnerable to CVE-2024-2201 Native BHI
> again, this v2 patch solves this issue.
>
> v3: Solved some errors for [8/8]: duplicated parts of re-backporting
> 7390db8aea0d ("x86/bhi: Add support for clearing branch history at
> syscall entry") and conflicts with ac8b270b61d4 ("x86/bhi: Avoid warning
> in #DB handler due to BHI mitigation").
>
> [Impact]
> In an x86 environment, untrusted virtual machines are able to send an
> interrupt that will be mistakenly interpreted by the host as an INT80
> interrupt sent from host userspace programs, posing a threat to
> the host's confidentiality.
>
> [Backport]
> For Jammy, a prerequisite, 1da5c9bc119d ("x86: Introduce
> ia32_enabled()"), for the patch set is needed as denoted in the fix
> commit message. And a follow-up fix, 32f5f73b79ff ("x86/fred: Fix INT80
> emulation for FRED"), can be ignored because it is FRED specific and
> FRED is yet to be introduced by 14619d912b65 ("x86/fred: FRED entry/exit
> and dispatch code").
>
> Since this fix also touches the same code base that the Native BHI fix
> modified, 7390db8aea0d ("x86/bhi: Add support for clearing branch
> history at syscall entry") needs to be backported again to adjust
> certain context, which requires f34f0d3c10eb ("x86/entry: Add
> do_SYSENTER_32() prototype") as a prerequisite.
>
> [Test]
> Compile and boot tested in a VM.
>
> [Where things could go wrong]
> It affects users running x32 operating system VMs on confidential
> computing VMMs.
>
> Arnd Bergmann (1):
>   x86/entry: Add do_SYSENTER_32() prototype
>
> Kirill A. Shutemov (1):
>   x86/coco: Disable 32-bit emulation by default on TDX and SEV
>
> Kuppuswamy Sathyanarayanan (1):
>   x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
>
> Lukas Bulwahn (1):
>   x86: Fix misspelled Kconfig symbols
>
> Nikolay Borisov (1):
>   x86: Introduce ia32_enabled()
>
> Pawan Gupta (1):
>   x86/bhi: Add support for clearing branch history at syscall entry
>
> Thomas Gleixner (2):
>   x86/entry: Convert INT 0x80 emulation to IDTENTRY
>   x86/entry: Do not allow external 0x80 interrupts
>
>  arch/x86/entry/common.c                     |  97 ++++++++++++++-
>  arch/x86/entry/entry_64_compat.S            | 114 ++----------------
>  arch/x86/include/asm/ia32.h                 |  23 +++-
>  arch/x86/include/asm/idtentry.h             |   4 +
>  arch/x86/include/asm/irq_stack.h            |   2 +-
>  arch/x86/include/asm/nospec-branch.h        |   4 +
>  arch/x86/include/asm/page_32.h              |   2 +-
>  arch/x86/include/asm/proto.h                |   4 -
>  arch/x86/include/asm/syscall.h              |   7 +-
>  arch/x86/include/asm/uaccess.h              |   2 +-
>  arch/x86/kernel/idt.c                       |   2 +-
>  arch/x86/mm/Makefile                        |   8 +-
>  .../mm/{mem_encrypt.c => mem_encrypt_amd.c} |  11 ++
>  arch/x86/xen/enlighten_pv.c                 |   2 +-
>  arch/x86/xen/xen-asm.S                      |   2 +-
>  15 files changed, 164 insertions(+), 120 deletions(-)
>  rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (97%)

Acked-by: Aaron Jauregui <aaron.jauregui@canonical.com>
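The [Impact] paragraph quoted above describes the bug class this series closes, and the last patch in it ("x86/entry: Do not allow external 0x80 interrupts") is the one that adds the actual check. The following is an added example, written for this page and not code from the kernel, the series or any of the posters: a user-space C model of that check. Upstream's handler distinguishes a real `int $0x80` from a vector-0x80 interrupt injected by the hypervisor by reading the local APIC's in-service register: a software INT never sets the ISR bit for its vector, an externally delivered interrupt does, and a kernel-mode entry is rejected outright because the kernel never issues INT 0x80 itself. The `fake_apic`, `fake_regs`, selector values and the one-entry syscall table here are constructed stand-ins, and the kernel-mode case returns a result code where the real handler panics.

```c
/*
 * Added example, not kernel code: a user-space model of the decision that
 * "x86/entry: Do not allow external 0x80 interrupts" adds to the INT 0x80
 * entry path. The APIC, register frame, selectors and the syscall table are
 * constructed stand-ins so that the model runs offline.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INT80_VECTOR    0x80
#define APIC_ISR_WORDS  8      /* 256 vectors, 32 per in-service word */
#define USER_CS32       0x23   /* assumed 32-bit user code selector, RPL 3 */
#define KERNEL_CS       0x10   /* assumed kernel code selector, RPL 0 */
#define ENOSYS          38

struct fake_apic {
    uint32_t isr[APIC_ISR_WORDS]; /* in-service bits, set only by external delivery */
    unsigned int eoi_count;
};

struct fake_regs {
    uint64_t orig_ax; /* 32-bit syscall number as seen by the entry code */
    uint64_t ax;      /* syscall return value */
    uint16_t cs;
};

enum int80_result {
    INT80_SYSCALL_RUN,           /* software INT 0x80 from user mode */
    INT80_EXTERNAL_DROPPED,      /* vector 0x80 delivered by the (untrusted) VMM */
    INT80_KERNEL_MODE_REJECTED,  /* the kernel never issues INT 0x80 itself */
};

static bool user_mode(const struct fake_regs *regs)
{
    return (regs->cs & 3) == 3;
}

/*
 * Same test as the kernel's int80_is_external(): a software INT never sets
 * the APIC in-service bit for its vector, an externally delivered one does.
 */
bool int80_is_external(const struct fake_apic *apic)
{
    return (apic->isr[INT80_VECTOR / 32] & (1u << (INT80_VECTOR % 32))) != 0;
}

static void apic_eoi(struct fake_apic *apic)
{
    apic->isr[INT80_VECTOR / 32] &= ~(1u << (INT80_VECTOR % 32));
    apic->eoi_count++;
}

/* Model the hypervisor delivering @vector to the guest as an external interrupt. */
void inject_external_interrupt(struct fake_apic *apic, unsigned int vector)
{
    apic->isr[vector / 32] |= 1u << (vector % 32);
}

/* Constructed 32-bit syscall table: nr 20 (getpid) answers 4242, all else -ENOSYS. */
static void do_int80_syscall_32(struct fake_regs *regs)
{
    regs->ax = (regs->orig_ax == 20) ? 4242 : (uint64_t)-ENOSYS;
}

/* Before the fix: anything arriving on vector 0x80 is run as a syscall. */
enum int80_result int80_entry_unchecked(struct fake_regs *regs, struct fake_apic *apic)
{
    (void)apic;
    do_int80_syscall_32(regs);
    return INT80_SYSCALL_RUN;
}

/* After the fix. The real handler panics on a kernel-mode entry; this model returns a code. */
enum int80_result int80_emulation(struct fake_regs *regs, struct fake_apic *apic)
{
    if (!user_mode(regs))
        return INT80_KERNEL_MODE_REJECTED;

    if (int80_is_external(apic)) {
        apic_eoi(apic);          /* acknowledge it, but run no syscall */
        return INT80_EXTERNAL_DROPPED;
    }

    do_int80_syscall_32(regs);
    return INT80_SYSCALL_RUN;
}

int main(void)
{
    struct fake_apic apic = {0};
    struct fake_regs regs = { .orig_ax = 20, .ax = 0, .cs = USER_CS32 };

    /* A real `int $0x80` from a 32-bit user process is still served. */
    int80_emulation(&regs, &apic);
    printf("software INT 0x80: ax=%llu\n", (unsigned long long)regs.ax);

    /* The same frame, but vector 0x80 injected from outside the guest. */
    regs.ax = 0;
    inject_external_interrupt(&apic, INT80_VECTOR);
    enum int80_result r = int80_emulation(&regs, &apic);
    printf("external 0x80: result=%d ax=%llu eoi=%u\n", r,
           (unsigned long long)regs.ax, apic.eoi_count);
    return 0;
}
```

The unchecked variant is kept beside the fixed one to show what the injection buys an attacker: a syscall executed with whatever the interrupted 32-bit process happened to hold in its registers, at a moment of the hypervisor's choosing. The ISR read is the whole cost of the fix on the hot path, which is why the series can afford to keep the 32-bit syscall ABI for real `int $0x80` callers while the companion coco patch turns 32-bit emulation off by default on TDX and SEV guests.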
Acked-by: Philip Cox <philip.cox@canonical.com>

On 2024-08-26 11:01 a.m., Yuxuan Luo wrote:
> v2: The v1 patch would make Jammy vulnerable to CVE-2024-2201 Native BHI
> again, this v2 patch solves this issue.
>
> v3: Solved some errors for [8/8]: duplicated parts of re-backporting
> 7390db8aea0d ("x86/bhi: Add support for clearing branch history at
> syscall entry") and conflicts with ac8b270b61d4 ("x86/bhi: Avoid warning
> in #DB handler due to BHI mitigation").
>
> [Impact]
> In an x86 environment, untrusted virtual machines are able to send an
> interrupt that will be mistakenly interpreted by the host as an INT80
> interrupt sent from host userspace programs, posing a threat to
> the host's confidentiality.
>
> [Backport]
> For Jammy, a prerequisite, 1da5c9bc119d ("x86: Introduce
> ia32_enabled()"), for the patch set is needed as denoted in the fix
> commit message. And a follow-up fix, 32f5f73b79ff ("x86/fred: Fix INT80
> emulation for FRED"), can be ignored because it is FRED specific and
> FRED is yet to be introduced by 14619d912b65 ("x86/fred: FRED entry/exit
> and dispatch code").
>
> Since this fix also touches the same code base that the Native BHI fix
> modified, 7390db8aea0d ("x86/bhi: Add support for clearing branch
> history at syscall entry") needs to be backported again to adjust
> certain context, which requires f34f0d3c10eb ("x86/entry: Add
> do_SYSENTER_32() prototype") as a prerequisite.
>
> [Test]
> Compile and boot tested in a VM.
>
> [Where things could go wrong]
> It affects users running x32 operating system VMs on confidential
> computing VMMs.
>
> Arnd Bergmann (1):
>   x86/entry: Add do_SYSENTER_32() prototype
>
> Kirill A. Shutemov (1):
>   x86/coco: Disable 32-bit emulation by default on TDX and SEV
>
> Kuppuswamy Sathyanarayanan (1):
>   x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
>
> Lukas Bulwahn (1):
>   x86: Fix misspelled Kconfig symbols
>
> Nikolay Borisov (1):
>   x86: Introduce ia32_enabled()
>
> Pawan Gupta (1):
>   x86/bhi: Add support for clearing branch history at syscall entry
>
> Thomas Gleixner (2):
>   x86/entry: Convert INT 0x80 emulation to IDTENTRY
>   x86/entry: Do not allow external 0x80 interrupts
>
>  arch/x86/entry/common.c                     |  97 ++++++++++++++-
>  arch/x86/entry/entry_64_compat.S            | 114 ++----------------
>  arch/x86/include/asm/ia32.h                 |  23 +++-
>  arch/x86/include/asm/idtentry.h             |   4 +
>  arch/x86/include/asm/irq_stack.h            |   2 +-
>  arch/x86/include/asm/nospec-branch.h        |   4 +
>  arch/x86/include/asm/page_32.h              |   2 +-
>  arch/x86/include/asm/proto.h                |   4 -
>  arch/x86/include/asm/syscall.h              |   7 +-
>  arch/x86/include/asm/uaccess.h              |   2 +-
>  arch/x86/kernel/idt.c                       |   2 +-
>  arch/x86/mm/Makefile                        |   8 +-
>  .../mm/{mem_encrypt.c => mem_encrypt_amd.c} |  11 ++
>  arch/x86/xen/enlighten_pv.c                 |   2 +-
>  arch/x86/xen/xen-asm.S                      |   2 +-
>  15 files changed, 164 insertions(+), 120 deletions(-)
>  rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (97%)
>
On 26.08.24 17:01, Yuxuan Luo wrote:
> v2: The v1 patch would make Jammy vulnerable to CVE-2024-2201 Native BHI
> again, this v2 patch solves this issue.
>
> v3: Solved some errors for [8/8]: duplicated parts of re-backporting
> 7390db8aea0d ("x86/bhi: Add support for clearing branch history at
> syscall entry") and conflicts with ac8b270b61d4 ("x86/bhi: Avoid warning
> in #DB handler due to BHI mitigation").
>
> [Impact]
> In an x86 environment, untrusted virtual machines are able to send an
> interrupt that will be mistakenly interpreted by the host as an INT80
> interrupt sent from host userspace programs, posing a threat to
> the host's confidentiality.
>
> [Backport]
> For Jammy, a prerequisite, 1da5c9bc119d ("x86: Introduce
> ia32_enabled()"), for the patch set is needed as denoted in the fix
> commit message. And a follow-up fix, 32f5f73b79ff ("x86/fred: Fix INT80
> emulation for FRED"), can be ignored because it is FRED specific and
> FRED is yet to be introduced by 14619d912b65 ("x86/fred: FRED entry/exit
> and dispatch code").
>
> Since this fix also touches the same code base that the Native BHI fix
> modified, 7390db8aea0d ("x86/bhi: Add support for clearing branch
> history at syscall entry") needs to be backported again to adjust
> certain context, which requires f34f0d3c10eb ("x86/entry: Add
> do_SYSENTER_32() prototype") as a prerequisite.
>
> [Test]
> Compile and boot tested in a VM.
>
> [Where things could go wrong]
> It affects users running x32 operating system VMs on confidential
> computing VMMs.
>
> Arnd Bergmann (1):
>   x86/entry: Add do_SYSENTER_32() prototype
>
> Kirill A. Shutemov (1):
>   x86/coco: Disable 32-bit emulation by default on TDX and SEV
>
> Kuppuswamy Sathyanarayanan (1):
>   x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
>
> Lukas Bulwahn (1):
>   x86: Fix misspelled Kconfig symbols
>
> Nikolay Borisov (1):
>   x86: Introduce ia32_enabled()
>
> Pawan Gupta (1):
>   x86/bhi: Add support for clearing branch history at syscall entry
>
> Thomas Gleixner (2):
>   x86/entry: Convert INT 0x80 emulation to IDTENTRY
>   x86/entry: Do not allow external 0x80 interrupts
>
>  arch/x86/entry/common.c                     |  97 ++++++++++++++-
>  arch/x86/entry/entry_64_compat.S            | 114 ++----------------
>  arch/x86/include/asm/ia32.h                 |  23 +++-
>  arch/x86/include/asm/idtentry.h             |   4 +
>  arch/x86/include/asm/irq_stack.h            |   2 +-
>  arch/x86/include/asm/nospec-branch.h        |   4 +
>  arch/x86/include/asm/page_32.h              |   2 +-
>  arch/x86/include/asm/proto.h                |   4 -
>  arch/x86/include/asm/syscall.h              |   7 +-
>  arch/x86/include/asm/uaccess.h              |   2 +-
>  arch/x86/kernel/idt.c                       |   2 +-
>  arch/x86/mm/Makefile                        |   8 +-
>  .../mm/{mem_encrypt.c => mem_encrypt_amd.c} |  11 ++
>  arch/x86/xen/enlighten_pv.c                 |   2 +-
>  arch/x86/xen/xen-asm.S                      |   2 +-
>  15 files changed, 164 insertions(+), 120 deletions(-)
>  rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (97%)
>

Applied to jammy:linux/master-next. Thanks.

-Stefan