[SRU,J,v2,0/8] CVE-2024-25744

Message ID 20240806225033.4181439-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo Aug. 6, 2024, 10:50 p.m. UTC
The v1 patch would make Jammy vulnerable to CVE-2024-2201 (Native BHI)
again; this v2 patch solves this issue.

[Impact]
In an x86 environment, untrusted virtual machines are able to send an
interrupt that will be mistakenly interpreted by the host as an INT80
interrupt sent from host userspace programs, posing a threat to
the host's confidentiality.

[Backport]
For Jammy, a prerequisite, 1da5c9bc119d ("x86: Introduce
ia32_enabled()"), for the patch set is needed as denoted in the fix
commit message. And a follow-up fix, 32f5f73b79ff ("x86/fred: Fix INT80
emulation for FRED"), can be ignored because it is FRED specific and
FRED is yet to be introduced by 14619d912b65 ("x86/fred: FRED entry/exit
and dispatch code").

Since this fix also touches the same code base that the Native BHI fix
modified, 7390db8aea0d ("x86/bhi: Add support for clearing branch
history at syscall entry") needs to be backported again to adjust
certain context, which requires f34f0d3c10eb ("x86/entry: Add
do_SYSENTER_32() prototype") as a prerequisite.

[Test]
Compile and boot tested in a VM.

[Where things could go wrong]
It affects users running x32 operating system VMs on confidential
computing VMMs.

Arnd Bergmann (1):
  x86/entry: Add do_SYSENTER_32() prototype

Kirill A. Shutemov (1):
  x86/coco: Disable 32-bit emulation by default on TDX and SEV

Kuppuswamy Sathyanarayanan (1):
  x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c

Lukas Bulwahn (1):
  x86: Fix misspelled Kconfig symbols

Nikolay Borisov (1):
  x86: Introduce ia32_enabled()

Pawan Gupta (1):
  x86/bhi: Add support for clearing branch history at syscall entry

Thomas Gleixner (2):
  x86/entry: Convert INT 0x80 emulation to IDTENTRY
  x86/entry: Do not allow external 0x80 interrupts

 arch/x86/entry/common.c                       |  97 ++++++++++++++-
 arch/x86/entry/entry_64_compat.S              | 114 ++----------------
 arch/x86/include/asm/ia32.h                   |  23 +++-
 arch/x86/include/asm/idtentry.h               |   4 +
 arch/x86/include/asm/irq_stack.h              |   2 +-
 arch/x86/include/asm/nospec-branch.h          |   4 +
 arch/x86/include/asm/page_32.h                |   2 +-
 arch/x86/include/asm/proto.h                  |   4 -
 arch/x86/include/asm/syscall.h                |   7 +-
 arch/x86/include/asm/uaccess.h                |   2 +-
 arch/x86/kernel/idt.c                         |   2 +-
 arch/x86/mm/Makefile                          |   8 +-
 .../mm/{mem_encrypt.c => mem_encrypt_amd.c}   |  11 ++
 arch/x86/xen/enlighten_pv.c                   |   2 +-
 arch/x86/xen/xen-asm.S                        |   2 +-
 15 files changed, 164 insertions(+), 120 deletions(-)
 rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (97%)

Comments

Aaron Jauregui Aug. 8, 2024, 12:33 a.m. UTC | #1
On Tue, Aug 06, 2024 at 06:50:25PM -0400, Yuxuan Luo wrote:

Acked-by: Aaron Jauregui <aaron.jauregui@canonical.com>
Kuan-Ying Lee Aug. 8, 2024, 5:18 a.m. UTC | #2
On Tue, Aug 06, 2024 at 06:50:25PM -0400, Yuxuan Luo wrote:

Acked-by: Kuan-Ying Lee <kuan-ying.lee@canonical.com>
Roxana Nicolescu Aug. 9, 2024, 3:24 p.m. UTC | #3
On 07/08/2024 00:50, Yuxuan Luo wrote:
Applied to jammy:linux master-next branch. Thanks!
Roxana Nicolescu Aug. 19, 2024, 12:34 p.m. UTC | #4
On 07/08/2024 00:50, Yuxuan Luo wrote:
I dropped these from jammy. Please address the comments from the previous
reply and send a v2.