From patchwork Tue Aug 6 22:50:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1969709 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WdpSD6Fzbz1yfh for ; Wed, 7 Aug 2024 08:50:52 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1sbT0s-0005bs-D8; Tue, 06 Aug 2024 22:50:42 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1sbT0q-0005bJ-I1 for kernel-team@lists.ubuntu.com; Tue, 06 Aug 2024 22:50:40 +0000 Received: from mail-qk1-f199.google.com (mail-qk1-f199.google.com [209.85.222.199]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 6A84D3F287 for ; Tue, 6 Aug 2024 22:50:40 +0000 (UTC) Received: by mail-qk1-f199.google.com with SMTP id af79cd13be357-79efb1181ddso108614585a.1 for ; Tue, 06 Aug 2024 15:50:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722984638; x=1723589438; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UzNBmxnZBQznJl8AkOO/aPMinGHAEqPMwebWJdRqdFo=; b=K3maZDoV7iXtEaKBeBOLypGVi+i1ieevCgZ6beE1nJ4Z1894pdyNoNZV74B+l4N17u K1SePHu65jnyt7OfyYU9egUrOmsj9cRb6nFyvk3yJPDUx2dtQFEYZ4ksaJVgA2kLwlDJ AblPdmKv2JRlf9lYybGtwbqT3bo5xlSsafhbBBSfHoyIWdXMy5YWA6ueijxQFPMzTr9R hH/eukA6PyYJ4ZsE5NtAkGv6t4BEInYcXAlSQpFkLkAI0+uCy18nAo+3v6b0ErYlBnbM 5K9X264APs/tSr0fFVM6lQCewBDzmA67lFF3E+UEP/2E/j0bKBouruwT95no5Rx1neFC cb1Q== X-Gm-Message-State: AOJu0YxIiz1jo7VcJxJqRFqZaYrphCYgAXr5BIAtJPCKBrDfwzPMVkSo KLTZ1Vc5Ra884o5bo8zdS2VeFVdedsI8o/JyiTqDOmUQU52JKd06yKcIkNpCvCke0FMQIj5/SZO PMzpYoYkkPqapIe9cP9I02qbMB1S8EbGIppLLCEJsXWIrNKLsQLSCy1F4FXFA6WN8LIpqz9RKmX nt25BM7GdmhgrR X-Received: by 2002:a05:620a:3915:b0:79f:329:6790 with SMTP id af79cd13be357-7a34efca0demr2180447485a.66.1722984638337; Tue, 06 Aug 2024 15:50:38 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGhAeQIimQw8BvVbhT3nQPG/G/EGJ87L7FIWUQsEzDvEWM/v9dhMzc/okjidPyJUiWOLOcMWA== X-Received: by 2002:a05:620a:3915:b0:79f:329:6790 with SMTP id af79cd13be357-7a34efca0demr2180445985a.66.1722984637922; Tue, 06 Aug 2024 15:50:37 -0700 (PDT) Received: from cache-ubuntu.hsd1.nj.comcast.net ([2001:67c:1562:8007::aac:4795]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7a3785e5c54sm4550885a.48.2024.08.06.15.50.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Aug 2024 15:50:37 -0700 (PDT) 
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 1/8] x86: Fix misspelled Kconfig symbols Date: Tue, 6 Aug 2024 18:50:26 -0400 Message-Id: <20240806225033.4181439-2-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Lukas Bulwahn Fix misspelled Kconfig symbols as detected by scripts/checkkconfigsymbols.py. [ bp: Combine into a single patch. ] Signed-off-by: Lukas Bulwahn Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210803113531.30720-7-lukas.bulwahn@gmail.com (cherry picked from commit 6bf8a55d8344df1f61a29b18c398bcdf3539e163) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/ia32.h | 2 +- arch/x86/include/asm/irq_stack.h | 2 +- arch/x86/include/asm/page_32.h | 2 +- arch/x86/include/asm/uaccess.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index 2c5f7861d373c..fada857f0a1ed 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h @@ -68,6 +68,6 @@ extern void ia32_pick_mmap_layout(struct mm_struct *mm); #endif -#endif /* !CONFIG_IA32_SUPPORT */ +#endif /* CONFIG_IA32_EMULATION */ #endif /* _ASM_X86_IA32_H */ diff --git a/arch/x86/include/asm/irq_stack.h b/arch/x86/include/asm/irq_stack.h index e087cd7837c31..22c5aa03ac77b 100644 --- a/arch/x86/include/asm/irq_stack.h +++ b/arch/x86/include/asm/irq_stack.h 
@@ -58,7 +58,7 @@ * the output constraints to make the compiler aware that R11 cannot be * reused after the asm() statement. * - * For builds with CONFIG_UNWIND_FRAME_POINTER ASM_CALL_CONSTRAINT is + * For builds with CONFIG_UNWINDER_FRAME_POINTER, ASM_CALL_CONSTRAINT is * required as well as this prevents certain creative GCC variants from * misplacing the ASM code. * diff --git a/arch/x86/include/asm/page_32.h b/arch/x86/include/asm/page_32.h index 94dbd51df58f8..b13f8488ac854 100644 --- a/arch/x86/include/asm/page_32.h +++ b/arch/x86/include/asm/page_32.h @@ -43,7 +43,7 @@ static inline void copy_page(void *to, void *from) { memcpy(to, from, PAGE_SIZE); } -#endif /* CONFIG_X86_3DNOW */ +#endif /* CONFIG_X86_USE_3DNOW */ #endif /* !__ASSEMBLY__ */ #endif /* _ASM_X86_PAGE_32_H */ diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 3616fd4ba3953..09b4958f5e474 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h 
@@ -412,7 +412,7 @@ do { \ : [umem] "m" (__m(addr)), \ [efault] "i" (-EFAULT), "0" (err)) -#endif // CONFIG_CC_ASM_GOTO_OUTPUT +#endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT #ifdef CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT #define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \
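Review bot: all four hunks in this patch touch only comment text (three `#endif` labels and one line of a block comment in irq_stack.h), so there is no functional change and the commit message could say so explicitly; its justification inside a CVE-2024-25744 backport series is as a prerequisite, because the next patch rewrites exactly the `#endif /* CONFIG_IA32_EMULATION */` line in arch/x86/include/asm/ia32.h that this patch produces, and the backport note would help a later reviewer by stating that dependency.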
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 2/8] x86: Introduce ia32_enabled() Date: Tue, 6 Aug 2024 18:50:27 -0400 Message-Id: <20240806225033.4181439-3-yuxuan.luo@canonical.com> In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com>

From: Nikolay Borisov IA32 support on 64bit kernels depends on whether CONFIG_IA32_EMULATION is selected or not. As it is a compile time option it doesn't provide the flexibility to have distributions set their own policy for IA32 support and give the user the flexibility to override it. As a first step introduce ia32_enabled() which abstracts whether IA32 compat is turned on or off. Upcoming patches will implement the ability to set IA32 compat state at boot time.

Signed-off-by: Nikolay Borisov Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20230623111409.3047467-2-nik.borisov@suse.com (cherry picked from commit 1da5c9bc119d3a749b519596b93f9b2667e93c4a) CVE-2024-25744 Signed-off-by: Yuxuan Luo

--- arch/x86/entry/common.c | 4 ++++ arch/x86/include/asm/ia32.h | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index e160f502d1dcf..3ea32cbca6513 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -96,6 +96,10 @@ static __always_inline int syscall_32_enter(struct pt_regs *regs) return (int)regs->orig_ax; } +#ifdef CONFIG_IA32_EMULATION +bool __ia32_enabled __ro_after_init = true; +#endif + /* * Invoke a 32-bit syscall. Called with IRQs on in CONTEXT_KERNEL. */
diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index fada857f0a1ed..5a2ae24b1204f 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h 
@@ -68,6 +68,20 @@ extern void ia32_pick_mmap_layout(struct mm_struct *mm); #endif -#endif /* CONFIG_IA32_EMULATION */ +extern bool __ia32_enabled; + +static inline bool ia32_enabled(void) +{ + return __ia32_enabled; +} + +#else /* !CONFIG_IA32_EMULATION */ + +static inline bool ia32_enabled(void) +{ + return IS_ENABLED(CONFIG_X86_32); +} + +#endif #endif /* _ASM_X86_IA32_H */
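Review bot: `__ia32_enabled` is defined `__ro_after_init` in the common.c hunk, so any setter the promised follow-up patches add for boot-time control has to run before the kernel write-protects read-only-after-init data; a one-line comment at the definition stating that constraint would spare the next reader a trip through the init ordering. Style point in the ia32.h hunk: the new `#else /* !CONFIG_IA32_EMULATION */` branch is closed by a bare `+#endif`, while the line it replaces carried `/* CONFIG_IA32_EMULATION */` and the neighbouring `#endif /* _ASM_X86_IA32_H */` keeps its label; restore the label on the new `#endif`.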
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 3/8] x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c Date: Tue, 6 Aug 2024 18:50:28 -0400 Message-Id: <20240806225033.4181439-4-yuxuan.luo@canonical.com> In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com>

From: Kuppuswamy Sathyanarayanan Both Intel TDX and AMD SEV implement memory encryption features. But the bulk of the code in mem_encrypt.c is AMD-specific. Rename the file to mem_encrypt_amd.c. A subsequent patch will extract the parts that can be shared by both TDX and AMD SEV/SME into a generic file. No functional changes.

Signed-off-by: Kuppuswamy Sathyanarayanan Signed-off-by: Kirill A. Shutemov Signed-off-by: Borislav Petkov Reviewed-by: Tony Luck Reviewed-by: Tom Lendacky Tested-by: Tom Lendacky Link: https://lore.kernel.org/r/20211206135505.75045-3-kirill.shutemov@linux.intel.com (cherry picked from commit dbca5e1a04f8b30aea4e2c91e5045ee6e7c3ef43) CVE-2024-25744 Signed-off-by: Yuxuan Luo

--- arch/x86/mm/Makefile | 8 ++++---- arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} | 0 2 files changed, 4 insertions(+), 4 deletions(-) rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (100%) diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index 5864219221ca8..c9c4806411536 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile
@@ -1,10 +1,10 @@ # SPDX-License-Identifier: GPL-2.0 # Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c KCOV_INSTRUMENT_tlb.o := n -KCOV_INSTRUMENT_mem_encrypt.o := n +KCOV_INSTRUMENT_mem_encrypt_amd.o := n KCOV_INSTRUMENT_mem_encrypt_identity.o := n -KASAN_SANITIZE_mem_encrypt.o := n +KASAN_SANITIZE_mem_encrypt_amd.o := n KASAN_SANITIZE_mem_encrypt_identity.o := n # Disable KCSAN entirely, because otherwise we get warnings that some functions @@ -12,7 +12,7 @@ KASAN_SANITIZE_mem_encrypt_identity.o := n KCSAN_SANITIZE := n ifdef CONFIG_FUNCTION_TRACER -CFLAGS_REMOVE_mem_encrypt.o = -pg +CFLAGS_REMOVE_mem_encrypt_amd.o = -pg CFLAGS_REMOVE_mem_encrypt_identity.o = -pg endif @@ -52,6 +52,6 @@ obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o obj-$(CONFIG_PAGE_TABLE_ISOLATION) += pti.o -obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt.o +obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_amd.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_identity.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_boot.o 
diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt_amd.c similarity index 100% rename from arch/x86/mm/mem_encrypt.c rename to arch/x86/mm/mem_encrypt_amd.c
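Review bot: the diffstat shows arch/x86/mm/Makefile as the only file changed besides the 100%-similarity rename, so the "no functional changes" claim holds for what is visible; before merging, confirm that nothing else in the tree still names `mem_encrypt.o` (other instrumentation-exclusion lists or build rules), since a stale reference would silently stop applying once the object is renamed. The Makefile comment `instrumentation of tlb.c and mem_encrypt*.c` still matches the new file name and needs no update.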
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 4/8] x86/coco: Disable 32-bit emulation by default on TDX and SEV Date: Tue, 6 Aug 2024 18:50:29 -0400 Message-Id: <20240806225033.4181439-5-yuxuan.luo@canonical.com> In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com>

From: "Kirill A. Shutemov" The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The kernel expects to receive a software interrupt as a result of the INT 0x80 instruction. However, an external interrupt on the same vector triggers the same handler. The kernel interprets an external interrupt on vector 0x80 as a 32-bit system call that came from userspace. A VMM can inject external interrupts on any arbitrary vector at any time. This remains true even for TDX and SEV guests where the VMM is untrusted. Put together, this allows an untrusted VMM to trigger int80 syscall handling at any given point. The content of the guest register file at that moment defines what syscall is triggered and its arguments. It opens the guest OS to manipulation from the VMM side. Disable 32-bit emulation by default for TDX and SEV. The user can override it with the ia32_emulation=y command line option. [ dhansen: reword the changelog ]

Reported-by: Supraja Sridhara Reported-by: Benedict Schlüter Reported-by: Mark Kuhne Reported-by: Andrin Bertschi Reported-by: Shweta Shinde Signed-off-by: Kirill A. Shutemov
Signed-off-by: Dave Hansen Reviewed-by: Thomas Gleixner Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+: 1da5c9b x86: Introduce ia32_enabled() Cc: # v6.0+ (backported from commit b82a8dbd3d2f4563156f7150c6f2ecab6e960b30) [yuxuan.luo: - mem_encrypt_amd.c: - two trivial conflicts are hard to solve, ignore them and apply the fix. - tdx.c: - Drop the change since TDX is not supported in the tree. ] CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/ia32.h | 7 +++++++ arch/x86/mm/mem_encrypt_amd.c | 11 +++++++++++ 2 files changed, 18 insertions(+) diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index 5a2ae24b1204f..9805629479d96 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h @@ -75,6 +75,11 @@ static inline bool ia32_enabled(void) return __ia32_enabled; } +static inline void ia32_disable(void) +{ + __ia32_enabled = false; +} + #else /* !CONFIG_IA32_EMULATION */ static inline bool ia32_enabled(void) @@ -82,6 +87,8 @@ static inline bool ia32_enabled(void) return IS_ENABLED(CONFIG_X86_32); } +static inline void ia32_disable(void) {} + #endif #endif /* _ASM_X86_IA32_H */ diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c index e29b1418d00c7..20a96183ae7ec 100644 --- a/arch/x86/mm/mem_encrypt_amd.c +++ b/arch/x86/mm/mem_encrypt_amd.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "mm_internal.h" 
@@ -196,6 +197,16 @@ void __init sme_early_init(void) if (sev_active()) swiotlb_force = SWIOTLB_FORCE; + + /* + * The VMM is capable of injecting interrupt 0x80 and triggering the + * compatibility syscall path. + * + * By default, the 32-bit emulation is disabled in order to ensure + * the safety of the VM. + */ + if (sev_status & MSR_AMD64_SEV_ENABLED) + ia32_disable(); } void __init sev_setup_arch(void)
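Review bot: the sme_early_init() hunk calls ia32_disable() unconditionally whenever `sev_status & MSR_AMD64_SEV_ENABLED`, while the commit message says `ia32_emulation=y` can override the default; because `__ia32_enabled` is `__ro_after_init` (patch 2 of this series), the parameter handler must run after this call and before read-only-after-init data is sealed, so the patch that adds the parameter should be cross-checked for that ordering, and nothing in this patch documents it. On the backport note: "two trivial conflicts are hard to solve, ignore them and apply the fix" does not tell a later reviewer what was dropped; name the conflicting context (which nearby lines or includes differed in the Ubuntu tree) so the claim that ignoring them is harmless can be verified.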
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 5/8] x86/entry: Convert INT 0x80 emulation to IDTENTRY Date: Tue, 6 Aug 2024 18:50:30 -0400 Message-Id: <20240806225033.4181439-6-yuxuan.luo@canonical.com> In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com>

From: Thomas Gleixner There is no real reason to have a separate ASM entry point implementation for the legacy INT 0x80 syscall emulation on 64-bit. IDTENTRY provides all the functionality needed with the only difference that it does not:
- save the syscall number (AX) into pt_regs::orig_ax
- set pt_regs::ax to -ENOSYS
Both can be done safely in the C code of an IDTENTRY before invoking any of the syscall related functions which depend on this convention. Aside from ASM code reduction this prepares for detecting and handling a local APIC injected vector 0x80. [ kirill.shutemov: More verbose comments ]

Suggested-by: Linus Torvalds Signed-off-by: Thomas Gleixner Signed-off-by: Kirill A. Shutemov Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+ (backported from commit be5341eb0d43b1e754799498bd2e8756cc167a41) [yuxuan.luo: - entry_64_compat.S: ignore the conflict and remove the macro. - proto.h: ignore the conflict and remove the declarations. ] CVE-2024-25744
Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 58 ++++++++++++++++- arch/x86/entry/entry_64_compat.S | 106 ------------------------------- arch/x86/include/asm/idtentry.h | 4 ++ arch/x86/include/asm/proto.h | 4 -- arch/x86/kernel/idt.c | 2 +- arch/x86/xen/enlighten_pv.c | 2 +- arch/x86/xen/xen-asm.S | 2 +- 7 files changed, 64 insertions(+), 114 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 3ea32cbca6513..5adc7a17f37c9 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c 
@@ -119,7 +119,62 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, int nr) } } -/* Handles int $0x80 */ +#ifdef CONFIG_IA32_EMULATION +/** + * int80_emulation - 32-bit legacy syscall entry + * + * This entry point can be used by 32-bit and 64-bit programs to perform + * 32-bit system calls. Instances of INT $0x80 can be found inline in + * various programs and libraries. It is also used by the vDSO's + * __kernel_vsyscall fallback for hardware that doesn't support a faster + * entry method. Restarted 32-bit system calls also fall back to INT + * $0x80 regardless of what instruction was originally used to do the + * system call. + * + * This is considered a slow path. It is not used by most libc + * implementations on modern hardware except during process startup. + * + * The arguments for the INT $0x80 based syscall are on stack in the + * pt_regs structure: + * eax: system call number + * ebx, ecx, edx, esi, edi, ebp: arg1 - arg 6 + */ +DEFINE_IDTENTRY_RAW(int80_emulation) +{ + int nr; + + /* Establish kernel context. */ + enter_from_user_mode(regs); + + instrumentation_begin(); + add_random_kstack_offset(); + + /* + * The low level idtentry code pushed -1 into regs::orig_ax + * and regs::ax contains the syscall number. + * + * User tracing code (ptrace or signal handlers) might assume + * that the regs::orig_ax contains a 32-bit number on invoking + * a 32-bit syscall. + * + * Establish the syscall convention by saving the 32bit truncated + * syscall number in regs::orig_ax and by invalidating regs::ax. 
+ */ + regs->orig_ax = regs->ax & GENMASK(31, 0); + regs->ax = -ENOSYS; + + nr = syscall_32_enter(regs); + + local_irq_enable(); + nr = syscall_enter_from_user_mode_work(regs, nr); + do_syscall_32_irqs_on(regs, nr); + + instrumentation_end(); + syscall_exit_to_user_mode(regs); +} +#else /* CONFIG_IA32_EMULATION */ + +/* Handles int $0x80 on a 32bit kernel */ __visible noinstr void do_int80_syscall_32(struct pt_regs *regs) { int nr = syscall_32_enter(regs); @@ -138,6 +193,7 @@ __visible noinstr void do_int80_syscall_32(struct pt_regs *regs) instrumentation_end(); syscall_exit_to_user_mode(regs); } +#endif /* !CONFIG_IA32_EMULATION */ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs) { diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index 4f67e01febc4f..118df23c28d45 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S 
@@ -330,109 +330,3 @@ sysret32_from_system_call: CLEAR_CPU_BUFFERS sysretl SYM_CODE_END(entry_SYSCALL_compat) - -/* - * 32-bit legacy system call entry. - * - * 32-bit x86 Linux system calls traditionally used the INT $0x80 - * instruction. INT $0x80 lands here. - * - * This entry point can be used by 32-bit and 64-bit programs to perform - * 32-bit system calls. Instances of INT $0x80 can be found inline in - * various programs and libraries. It is also used by the vDSO's - * __kernel_vsyscall fallback for hardware that doesn't support a faster - * entry method. Restarted 32-bit system calls also fall back to INT - * $0x80 regardless of what instruction was originally used to do the - * system call. - * - * This is considered a slow path. It is not used by most libc - * implementations on modern hardware except during process startup. - * - * Arguments: - * eax system call number - * ebx arg1 - * ecx arg2 - * edx arg3 - * esi arg4 - * edi arg5 - * ebp arg6 - */ -SYM_CODE_START(entry_INT80_compat) - UNWIND_HINT_ENTRY - /* - * Interrupts are off on entry. - */ - ASM_CLAC /* Do this early to minimize exposure */ - SWAPGS - - /* - * User tracing code (ptrace or signal handlers) might assume that - * the saved RAX contains a 32-bit number when we're invoking a 32-bit - * syscall. Just in case the high bits are nonzero, zero-extend - * the syscall number. (This could almost certainly be deleted - * with no ill effects.) - */ - movl %eax, %eax - - /* switch to thread stack expects orig_ax and rdi to be pushed */ - pushq %rax /* pt_regs->orig_ax */ - pushq %rdi /* pt_regs->di */ - - /* Need to switch before accessing the thread stack. */ - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi - - /* In the Xen PV case we already run on the thread stack. 
*/ - ALTERNATIVE "", "jmp .Lint80_keep_stack", X86_FEATURE_XENPV - - movq %rsp, %rdi - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp - - pushq 6*8(%rdi) /* regs->ss */ - pushq 5*8(%rdi) /* regs->rsp */ - pushq 4*8(%rdi) /* regs->eflags */ - pushq 3*8(%rdi) /* regs->cs */ - pushq 2*8(%rdi) /* regs->ip */ - pushq 1*8(%rdi) /* regs->orig_ax */ - pushq (%rdi) /* pt_regs->di */ -.Lint80_keep_stack: - - pushq %rsi /* pt_regs->si */ - xorl %esi, %esi /* nospec si */ - pushq %rdx /* pt_regs->dx */ - xorl %edx, %edx /* nospec dx */ - pushq %rcx /* pt_regs->cx */ - xorl %ecx, %ecx /* nospec cx */ - pushq $-ENOSYS /* pt_regs->ax */ - pushq %r8 /* pt_regs->r8 */ - xorl %r8d, %r8d /* nospec r8 */ - pushq %r9 /* pt_regs->r9 */ - xorl %r9d, %r9d /* nospec r9 */ - pushq %r10 /* pt_regs->r10*/ - xorl %r10d, %r10d /* nospec r10 */ - pushq %r11 /* pt_regs->r11 */ - xorl %r11d, %r11d /* nospec r11 */ - pushq %rbx /* pt_regs->rbx */ - xorl %ebx, %ebx /* nospec rbx */ - pushq %rbp /* pt_regs->rbp */ - xorl %ebp, %ebp /* nospec rbp */ - pushq %r12 /* pt_regs->r12 */ - xorl %r12d, %r12d /* nospec r12 */ - pushq %r13 /* pt_regs->r13 */ - xorl %r13d, %r13d /* nospec r13 */ - pushq %r14 /* pt_regs->r14 */ - xorl %r14d, %r14d /* nospec r14 */ - pushq %r15 /* pt_regs->r15 */ - xorl %r15d, %r15d /* nospec r15 */ - - UNWIND_HINT_REGS - - cld - - IBRS_ENTER - UNTRAIN_RET - CLEAR_BRANCH_HISTORY - - movq %rsp, %rdi - call do_int80_syscall_32 - jmp swapgs_restore_regs_and_return_to_usermode -SYM_CODE_END(entry_INT80_compat) diff --git a/arch/x86/include/asm/idtentry.h b/arch/x86/include/asm/idtentry.h index 1345088e99025..2ab668956741d 100644 --- a/arch/x86/include/asm/idtentry.h +++ b/arch/x86/include/asm/idtentry.h 
@@ -567,6 +567,10 @@ DECLARE_IDTENTRY_RAW(X86_TRAP_UD, exc_invalid_op); DECLARE_IDTENTRY_RAW(X86_TRAP_BP, exc_int3); DECLARE_IDTENTRY_RAW_ERRORCODE(X86_TRAP_PF, exc_page_fault); +#if defined(CONFIG_IA32_EMULATION) +DECLARE_IDTENTRY_RAW(IA32_SYSCALL_VECTOR, int80_emulation); +#endif + #ifdef CONFIG_X86_MCE #ifdef CONFIG_X86_64 DECLARE_IDTENTRY_MCE(X86_TRAP_MC, exc_machine_check); diff --git a/arch/x86/include/asm/proto.h b/arch/x86/include/asm/proto.h index feed36d44d044..c4d331fe65ffd 100644 --- a/arch/x86/include/asm/proto.h +++ b/arch/x86/include/asm/proto.h @@ -28,10 +28,6 @@ void entry_SYSENTER_compat(void); void __end_entry_SYSENTER_compat(void); void entry_SYSCALL_compat(void); void entry_SYSCALL_compat_safe_stack(void); -void entry_INT80_compat(void); -#ifdef CONFIG_XEN_PV -void xen_entry_INT80_compat(void); -#endif #endif void x86_configure_nx(void); diff --git a/arch/x86/kernel/idt.c b/arch/x86/kernel/idt.c index df0fa695bb09c..b9e806ac1de77 100644 --- a/arch/x86/kernel/idt.c +++ b/arch/x86/kernel/idt.c @@ -109,7 +109,7 @@ static const __initconst struct idt_data def_idts[] = { SYSG(X86_TRAP_OF, asm_exc_overflow), #if defined(CONFIG_IA32_EMULATION) - SYSG(IA32_SYSCALL_VECTOR, entry_INT80_compat), + SYSG(IA32_SYSCALL_VECTOR, asm_int80_emulation), #elif defined(CONFIG_X86_32) SYSG(IA32_SYSCALL_VECTOR, entry_INT80_32), #endif diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c index 998db0257e2ad..47aabc173b108 100644 --- a/arch/x86/xen/enlighten_pv.c +++ b/arch/x86/xen/enlighten_pv.c @@ -609,7 +609,7 @@ static struct trap_array_entry trap_array[] = { TRAP_ENTRY(exc_int3, false ), TRAP_ENTRY(exc_overflow, false ), #ifdef CONFIG_IA32_EMULATION - { entry_INT80_compat, xen_entry_INT80_compat, false }, + TRAP_ENTRY(int80_emulation, false ), #endif TRAP_ENTRY(exc_page_fault, false ), TRAP_ENTRY(exc_divide_error, false ), diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S index 1b757a1ee1bb6..56f2407564c2a 100644 
--- a/arch/x86/xen/xen-asm.S +++ b/arch/x86/xen/xen-asm.S 
@@ -151,7 +151,7 @@ xen_pv_trap asm_xenpv_exc_machine_check #endif /* CONFIG_X86_MCE */ xen_pv_trap asm_exc_simd_coprocessor_error #ifdef CONFIG_IA32_EMULATION -xen_pv_trap entry_INT80_compat +xen_pv_trap asm_int80_emulation #endif xen_pv_trap asm_exc_xen_unknown_trap xen_pv_trap asm_exc_xen_hypervisor_callback
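Review bot: Missing kernel-context check in the new DEFINE_IDTENTRY_RAW(int80_emulation) body (common.c hunk @@ -119,7 +119,62 @@): it calls enter_from_user_mode(regs) and goes straight to syscall dispatch, so a vector 0x80 interrupt that arrives while the CPU is in kernel mode, or an external one injected by a VMM while user space is running, is dispatched as a 32-bit syscall with whatever happens to be in regs->ax. Patch 6/8 in this series adds the user_mode(regs) and APIC ISR checks; the commit message should say so, so that 5/8 is never backported without 6/8.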
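Review bot: Removing entry_INT80_compat (entry_64_compat.S hunk @@ -330,109 +330,3 @@) also removes the `IBRS_ENTER`, `UNTRAIN_RET` and `CLEAR_BRANCH_HISTORY` sequence that ran before `call do_int80_syscall_32`, and nothing in the common.c replacement performs CLEAR_BRANCH_HISTORY before C code runs. On a tree that already carries the BHI mitigation this is a regression on the INT $0x80 path until 8/8 re-adds an assembly trampoline; the commit message should state that 5/8 and 8/8 must go together, and where the new path gets its equivalents of IBRS_ENTER and UNTRAIN_RET (the common idtentry entry code), so a backporter can verify it.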
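Review bot: The gate type is the security-relevant detail in the idt.c hunk (@@ -109,7 +109,7 @@) and it is preserved correctly: SYSG(IA32_SYSCALL_VECTOR, asm_int80_emulation) keeps the DPL 3 system gate that lets ring 3 execute INT $0x80 at all; a plain INTG here would turn every 32-bit legacy syscall into a #GP. One nit: the asm_ prefix names the stub generated by the DECLARE_IDTENTRY_RAW added in idtentry.h, which is worth a comment since the C function in common.c is int80_emulation without the prefix.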
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 6/8] x86/entry: Do not allow external 0x80 interrupts Date: Tue, 6 Aug 2024 18:50:31 -0400 Message-Id: <20240806225033.4181439-7-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Thomas Gleixner The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The kernel expects to receive a software interrupt as a result of the INT 0x80 instruction. However, an external interrupt on the same vector also triggers the same codepath. An external interrupt on vector 0x80 will currently be interpreted as a 32-bit system call, and assuming that it was a user context. Panic on external interrupts on the vector. To distinguish software interrupts from external ones, the kernel checks the APIC ISR bit relevant to the 0x80 vector. For software interrupts, this bit will be 0. Signed-off-by: Thomas Gleixner Signed-off-by: Kirill A. Shutemov Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+ (cherry picked from commit 55617fb991df535f953589586468612351575704) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 5adc7a17f37c9..d1594b4acf485 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -25,6 +25,7 @@ #include #endif +#include #include #include #include 
@@ -120,6 +121,25 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, int nr) } #ifdef CONFIG_IA32_EMULATION +static __always_inline bool int80_is_external(void) +{ + const unsigned int offs = (0x80 / 32) * 0x10; + const u32 bit = BIT(0x80 % 32); + + /* The local APIC on XENPV guests is fake */ + if (cpu_feature_enabled(X86_FEATURE_XENPV)) + return false; + + /* + * If vector 0x80 is set in the APIC ISR then this is an external + * interrupt. Either from broken hardware or injected by a VMM. + * + * Note: In guest mode this is only valid for secure guests where + * the secure module fully controls the vAPIC exposed to the guest. + */ + return apic_read(APIC_ISR + offs) & bit; +} + /** * int80_emulation - 32-bit legacy syscall entry * 
@@ -143,12 +163,27 @@ DEFINE_IDTENTRY_RAW(int80_emulation) { int nr; - /* Establish kernel context. */ + /* Kernel does not use INT $0x80! */ + if (unlikely(!user_mode(regs))) { + irqentry_enter(regs); + instrumentation_begin(); + panic("Unexpected external interrupt 0x80\n"); + } + + /* + * Establish kernel context for instrumentation, including for + * int80_is_external() below which calls into the APIC driver. + * Identical for soft and external interrupts. + */ enter_from_user_mode(regs); instrumentation_begin(); add_random_kstack_offset(); + /* Validate that this is a soft interrupt to the extent possible */ + if (unlikely(int80_is_external())) + panic("Unexpected external interrupt 0x80\n"); + /* * The low level idtentry code pushed -1 into regs::orig_ax * and regs::ax contains the syscall number.
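Review bot: The ISR addressing in int80_is_external() (common.c hunk @@ -120,6 +121,25 @@) is right but hard-codes the vector: offs = (0x80 / 32) * 0x10 = 0x40 selects the 32-bit ISR word covering vectors 128 to 159, and BIT(0x80 % 32) = BIT(0) is vector 0x80 within it. Using IA32_SYSCALL_VECTOR (already used for the SYSG entry in idt.c) instead of the literal 0x80 in both expressions would keep the check tied to the gate it protects. The caveat in the comment also deserves a sentence in the commit message: on a guest that is not a secure guest the VMM controls the vAPIC, so the in-service bit need not reflect an injected interrupt and the check is a partial defense only, and on XENPV it is skipped entirely.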
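Review bot: The two new checks in the @@ -143,12 +163,27 @@ hunk guard different arrival contexts and the comment should say so: !user_mode(regs) catches a 0x80 that fires while the CPU is in the kernel (which never executes INT $0x80), while int80_is_external() is the only thing that catches an external interrupt that lands while user space is running, because user_mode(regs) is true in that case too. The kernel-mode branch correctly calls irqentry_enter() and instrumentation_begin() before panic(), which is required because the function is noinstr; that ordering should not be "simplified" away in a later backport.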
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 7/8] x86/entry: Add do_SYSENTER_32() prototype Date: Tue, 6 Aug 2024 18:50:32 -0400 Message-Id: <20240806225033.4181439-8-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Arnd Bergmann The 32-bit system call entry points can be called on both 32-bit and 64-bit kernels, but on the former the declarations are hidden: arch/x86/entry/common.c:238:24: error: no previous prototype for 'do_SYSENTER_32' [-Werror=missing-prototypes] Move them all out of the #ifdef block to avoid the warnings. Signed-off-by: Arnd Bergmann Signed-off-by: Dave Hansen Reviewed-by: Alexander Lobakin Link: https://lore.kernel.org/all/20230516193549.544673-12-arnd%40kernel.org (cherry picked from commit f34f0d3c10eb4d3160fc6fe7a2482cb78d3b0c12) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/syscall.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index 825528bf0daf5..e873e95ff6bfc 100644 --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h
@@ -158,9 +158,11 @@ static inline int syscall_get_arch(struct task_struct *task) } void do_syscall_64(struct pt_regs *regs, int nr); -void do_int80_syscall_32(struct pt_regs *regs); -long do_fast_syscall_32(struct pt_regs *regs); #endif /* CONFIG_X86_32 */ +void do_int80_syscall_32(struct pt_regs *regs); +long do_fast_syscall_32(struct pt_regs *regs); +long do_SYSENTER_32(struct pt_regs *regs); + #endif /* _ASM_X86_SYSCALL_H */
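Review bot: After 5/8, do_int80_syscall_32() is only compiled when CONFIG_IA32_EMULATION is unset (it sits in the #else branch in common.c), so the now unconditional prototype in the @@ -158,9 +158,11 @@ hunk declares a function that does not exist on kernels built with IA32 emulation. Harmless, but a short comment or an #ifndef CONFIG_IA32_EMULATION guard around that one line would avoid a misleading declaration; do_fast_syscall_32() and do_SYSENTER_32() are built in all configurations and are fine to declare unconditionally.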
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 8/8] x86/bhi: Add support for clearing branch history at syscall entry Date: Tue, 6 Aug 2024 18:50:33 -0400 Message-Id: <20240806225033.4181439-9-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240806225033.4181439-1-yuxuan.luo@canonical.com> References: <20240806225033.4181439-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Pawan Gupta Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Alder Lake and newer processors support a hardware control BHI_DIS_S to mitigate BHI. For older processors Intel has released a software sequence to clear the branch history on parts that don't support BHI_DIS_S. Add support to execute the software sequence at syscall entry and VMexit to overwrite the branch history. For now, branch history is not cleared at interrupt entry, as malicious applications are not believed to have sufficient control over the registers, since previous register state is cleared at interrupt entry. Researchers continue to poke at this area and it may become necessary to clear at interrupt entry as well in the future. This mitigation is only defined here. It is enabled later. Signed-off-by: Pawan Gupta Co-developed-by: Daniel Sneddon Signed-off-by: Daniel Sneddon
Signed-off-by: Thomas Gleixner Reviewed-by: Alexandre Chartre Reviewed-by: Josh Poimboeuf (cherry picked from commit 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5) [yuxuan.luo: Backporting this commit again so that the fixes for CVE-2024-25744 will not make Jammy vulnerable to CVE-2024-2201 Native BHI again. ] CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 4 ++-- arch/x86/entry/entry_64_compat.S | 16 ++++++++++++++++ arch/x86/include/asm/nospec-branch.h | 4 ++++ arch/x86/include/asm/syscall.h | 1 + 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index d1594b4acf485..045e6615bf3b6 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -141,7 +141,7 @@ static __always_inline bool int80_is_external(void) } /** - * int80_emulation - 32-bit legacy syscall entry + * do_int80_emulation - 32-bit legacy syscall C entry from asm * * This entry point can be used by 32-bit and 64-bit programs to perform * 32-bit system calls. Instances of INT $0x80 can be found inline in @@ -159,7 +159,7 @@ static __always_inline bool int80_is_external(void) * eax: system call number * ebx, ecx, edx, esi, edi, ebp: arg1 - arg 6 */ -DEFINE_IDTENTRY_RAW(int80_emulation) +__visible noinstr void do_int80_emulation(struct pt_regs *regs) { int nr; diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index 118df23c28d45..f5d0744241ce8 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S @@ -114,6 +114,8 @@ SYM_INNER_LABEL(entry_SYSENTER_compat_after_hwframe, SYM_L_GLOBAL) cld + CLEAR_BRANCH_HISTORY + /* * SYSENTER doesn't filter flags, so we need to clear NT and AC * ourselves. To save a few cycles, we can check whether 
@@ -330,3 +332,17 @@ sysret32_from_system_call: CLEAR_CPU_BUFFERS sysretl SYM_CODE_END(entry_SYSCALL_compat) + +/* + * int 0x80 is used by 32 bit mode as a system call entry. Normally idt entries + * point to C routines, however since this is a system call interface the branch + * history needs to be scrubbed to protect against BHI attacks, and that + * scrubbing needs to take place in assembly code prior to entering any C + * routines. + */ +SYM_CODE_START(int80_emulation) + ANNOTATE_NOENDBR + UNWIND_HINT_FUNC + CLEAR_BRANCH_HISTORY + jmp do_int80_emulation +SYM_CODE_END(int80_emulation) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index de97843bdeb80..da464ccdf2269 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -241,6 +241,10 @@ extern void srso_alias_untrain_ret(void); extern void entry_untrain_ret(void); extern void entry_ibpb(void); +#ifdef CONFIG_X86_64 +extern void clear_bhb_loop(void); +#endif + extern void (*x86_return_thunk)(void); #ifdef CONFIG_X86_64 diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index e873e95ff6bfc..250a01782d6a5 100644 --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h @@ -158,6 +158,7 @@ static inline int syscall_get_arch(struct task_struct *task) } void do_syscall_64(struct pt_regs *regs, int nr); +void do_int80_emulation(struct pt_regs *regs); #endif /* CONFIG_X86_32 */
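Review bot: Renaming DEFINE_IDTENTRY_RAW(int80_emulation) to a plain `__visible noinstr void do_int80_emulation(struct pt_regs *regs)` (common.c hunk @@ -159,7 +159,7 @@) silently relies on the DECLARE_IDTENTRY_RAW(IA32_SYSCALL_VECTOR, int80_emulation) from 5/8 staying in idtentry.h: the asm_int80_emulation stub it generates still calls the symbol int80_emulation, which after this patch is the assembly trampoline in entry_64_compat.S rather than C. Spell out that chain (IDT gate -> asm_int80_emulation -> int80_emulation -> do_int80_emulation) in the kernel-doc comment, so nobody later "fixes" the apparently unused declaration.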
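Review bot: The CLEAR_BRANCH_HISTORY added after `cld` in entry_SYSENTER_compat (entry_64_compat.S hunk @@ -114,6 +114,8 @@) is placed before any C routine is reached, as the new comment block requires, but this patch touches only the SYSENTER entry; entry_SYSCALL_compat, whose tail (`sysret32_from_system_call`, CLEAR_CPU_BUFFERS, sysretl) appears only as context in the next hunk, is not modified. A backporter should confirm that path already carries CLEAR_BRANCH_HISTORY in this tree; the asm removed in 5/8 shows the macro was already present, so that is plausible, but the backport note should say it was checked.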
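Review bot: In the new SYM_CODE_START(int80_emulation) trampoline (entry_64_compat.S hunk @@ -330,3 +332,17 @@), ANNOTATE_NOENDBR is justified only because the symbol is reached by a direct call from the generated asm_int80_emulation stub and never through an indirect branch; that reasoning belongs in the comment block. The same comment should note that IBRS_ENTER and UNTRAIN_RET, which the asm removed in 5/8 ran alongside CLEAR_BRANCH_HISTORY, are deliberately not repeated here because the common idtentry entry path has already performed them before this code runs. The tail `jmp do_int80_emulation` (rather than a call) is correct: do_int80_emulation returns straight to the stub's exit path.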
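Review bot: The `extern void clear_bhb_loop(void);` added under CONFIG_X86_64 in the nospec-branch.h hunk (@@ -241,6 +241,10 @@) is only a prototype; neither the clear_bhb_loop body nor the CLEAR_BRANCH_HISTORY macro is part of this patch, so the backport depends on both already existing in the tree. The removed entry_INT80_compat in 5/8 used CLEAR_BRANCH_HISTORY, which confirms the macro is present; the backport note should state that the prototype merely matches the existing symbol and introduces no new code path.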