From patchwork Mon Aug 26 15:01:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976872 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wsv5s2vnnz1yZd for ; Tue, 27 Aug 2024 01:01:52 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1sibDz-00027B-VS; Mon, 26 Aug 2024 15:01:44 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1sibDx-00026e-MS for kernel-team@lists.ubuntu.com; Mon, 26 Aug 2024 15:01:41 +0000 Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 427E83F6B5 for ; Mon, 26 Aug 2024 15:01:41 +0000 (UTC) Received: by mail-pl1-f198.google.com with SMTP id d9443c01a7336-203a142c31dso36319475ad.3 for ; Mon, 26 Aug 2024 08:01:41 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724684498; x=1725289298; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UzNBmxnZBQznJl8AkOO/aPMinGHAEqPMwebWJdRqdFo=; b=ky2JmQp0dygMDlf1ebsgIUBgsqU2fy90tAkoF2g34NSr2m/hbRMXFcGG/yKhuS1g5z cEfXZ2Y7xvMZALKmRKJoYaKGMHY/KiEbPYUS1osQk8r7FlfczufvK0ICVlvYe+F3CWSP G34YokZP6GKSk5QFkVPU+050/XwlBMeDD9qDHvvfHg0LZQzoKnw8lB/hbRHLTpg96FA7 G9iFHALX5xd8cKEK0qVeiv/oRVKVLfJnzPlk4GQX3OQ1byCx/09IBQwTDnH66v2rPOf3 dGEvJCHNs9TCELqVLWe8Imoe/Mko4B9hSCqlsQ/n2s8IlDEvvP7N/GTCQILgmTkgPDvf CEnQ== X-Gm-Message-State: AOJu0Yzf9TFH3KcfwjkyjuJcol48KpLMAu2N8HKMWySCVMjyLUUAt5j1 v/Yevi6KtPF4nbdnHxX+c7cv3wBNcx9h7Y5huMC6DRHdO9ZRJNIMAVtQN6FKq9x+OcvCIZdVAK1 iYo2jmKxOIqLB0KnjQOjWXvF3TxEzB018imwg1MpOx0WZw++BC3UEikV2ecW5tA5hk3wHBzc2Tl eltoA4woU6bTZa X-Received: by 2002:a17:903:32d0:b0:202:49ea:b6f4 with SMTP id d9443c01a7336-2039e4dc06fmr110042105ad.37.1724684498519; Mon, 26 Aug 2024 08:01:38 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFvC2HwE6jWg83uLjuZpyLgVAmuLTwCeI82x3G8v1ne7BkDFFvKovyhiznfxkCaeP0Gwjya6w== X-Received: by 2002:a17:903:32d0:b0:202:49ea:b6f4 with SMTP id d9443c01a7336-2039e4dc06fmr110041705ad.37.1724684497922; Mon, 26 Aug 2024 08:01:37 -0700 (PDT) Received: from cache-ubuntu.hsd1.nj.comcast.net ([2001:67c:1562:8007::aac:4795]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2038556667bsm68731295ad.7.2024.08.26.08.01.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 26 Aug 2024 08:01:37 -0700 (PDT) 
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 1/8] x86: Fix misspelled Kconfig symbols Date: Mon, 26 Aug 2024 11:01:18 -0400 Message-Id: <20240826150125.1347359-2-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Lukas Bulwahn Fix misspelled Kconfig symbols as detected by scripts/checkkconfigsymbols.py. [ bp: Combine into a single patch. ] Signed-off-by: Lukas Bulwahn Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210803113531.30720-7-lukas.bulwahn@gmail.com (cherry picked from commit 6bf8a55d8344df1f61a29b18c398bcdf3539e163) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/ia32.h | 2 +- arch/x86/include/asm/irq_stack.h | 2 +- arch/x86/include/asm/page_32.h | 2 +- arch/x86/include/asm/uaccess.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index 2c5f7861d373c..fada857f0a1ed 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h @@ -68,6 +68,6 @@ extern void ia32_pick_mmap_layout(struct mm_struct *mm); #endif -#endif /* !CONFIG_IA32_SUPPORT */ +#endif /* CONFIG_IA32_EMULATION */ #endif /* _ASM_X86_IA32_H */ diff --git a/arch/x86/include/asm/irq_stack.h b/arch/x86/include/asm/irq_stack.h index e087cd7837c31..22c5aa03ac77b 100644 --- a/arch/x86/include/asm/irq_stack.h +++ b/arch/x86/include/asm/irq_stack.h 
@@ -58,7 +58,7 @@ * the output constraints to make the compiler aware that R11 cannot be * reused after the asm() statement. * - * For builds with CONFIG_UNWIND_FRAME_POINTER ASM_CALL_CONSTRAINT is + * For builds with CONFIG_UNWINDER_FRAME_POINTER, ASM_CALL_CONSTRAINT is * required as well as this prevents certain creative GCC variants from * misplacing the ASM code. * diff --git a/arch/x86/include/asm/page_32.h b/arch/x86/include/asm/page_32.h index 94dbd51df58f8..b13f8488ac854 100644 --- a/arch/x86/include/asm/page_32.h +++ b/arch/x86/include/asm/page_32.h @@ -43,7 +43,7 @@ static inline void copy_page(void *to, void *from) { memcpy(to, from, PAGE_SIZE); } -#endif /* CONFIG_X86_3DNOW */ +#endif /* CONFIG_X86_USE_3DNOW */ #endif /* !__ASSEMBLY__ */ #endif /* _ASM_X86_PAGE_32_H */ diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 3616fd4ba3953..09b4958f5e474 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h 
@@ -412,7 +412,7 @@ do { \ : [umem] "m" (__m(addr)), \ [efault] "i" (-EFAULT), "0" (err)) -#endif // CONFIG_CC_ASM_GOTO_OUTPUT +#endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT #ifdef CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT #define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \
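Review bot: The ia32.h hunk is the one this backport actually depends on: it turns `-#endif /* !CONFIG_IA32_SUPPORT */` into `+#endif /* CONFIG_IA32_EMULATION */`, and that corrected line is exactly the context line patch 2/8 of this series removes, so the cherry-pick is needed for 2/8 to apply cleanly rather than for CVE-2024-25744 itself; say so in the backport note so a later rebase does not drop it as a cosmetic change.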
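Review bot: For the uaccess.h hunk, confirm the renamed comment matches the guard it closes: the new `+#endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT` sits directly before `#ifdef CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT`, which uses the same CONFIG_CC_HAS_ prefix, so the spelling is consistent with its neighbour. Like the other three hunks it touches comments only and has no effect on generated code, which is worth stating in the backport note.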
From patchwork Mon Aug 26 15:01:19 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976874
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 2/8] x86: Introduce ia32_enabled() Date: Mon, 26 Aug 2024 11:01:19 -0400 Message-Id: <20240826150125.1347359-3-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Nikolay Borisov IA32 support on 64bit kernels depends on whether CONFIG_IA32_EMULATION is selected or not. As it is a compile time option it doesn't provide the flexibility to have distributions set their own policy for IA32 support and give the user the flexibility to override it. As a first step introduce ia32_enabled() which abstracts whether IA32 compat is turned on or off. Upcoming patches will implement the ability to set IA32 compat state at boot time. Signed-off-by: Nikolay Borisov Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20230623111409.3047467-2-nik.borisov@suse.com (cherry picked from commit 1da5c9bc119d3a749b519596b93f9b2667e93c4a) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 4 ++++ arch/x86/include/asm/ia32.h | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index e160f502d1dcf..3ea32cbca6513 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -96,6 +96,10 @@ static __always_inline int syscall_32_enter(struct pt_regs *regs) return (int)regs->orig_ax; } +#ifdef CONFIG_IA32_EMULATION +bool __ia32_enabled __ro_after_init = true; +#endif + /* * Invoke a 32-bit syscall. Called with IRQs on in CONTEXT_KERNEL. */ 
diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index fada857f0a1ed..5a2ae24b1204f 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h 
@@ -68,6 +68,20 @@ extern void ia32_pick_mmap_layout(struct mm_struct *mm); #endif -#endif /* CONFIG_IA32_EMULATION */ +extern bool __ia32_enabled; + +static inline bool ia32_enabled(void) +{ + return __ia32_enabled; +} + +#else /* !CONFIG_IA32_EMULATION */ + +static inline bool ia32_enabled(void) +{ + return IS_ENABLED(CONFIG_X86_32); +} + +#endif #endif /* _ASM_X86_IA32_H */
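Review bot: In the common.c hunk, `bool __ia32_enabled __ro_after_init = true;` is defined with no prior declaration in this file; the `extern bool __ia32_enabled;` lives in the ia32.h hunk, so common.c has to include that header or sparse will flag the non-static definition. `__ro_after_init` is the right annotation: the flag is frozen once init completes, which means whatever later clears it (the ia32_disable() caller added in 4/8) must run from __init context, and a reviewer of the later patches should check that.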
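Review bot: The ia32.h hunk drops the comment that 1/8 just fixed: `-#endif /* CONFIG_IA32_EMULATION */` is replaced by a bare `+#endif` at the end of the new block, right next to the unrelated `#endif /* _ASM_X86_IA32_H */`. Keep `/* CONFIG_IA32_EMULATION */` on it so the two guards stay distinguishable. The `#else` branch returning `IS_ENABLED(CONFIG_X86_32)` is correct: callers can use ia32_enabled() unconditionally and get true on a native 32-bit kernel and false on a 64-bit kernel built without IA32_EMULATION.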
From patchwork Mon Aug 26 15:01:20 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976875
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 3/8] x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c Date: Mon, 26 Aug 2024 11:01:20 -0400 Message-Id: <20240826150125.1347359-4-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Kuppuswamy Sathyanarayanan Both Intel TDX and AMD SEV implement memory encryption features. But the bulk of the code in mem_encrypt.c is AMD-specific. Rename the file to mem_encrypt_amd.c. A subsequent patch will extract the parts that can be shared by both TDX and AMD SEV/SME into a generic file. No functional changes. Signed-off-by: Kuppuswamy Sathyanarayanan Signed-off-by: Kirill A. Shutemov Signed-off-by: Borislav Petkov Reviewed-by: Tony Luck Reviewed-by: Tom Lendacky Tested-by: Tom Lendacky Link: https://lore.kernel.org/r/20211206135505.75045-3-kirill.shutemov@linux.intel.com (cherry picked from commit dbca5e1a04f8b30aea4e2c91e5045ee6e7c3ef43) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/mm/Makefile | 8 ++++---- arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} | 0 2 files changed, 4 insertions(+), 4 deletions(-) rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (100%) diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index 5864219221ca8..c9c4806411536 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile 
@@ -1,10 +1,10 @@ # SPDX-License-Identifier: GPL-2.0 # Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c KCOV_INSTRUMENT_tlb.o := n -KCOV_INSTRUMENT_mem_encrypt.o := n +KCOV_INSTRUMENT_mem_encrypt_amd.o := n KCOV_INSTRUMENT_mem_encrypt_identity.o := n -KASAN_SANITIZE_mem_encrypt.o := n +KASAN_SANITIZE_mem_encrypt_amd.o := n KASAN_SANITIZE_mem_encrypt_identity.o := n # Disable KCSAN entirely, because otherwise we get warnings that some functions @@ -12,7 +12,7 @@ KASAN_SANITIZE_mem_encrypt_identity.o := n KCSAN_SANITIZE := n ifdef CONFIG_FUNCTION_TRACER -CFLAGS_REMOVE_mem_encrypt.o = -pg +CFLAGS_REMOVE_mem_encrypt_amd.o = -pg CFLAGS_REMOVE_mem_encrypt_identity.o = -pg endif @@ -52,6 +52,6 @@ obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o obj-$(CONFIG_PAGE_TABLE_ISOLATION) += pti.o -obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt.o +obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_amd.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_identity.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_boot.o 
diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt_amd.c similarity index 100% rename from arch/x86/mm/mem_encrypt.c rename to arch/x86/mm/mem_encrypt_amd.c
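Review bot: The three Makefile hunks update every reference in this file (KCOV_INSTRUMENT, KASAN_SANITIZE, CFLAGS_REMOVE and the obj-$(CONFIG_AMD_MEM_ENCRYPT) line), and the untouched comment `# Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c` still covers the new name through its wildcard. Since the diffstat shows only arch/x86/mm changing and the rename is 100% similarity, the remaining thing to check is whether anything outside this directory (MAINTAINERS file patterns, documentation) names mem_encrypt.c explicitly; if so it should be updated in this same patch rather than left stale.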
From patchwork Mon Aug 26 15:01:21 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976876
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 4/8] x86/coco: Disable 32-bit emulation by default on TDX and SEV Date: Mon, 26 Aug 2024 11:01:21 -0400 Message-Id: <20240826150125.1347359-5-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: "Kirill A. Shutemov" The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The kernel expects to receive a software interrupt as a result of the INT 0x80 instruction. However, an external interrupt on the same vector triggers the same handler. The kernel interprets an external interrupt on vector 0x80 as a 32-bit system call that came from userspace. A VMM can inject external interrupts on any arbitrary vector at any time. This remains true even for TDX and SEV guests where the VMM is untrusted. Put together, this allows an untrusted VMM to trigger int80 syscall handling at any given point. The content of the guest register file at that moment defines what syscall is triggered and its arguments. It opens the guest OS to manipulation from the VMM side. Disable 32-bit emulation by default for TDX and SEV. User can override it with the ia32_emulation=y command line option. [ dhansen: reword the changelog ] Reported-by: Supraja Sridhara Reported-by: Benedict Schlüter Reported-by: Mark Kuhne Reported-by: Andrin Bertschi Reported-by: Shweta Shinde Signed-off-by: Kirill A. Shutemov 
Signed-off-by: Dave Hansen Reviewed-by: Thomas Gleixner Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+: 1da5c9b x86: Introduce ia32_enabled() Cc: # v6.0+ (backported from commit b82a8dbd3d2f4563156f7150c6f2ecab6e960b30) [yuxuan.luo: - mem_encrypt_amd.c: - two trivial conflicts are hard to solve, ignore them and apply the fix. - tdx.c: - Drop the change since TDX is not supported in the tree. ] CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/ia32.h | 7 +++++++ arch/x86/mm/mem_encrypt_amd.c | 11 +++++++++++ 2 files changed, 18 insertions(+) diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index 5a2ae24b1204f..9805629479d96 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h @@ -75,6 +75,11 @@ static inline bool ia32_enabled(void) return __ia32_enabled; } +static inline void ia32_disable(void) +{ + __ia32_enabled = false; +} + #else /* !CONFIG_IA32_EMULATION */ static inline bool ia32_enabled(void) @@ -82,6 +87,8 @@ static inline bool ia32_enabled(void) return IS_ENABLED(CONFIG_X86_32); } +static inline void ia32_disable(void) {} + #endif #endif /* _ASM_X86_IA32_H */ diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c index e29b1418d00c7..20a96183ae7ec 100644 --- a/arch/x86/mm/mem_encrypt_amd.c +++ b/arch/x86/mm/mem_encrypt_amd.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "mm_internal.h" 
@@ -196,6 +197,16 @@ void __init sme_early_init(void) if (sev_active()) swiotlb_force = SWIOTLB_FORCE; + + /* + * The VMM is capable of injecting interrupt 0x80 and triggering the + * compatibility syscall path. + * + * By default, the 32-bit emulation is disabled in order to ensure + * the safety of the VM. + */ + if (sev_status & MSR_AMD64_SEV_ENABLED) + ia32_disable(); } void __init sev_setup_arch(void)
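Review bot: In the ia32.h hunk, ia32_disable() writes `__ia32_enabled = false` with no check of the current state, which is fine given the variable is `__ro_after_init` (2/8): the only legal callers are __init code, and sme_early_init() in the second hunk is one. The empty stub in the `#else /* !CONFIG_IA32_EMULATION */` branch is what lets the call site compile on kernels without IA32 emulation; a one-line comment saying it is intentionally a no-op would help the next reader.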
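Review bot: In the sme_early_init() hunk, `if (sev_status & MSR_AMD64_SEV_ENABLED)` keys off the broadest SEV bit, so plain SEV, SEV-ES and SEV-SNP guests all get 32-bit emulation disabled, which matches the changelog's point that the VMM can inject vector 0x80 regardless of flavour. Two backport points: the `+#include` line has lost its header name in this rendering, so confirm the real patch pulls in the header that declares ia32_disable() (asm/ia32.h, the first hunk of this patch); and the changelog promises an `ia32_emulation=y` override, but nothing up to this point in the series adds that parameter (2/8 says it comes in "upcoming patches"), so either 6/8-8/8 must carry it or this backport leaves SEV guests with no way to turn emulation back on, and the backport note should say which.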
From patchwork Mon Aug 26 15:01:22 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976877
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 5/8] x86/entry: Convert INT 0x80 emulation to IDTENTRY Date: Mon, 26 Aug 2024 11:01:22 -0400 Message-Id: <20240826150125.1347359-6-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Thomas Gleixner There is no real reason to have a separate ASM entry point implementation for the legacy INT 0x80 syscall emulation on 64-bit. IDTENTRY provides all the functionality needed with the only difference that it does not: - save the syscall number (AX) into pt_regs::orig_ax - set pt_regs::ax to -ENOSYS Both can be done safely in the C code of an IDTENTRY before invoking any of the syscall related functions which depend on this convention. Aside of ASM code reduction this prepares for detecting and handling a local APIC injected vector 0x80. [ kirill.shutemov: More verbose comments ] Suggested-by: Linus Torvalds Signed-off-by: Thomas Gleixner Signed-off-by: Kirill A. Shutemov Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+ (backported from commit be5341eb0d43b1e754799498bd2e8756cc167a41) [yuxuan.luo: - entry_64_compat.S: ignore the conflict and remove the macro. - proto.h: ignore the conflict and remove the declarations. ] CVE-2024-25744 
Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 58 ++++++++++++++++- arch/x86/entry/entry_64_compat.S | 106 ------------------------------- arch/x86/include/asm/idtentry.h | 4 ++ arch/x86/include/asm/proto.h | 4 -- arch/x86/kernel/idt.c | 2 +- arch/x86/xen/enlighten_pv.c | 2 +- arch/x86/xen/xen-asm.S | 2 +- 7 files changed, 64 insertions(+), 114 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 3ea32cbca6513..5adc7a17f37c9 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c 
@@ -119,7 +119,62 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, int nr) } } -/* Handles int $0x80 */ +#ifdef CONFIG_IA32_EMULATION +/** + * int80_emulation - 32-bit legacy syscall entry + * + * This entry point can be used by 32-bit and 64-bit programs to perform + * 32-bit system calls. Instances of INT $0x80 can be found inline in + * various programs and libraries. It is also used by the vDSO's + * __kernel_vsyscall fallback for hardware that doesn't support a faster + * entry method. Restarted 32-bit system calls also fall back to INT + * $0x80 regardless of what instruction was originally used to do the + * system call. + * + * This is considered a slow path. It is not used by most libc + * implementations on modern hardware except during process startup. + * + * The arguments for the INT $0x80 based syscall are on stack in the + * pt_regs structure: + * eax: system call number + * ebx, ecx, edx, esi, edi, ebp: arg1 - arg 6 + */ +DEFINE_IDTENTRY_RAW(int80_emulation) +{ + int nr; + + /* Establish kernel context. */ + enter_from_user_mode(regs); + + instrumentation_begin(); + add_random_kstack_offset(); + + /* + * The low level idtentry code pushed -1 into regs::orig_ax + * and regs::ax contains the syscall number. + * + * User tracing code (ptrace or signal handlers) might assume + * that the regs::orig_ax contains a 32-bit number on invoking + * a 32-bit syscall. + * + * Establish the syscall convention by saving the 32bit truncated + * syscall number in regs::orig_ax and by invalidating regs::ax. 
+ */ + regs->orig_ax = regs->ax & GENMASK(31, 0); + regs->ax = -ENOSYS; + + nr = syscall_32_enter(regs); + + local_irq_enable(); + nr = syscall_enter_from_user_mode_work(regs, nr); + do_syscall_32_irqs_on(regs, nr); + + instrumentation_end(); + syscall_exit_to_user_mode(regs); +} +#else /* CONFIG_IA32_EMULATION */ + +/* Handles int $0x80 on a 32bit kernel */ __visible noinstr void do_int80_syscall_32(struct pt_regs *regs) { int nr = syscall_32_enter(regs); @@ -138,6 +193,7 @@ __visible noinstr void do_int80_syscall_32(struct pt_regs *regs) instrumentation_end(); syscall_exit_to_user_mode(regs); } +#endif /* !CONFIG_IA32_EMULATION */ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs) { diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index 4f67e01febc4f..118df23c28d45 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S 
@@ -330,109 +330,3 @@ sysret32_from_system_call: CLEAR_CPU_BUFFERS sysretl SYM_CODE_END(entry_SYSCALL_compat) - -/* - * 32-bit legacy system call entry. - * - * 32-bit x86 Linux system calls traditionally used the INT $0x80 - * instruction. INT $0x80 lands here. - * - * This entry point can be used by 32-bit and 64-bit programs to perform - * 32-bit system calls. Instances of INT $0x80 can be found inline in - * various programs and libraries. It is also used by the vDSO's - * __kernel_vsyscall fallback for hardware that doesn't support a faster - * entry method. Restarted 32-bit system calls also fall back to INT - * $0x80 regardless of what instruction was originally used to do the - * system call. - * - * This is considered a slow path. It is not used by most libc - * implementations on modern hardware except during process startup. - * - * Arguments: - * eax system call number - * ebx arg1 - * ecx arg2 - * edx arg3 - * esi arg4 - * edi arg5 - * ebp arg6 - */ -SYM_CODE_START(entry_INT80_compat) - UNWIND_HINT_ENTRY - /* - * Interrupts are off on entry. - */ - ASM_CLAC /* Do this early to minimize exposure */ - SWAPGS - - /* - * User tracing code (ptrace or signal handlers) might assume that - * the saved RAX contains a 32-bit number when we're invoking a 32-bit - * syscall. Just in case the high bits are nonzero, zero-extend - * the syscall number. (This could almost certainly be deleted - * with no ill effects.) - */ - movl %eax, %eax - - /* switch to thread stack expects orig_ax and rdi to be pushed */ - pushq %rax /* pt_regs->orig_ax */ - pushq %rdi /* pt_regs->di */ - - /* Need to switch before accessing the thread stack. */ - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi - - /* In the Xen PV case we already run on the thread stack. 
*/ - ALTERNATIVE "", "jmp .Lint80_keep_stack", X86_FEATURE_XENPV - - movq %rsp, %rdi - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp - - pushq 6*8(%rdi) /* regs->ss */ - pushq 5*8(%rdi) /* regs->rsp */ - pushq 4*8(%rdi) /* regs->eflags */ - pushq 3*8(%rdi) /* regs->cs */ - pushq 2*8(%rdi) /* regs->ip */ - pushq 1*8(%rdi) /* regs->orig_ax */ - pushq (%rdi) /* pt_regs->di */ -.Lint80_keep_stack: - - pushq %rsi /* pt_regs->si */ - xorl %esi, %esi /* nospec si */ - pushq %rdx /* pt_regs->dx */ - xorl %edx, %edx /* nospec dx */ - pushq %rcx /* pt_regs->cx */ - xorl %ecx, %ecx /* nospec cx */ - pushq $-ENOSYS /* pt_regs->ax */ - pushq %r8 /* pt_regs->r8 */ - xorl %r8d, %r8d /* nospec r8 */ - pushq %r9 /* pt_regs->r9 */ - xorl %r9d, %r9d /* nospec r9 */ - pushq %r10 /* pt_regs->r10*/ - xorl %r10d, %r10d /* nospec r10 */ - pushq %r11 /* pt_regs->r11 */ - xorl %r11d, %r11d /* nospec r11 */ - pushq %rbx /* pt_regs->rbx */ - xorl %ebx, %ebx /* nospec rbx */ - pushq %rbp /* pt_regs->rbp */ - xorl %ebp, %ebp /* nospec rbp */ - pushq %r12 /* pt_regs->r12 */ - xorl %r12d, %r12d /* nospec r12 */ - pushq %r13 /* pt_regs->r13 */ - xorl %r13d, %r13d /* nospec r13 */ - pushq %r14 /* pt_regs->r14 */ - xorl %r14d, %r14d /* nospec r14 */ - pushq %r15 /* pt_regs->r15 */ - xorl %r15d, %r15d /* nospec r15 */ - - UNWIND_HINT_REGS - - cld - - IBRS_ENTER - UNTRAIN_RET - CLEAR_BRANCH_HISTORY - - movq %rsp, %rdi - call do_int80_syscall_32 - jmp swapgs_restore_regs_and_return_to_usermode -SYM_CODE_END(entry_INT80_compat) diff --git a/arch/x86/include/asm/idtentry.h b/arch/x86/include/asm/idtentry.h index 1345088e99025..2ab668956741d 100644 --- a/arch/x86/include/asm/idtentry.h +++ b/arch/x86/include/asm/idtentry.h 
@@ -567,6 +567,10 @@ DECLARE_IDTENTRY_RAW(X86_TRAP_UD, exc_invalid_op); DECLARE_IDTENTRY_RAW(X86_TRAP_BP, exc_int3); DECLARE_IDTENTRY_RAW_ERRORCODE(X86_TRAP_PF, exc_page_fault); +#if defined(CONFIG_IA32_EMULATION) +DECLARE_IDTENTRY_RAW(IA32_SYSCALL_VECTOR, int80_emulation); +#endif + #ifdef CONFIG_X86_MCE #ifdef CONFIG_X86_64 DECLARE_IDTENTRY_MCE(X86_TRAP_MC, exc_machine_check); diff --git a/arch/x86/include/asm/proto.h b/arch/x86/include/asm/proto.h index feed36d44d044..c4d331fe65ffd 100644 --- a/arch/x86/include/asm/proto.h +++ b/arch/x86/include/asm/proto.h @@ -28,10 +28,6 @@ void entry_SYSENTER_compat(void); void __end_entry_SYSENTER_compat(void); void entry_SYSCALL_compat(void); void entry_SYSCALL_compat_safe_stack(void); -void entry_INT80_compat(void); -#ifdef CONFIG_XEN_PV -void xen_entry_INT80_compat(void); -#endif #endif void x86_configure_nx(void); diff --git a/arch/x86/kernel/idt.c b/arch/x86/kernel/idt.c index df0fa695bb09c..b9e806ac1de77 100644 --- a/arch/x86/kernel/idt.c +++ b/arch/x86/kernel/idt.c @@ -109,7 +109,7 @@ static const __initconst struct idt_data def_idts[] = { SYSG(X86_TRAP_OF, asm_exc_overflow), #if defined(CONFIG_IA32_EMULATION) - SYSG(IA32_SYSCALL_VECTOR, entry_INT80_compat), + SYSG(IA32_SYSCALL_VECTOR, asm_int80_emulation), #elif defined(CONFIG_X86_32) SYSG(IA32_SYSCALL_VECTOR, entry_INT80_32), #endif diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c index 998db0257e2ad..47aabc173b108 100644 --- a/arch/x86/xen/enlighten_pv.c +++ b/arch/x86/xen/enlighten_pv.c @@ -609,7 +609,7 @@ static struct trap_array_entry trap_array[] = { TRAP_ENTRY(exc_int3, false ), TRAP_ENTRY(exc_overflow, false ), #ifdef CONFIG_IA32_EMULATION - { entry_INT80_compat, xen_entry_INT80_compat, false }, + TRAP_ENTRY(int80_emulation, false ), #endif TRAP_ENTRY(exc_page_fault, false ), TRAP_ENTRY(exc_divide_error, false ), diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S index 1b757a1ee1bb6..56f2407564c2a 100644 
--- a/arch/x86/xen/xen-asm.S +++ b/arch/x86/xen/xen-asm.S 
@@ -151,7 +151,7 @@ xen_pv_trap asm_xenpv_exc_machine_check #endif /* CONFIG_X86_MCE */ xen_pv_trap asm_exc_simd_coprocessor_error #ifdef CONFIG_IA32_EMULATION -xen_pv_trap entry_INT80_compat +xen_pv_trap asm_int80_emulation #endif xen_pv_trap asm_exc_xen_unknown_trap xen_pv_trap asm_exc_xen_hypervisor_callback From patchwork Mon Aug 26 15:01:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976878 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wsv671y3Gz1yfF for ; Tue, 27 Aug 2024 01:02:07 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1sibEE-0002Md-Ji; Mon, 26 Aug 2024 15:01:58 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1sibEB-0002Gm-0U for kernel-team@lists.ubuntu.com; Mon, 26 Aug 2024 15:01:55 +0000 Received: from mail-pl1-f197.google.com (mail-pl1-f197.google.com [209.85.214.197]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id D49463F078 for ; Mon, 26 Aug 2024 15:01:54 +0000 (UTC) 
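Review bot: in the entry_64_compat.S hunk, the deleted entry_INT80_compat carried explicit hardening (the `xorl` nospec register clears, IBRS_ENTER, UNTRAIN_RET and CLEAR_BRANCH_HISTORY) that has no visible counterpart in the DEFINE_IDTENTRY_RAW(int80_emulation) body added to common.c. The register clearing, IBRS entry and RET untraining are presumably supplied by the shared idtentry prologue behind the asm_int80_emulation stub that idt.c and xen-asm.S now point at, but that prologue is not in this diff, and nothing in this patch re-establishes CLEAR_BRANCH_HISTORY on the INT 0x80 path; within this series the 32-bit INT 0x80 entry is therefore without the BHB clearing until 8/8 reintroduces it. Suggest the commit message state both facts explicitly (what the idtentry prologue is relied on for, and that the branch-history clearing is restored by a later patch) so a backport reviewer can verify the prologue in this tree matches the deleted asm. Minor style point: idtentry.h uses `#if defined(CONFIG_IA32_EMULATION)` while the new common.c code uses `#ifdef CONFIG_IA32_EMULATION`; either works, but the new code should pick one.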
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 6/8] x86/entry: Do not allow external 0x80 interrupts Date: Mon, 26 Aug 2024 11:01:23 -0400 Message-Id: <20240826150125.1347359-7-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Thomas Gleixner The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The kernel expects to receive a software interrupt as a result of the INT 0x80 instruction. However, an external interrupt on the same vector also triggers the same codepath. An external interrupt on vector 0x80 will currently be interpreted as a 32-bit system call, and assuming that it was a user context. Panic on external interrupts on the vector. To distinguish software interrupts from external ones, the kernel checks the APIC ISR bit relevant to the 0x80 vector. For software interrupts, this bit will be 0. Signed-off-by: Thomas Gleixner Signed-off-by: Kirill A. Shutemov Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+ (cherry picked from commit 55617fb991df535f953589586468612351575704) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 5adc7a17f37c9..d1594b4acf485 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -25,6 +25,7 @@ #include #endif +#include #include #include #include 
@@ -120,6 +121,25 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, int nr) } #ifdef CONFIG_IA32_EMULATION +static __always_inline bool int80_is_external(void) +{ + const unsigned int offs = (0x80 / 32) * 0x10; + const u32 bit = BIT(0x80 % 32); + + /* The local APIC on XENPV guests is fake */ + if (cpu_feature_enabled(X86_FEATURE_XENPV)) + return false; + + /* + * If vector 0x80 is set in the APIC ISR then this is an external + * interrupt. Either from broken hardware or injected by a VMM. + * + * Note: In guest mode this is only valid for secure guests where + * the secure module fully controls the vAPIC exposed to the guest. + */ + return apic_read(APIC_ISR + offs) & bit; +} + /** * int80_emulation - 32-bit legacy syscall entry * 
@@ -143,12 +163,27 @@ DEFINE_IDTENTRY_RAW(int80_emulation) { int nr; - /* Establish kernel context. */ + /* Kernel does not use INT $0x80! */ + if (unlikely(!user_mode(regs))) { + irqentry_enter(regs); + instrumentation_begin(); + panic("Unexpected external interrupt 0x80\n"); + } + + /* + * Establish kernel context for instrumentation, including for + * int80_is_external() below which calls into the APIC driver. + * Identical for soft and external interrupts. + */ enter_from_user_mode(regs); instrumentation_begin(); add_random_kstack_offset(); + /* Validate that this is a soft interrupt to the extent possible */ + if (unlikely(int80_is_external())) + panic("Unexpected external interrupt 0x80\n"); + /* * The low level idtentry code pushed -1 into regs::orig_ax * and regs::ax contains the syscall number. From patchwork Mon Aug 26 15:01:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976879 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wsv671xjqz1yZd for ; Tue, 27 Aug 2024 01:02:07 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1sibEE-0002N6-O9; Mon, 26 Aug 2024 15:01:58 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) 
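Review bot: in the first common.c hunk the added `#include` line carries no header name in this archived copy (an angle-bracket include is easily swallowed by the rendering), so the diff as shown does not let a reviewer confirm which header supplies `apic_read()` and `APIC_ISR` used by int80_is_external(); please check the applied patch has the intended include. On the logic in the DEFINE_IDTENTRY_RAW hunk, the two checks are correctly fail-closed and correctly ordered: `!user_mode(regs)` handles a vector 0x80 arrival from kernel context before enter_from_user_mode() is called (which must not run on a kernel-mode frame), and int80_is_external() then rejects a user-mode arrival whose APIC ISR bit for vector 0x80 is set, so a spurious or VMM-injected external interrupt panics instead of being executed as a 32-bit syscall with whatever register state the interrupted context happened to have. Two caveats the code comment already hints at deserve a sentence in the commit message: on XENPV the helper returns false unconditionally, so the check is a no-op there, and for non-secure guests the vAPIC is VMM-controlled, so the ISR read is only authoritative where the secure module owns the vAPIC. The `offs`/`bit` arithmetic (`(0x80 / 32) * 0x10` and `BIT(0x80 % 32)`) selects the fifth 32-bit ISR register and its bit 0, which is the right slot for vector 0x80.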
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 7/8] x86/entry: Add do_SYSENTER_32() prototype Date: Mon, 26 Aug 2024 11:01:24 -0400 Message-Id: <20240826150125.1347359-8-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Arnd Bergmann The 32-bit system call entry points can be called on both 32-bit and 64-bit kernels, but on the former the declarations are hidden: arch/x86/entry/common.c:238:24: error: no previous prototype for 'do_SYSENTER_32' [-Werror=missing-prototypes] Move them all out of the #ifdef block to avoid the warnings. Signed-off-by: Arnd Bergmann Signed-off-by: Dave Hansen Reviewed-by: Alexander Lobakin Link: https://lore.kernel.org/all/20230516193549.544673-12-arnd%40kernel.org (cherry picked from commit f34f0d3c10eb4d3160fc6fe7a2482cb78d3b0c12) CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/syscall.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index 825528bf0daf5..e873e95ff6bfc 100644 --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h
@@ -158,9 +158,11 @@ static inline int syscall_get_arch(struct task_struct *task) } void do_syscall_64(struct pt_regs *regs, int nr); -void do_int80_syscall_32(struct pt_regs *regs); -long do_fast_syscall_32(struct pt_regs *regs); #endif /* CONFIG_X86_32 */ +void do_int80_syscall_32(struct pt_regs *regs); +long do_fast_syscall_32(struct pt_regs *regs); +long do_SYSENTER_32(struct pt_regs *regs); + #endif /* _ASM_X86_SYSCALL_H */ From patchwork Mon Aug 26 15:01:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1976880 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wsv6B32Wjz1yZd for ; Tue, 27 Aug 2024 01:02:10 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1sibEJ-0002Xq-5T; Mon, 26 Aug 2024 15:02:03 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1sibEG-0002Rv-OD for kernel-team@lists.ubuntu.com; Mon, 26 Aug 2024 15:02:00 +0000 Received: from mail-pl1-f200.google.com (mail-pl1-f200.google.com [209.85.214.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by 
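Review bot: consistency point on the syscall.h hunk: after this move `do_int80_syscall_32()` is declared for every configuration, while 5/8 in this same series compiles its definition only in the `#else /* CONFIG_IA32_EMULATION */` branch of common.c, so on 64-bit IA32_EMULATION builds the prototype has no definition behind it. An unused prototype is harmless, and moving the declarations out of the `CONFIG_X86_32` guard is exactly what silences the quoted -Werror=missing-prototypes error on 32-bit, but a one-line comment above the three 32-bit entry prototypes saying which are live on 64-bit would spare the next reader a grep. The added `do_SYSENTER_32()` prototype matches the error quoted in the commit message.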
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 8/8] x86/bhi: Add support for clearing branch history at syscall entry Date: Mon, 26 Aug 2024 11:01:25 -0400 Message-Id: <20240826150125.1347359-9-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240826150125.1347359-1-yuxuan.luo@canonical.com> References: <20240826150125.1347359-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Pawan Gupta Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Alder Lake and new processors support a hardware control BHI_DIS_S to mitigate BHI. For older processors Intel has released a software sequence to clear the branch history on parts that don't support BHI_DIS_S. Add support to execute the software sequence at syscall entry and VMexit to overwrite the branch history. For now, branch history is not cleared at interrupt entry, as malicious applications are not believed to have sufficient control over the registers, since previous register state is cleared at interrupt entry. Researchers continue to poke at this area and it may become necessary to clear at interrupt entry as well in the future. This mitigation is only defined here. It is enabled later. Signed-off-by: Pawan Gupta Co-developed-by: Daniel Sneddon Signed-off-by: Daniel Sneddon 
Signed-off-by: Thomas Gleixner Reviewed-by: Alexandre Chartre Reviewed-by: Josh Poimboeuf (backported from commit 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5) [yuxuan.luo: Backporting this commit again so that the fixes for CVE-2024-25744 will not make Jammy vulnerable to CVE-2024-2201 Native BHI again. ] CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 4 ++-- arch/x86/entry/entry_64_compat.S | 14 ++++++++++++++ arch/x86/include/asm/syscall.h | 1 + 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index d1594b4acf485..045e6615bf3b6 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -141,7 +141,7 @@ static __always_inline bool int80_is_external(void) } /** - * int80_emulation - 32-bit legacy syscall entry + * do_int80_emulation - 32-bit legacy syscall C entry from asm * * This entry point can be used by 32-bit and 64-bit programs to perform * 32-bit system calls. Instances of INT $0x80 can be found inline in @@ -159,7 +159,7 @@ static __always_inline bool int80_is_external(void) * eax: system call number * ebx, ecx, edx, esi, edi, ebp: arg1 - arg 6 */ -DEFINE_IDTENTRY_RAW(int80_emulation) +__visible noinstr void do_int80_emulation(struct pt_regs *regs) { int nr; diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index 118df23c28d45..c681d4767bd64 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S 
@@ -330,3 +330,17 @@ sysret32_from_system_call: CLEAR_CPU_BUFFERS sysretl SYM_CODE_END(entry_SYSCALL_compat) + +/* + * int 0x80 is used by 32 bit mode as a system call entry. Normally idt entries + * point to C routines, however since this is a system call interface the branch + * history needs to be scrubbed to protect against BHI attacks, and that + * scrubbing needs to take place in assembly code prior to entering any C + * routines. + */ +SYM_CODE_START(int80_emulation) + ANNOTATE_NOENDBR + UNWIND_HINT_FUNC + CLEAR_BRANCH_HISTORY + jmp do_int80_emulation +SYM_CODE_END(int80_emulation) diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index e873e95ff6bfc..250a01782d6a5 100644 --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h @@ -158,6 +158,7 @@ static inline int syscall_get_arch(struct task_struct *task) } void do_syscall_64(struct pt_regs *regs, int nr); +void do_int80_emulation(struct pt_regs *regs); #endif /* CONFIG_X86_32 */
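Review bot: the upstream commit message's closing line "This mitigation is only defined here. It is enabled later." no longer describes this backport: the tree already has CLEAR_BRANCH_HISTORY wired up and enabled (the asm deleted in 5/8 used it at the old INT 0x80 entry), so the effect of this patch here is to restore the clearing on the path that 5/8 rerouted through DEFINE_IDTENTRY_RAW. Suggest the [yuxuan.luo:] note say that explicitly so a reader does not go looking for a follow-up enablement patch. On the hunks themselves: the new int80_emulation stub in entry_64_compat.S is only reached from the asm_int80_emulation IDT stub that 5/8 pointed idt.c and xen-asm.S at, which is why ANNOTATE_NOENDBR is appropriate (no indirect branch lands on it) and why CLEAR_BRANCH_HISTORY can run before any C code, as the block comment explains; the common.c and syscall.h hunks consistently rename the C body to do_int80_emulation, update the kernel-doc header to match, and put the new prototype inside the non-CONFIG_X86_32 block, keeping it 64-bit only. One thing to double-check for the backport is that the `int80_emulation` symbol declared by DECLARE_IDTENTRY_RAW in idtentry.h (from 5/8) still resolves to this asm stub now that no C function of that name exists, since a stale C declaration with a missing definition would only show up at link time.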