From patchwork Thu Oct 17 20:58:07 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1998763
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] x86/bhi: Avoid warning in #DB handler due to BHI mitigation
Date: Thu, 17 Oct 2024 16:58:07 -0400
Message-ID: <20241017205815.482327-2-yuxuan.luo@canonical.com>
In-Reply-To: <20241017205815.482327-1-yuxuan.luo@canonical.com>
References: <20241017205815.482327-1-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.43.0
List-Id: Kernel team discussions
From: Alexandre Chartre

When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag
set then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
clear_bhb_loop() before the TF flag is cleared. This causes the #DB
handler (exc_debug_kernel()) to issue a warning because single-step is
used outside the entry_SYSENTER_compat() function.

To address this issue, entry_SYSENTER_compat() should use
CLEAR_BRANCH_HISTORY after making sure the TF flag is cleared.

The problem can be reproduced with the following sequence:

  $ cat sysenter_step.c
  int main()
  {
          asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter");
  }

  $ gcc -o sysenter_step sysenter_step.c

  $ ./sysenter_step
  Segmentation fault (core dumped)

The program is expected to crash, and the #DB handler will issue a
warning.

Kernel log:

  WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
  ...
  RIP: 0010:exc_debug_kernel+0xd2/0x160
  ...
  Call Trace:
  <#DB>
  ? show_regs+0x68/0x80
  ? __warn+0x8c/0x140
  ? exc_debug_kernel+0xd2/0x160
  ? report_bug+0x175/0x1a0
  ? handle_bug+0x44/0x90
  ? exc_invalid_op+0x1c/0x70
  ? asm_exc_invalid_op+0x1f/0x30
  ? exc_debug_kernel+0xd2/0x160
  exc_debug+0x43/0x50
  asm_exc_debug+0x1e/0x40
  RIP: 0010:clear_bhb_loop+0x0/0xb0
  ...
  ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d

  [ bp: Massage commit message. ]

Fixes: 7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
Reported-by: Suman Maity
Signed-off-by: Alexandre Chartre
Signed-off-by: Borislav Petkov (AMD)
Reviewed-by: Andrew Cooper
Reviewed-by: Pawan Gupta
Reviewed-by: Josh Poimboeuf
Link: https://lore.kernel.org/r/20240524070459.3674025-1-alexandre.chartre@oracle.com
(backported from commit ac8b270b61d48fcc61f052097777e3b5e11591e0)
[yuxuan.luo: adjusted the context.]
CVE-2024-42240
Signed-off-by: Yuxuan Luo
---
 arch/x86/entry/entry_64_compat.S | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index fe6e25951d408..da4d3061ca05d 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S @@ -107,9 +107,6 @@ ENTRY(entry_SYSENTER_compat) xorl %r15d, %r15d /* nospec r15 */ cld - IBRS_ENTER - CLEAR_BRANCH_HISTORY - /* * SYSENTER doesn't filter flags, so we need to clear NT and AC * ourselves. To save a few cycles, we can check whether @@ -139,6 +136,15 @@ ENTRY(entry_SYSENTER_compat) */ TRACE_IRQS_OFF + /* + * CPU bugs mitigations mechanisms can call other functions. They + * should be invoked after making sure TF is cleared because + * single-step is ignored only for instructions inside the + * entry_SYSENTER_compat function. + */ + IBRS_ENTER + CLEAR_BRANCH_HISTORY + movq %rsp, %rdi call do_fast_syscall_32 /* XEN PV guests always use IRET path */
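Review bot: in the first hunk (@@ -107,9 +107,6 @@) IBRS_ENTER is removed together with CLEAR_BRANCH_HISTORY, although the commit message only motivates moving the latter (it is clear_bhb_loop() that appears under asm_exc_debug in the trace); add one sentence to the backport note saying IBRS_ENTER moves as part of the same block to keep the upstream ordering, and confirm that nothing in the NT/AC flag fix-up that now runs ahead of it (the lines between `cld` and the `TRACE_IRQS_OFF` shown as context in the second hunk, which this diff does not display) relies on IBRS already being enabled.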
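Review bot: in the second hunk (@@ -139,6 +136,15 @@) exactly two macros, IBRS_ENTER and CLEAR_BRANCH_HISTORY, are re-added after TRACE_IRQS_OFF, whereas the upstream commit named in the message (ac8b270b61d4) moves three, with UNTRAIN_RET between them; the backport note says only "adjusted the context", so state explicitly that this tree has no UNTRAIN_RET in entry_SYSENTER_compat (or where it sits), so a reviewer can verify that no other mitigation call is left ahead of the popfq that clears TF. The added comment block is upstream's text verbatim; keep it that way rather than fixing "CPU bugs mitigations mechanisms", so the file stays diffable against upstream.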
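The reproducer in the commit message sets TF with pushf/bts/popf and then issues SYSENTER, so the first instruction executed with TF live is inside the kernel entry path. The program below, an added example that is not part of the patch or of the kernel sources, performs the same TF set-up in userspace but stops short of SYSENTER: it installs a SIGTRAP handler, lets exactly one instruction run under single-step, records where the trap lands and that the saved EFLAGS handed to the handler still has TF set (the kernel clears TF only in the live flags while the handler runs), and then clears TF in the ucontext so stepping stops. It assumes Linux on x86-64 with glibc (the REG_RIP/REG_EFL fallback values are glibc's gregs[] indices); the names single_step_once, first_trap_rip and first_trap_had_tf are my own, and on other architectures the asm is compiled out and no trap occurs.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Added example, not from the patch or the kernel tree: userspace view of
 * the trap flag that the commit's reproducer sets before SYSENTER. */

#define X86_EFLAGS_TF (1UL << 8)        /* trap flag: bit 8 of EFLAGS */

/* glibc exposes these gregs[] indices only under _GNU_SOURCE; the fallback
 * values are the x86-64 ones from <sys/ucontext.h> (assumption: glibc). */
#ifndef REG_RIP
#define REG_RIP 16
#endif
#ifndef REG_EFL
#define REG_EFL 17
#endif

static volatile sig_atomic_t trap_count;   /* SIGTRAPs delivered */
static volatile uintptr_t trap_rip;        /* RIP in the first trap's saved context */
static volatile int trap_had_tf;           /* was TF set in that saved context? */

static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    trap_count++;
#if defined(__x86_64__)
    if (trap_count == 1) {
        trap_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
        trap_had_tf = (uc->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_TF) != 0;
    }
    /* Clear TF in the interrupted context: sigreturn restores EFLAGS from
     * here, so leaving TF set would single-step every later instruction. */
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_EFLAGS_TF;
#else
    (void)uc;
#endif
}

/* Set TF the way the reproducer does (pushf; bts $8; popf), run one
 * instruction under single-step, and return the number of SIGTRAPs seen.
 * On x86-64 that is exactly 1: popfq does not trap on itself, the nop after
 * it does, and the handler clears TF so the leaq that follows does not.
 * Returns 0 where the asm is compiled out, -1 if the handler cannot be set. */
int single_step_once(uintptr_t *rip_after_nop)
{
    struct sigaction sa, old;
    uintptr_t after_nop = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    trap_count = 0;
    trap_rip = 0;
    trap_had_tf = 0;

#if defined(__x86_64__)
    __asm__ __volatile__(
        "pushfq\n\t"
        "btsq   $8, (%%rsp)\n\t"   /* set TF in the saved RFLAGS image */
        "popfq\n\t"                /* TF live from here; no trap on popfq itself */
        "nop\n\t"                  /* first instruction with TF set: traps after it */
        "1:\n\t"
        "leaq   1b(%%rip), %0\n\t" /* the RIP the trap reports (next instruction) */
        : "=r"(after_nop)
        :
        : "memory", "cc");
#endif

    sigaction(SIGTRAP, &old, NULL);
    if (rip_after_nop)
        *rip_after_nop = after_nop;
    return trap_count;
}

uintptr_t first_trap_rip(void) { return trap_rip; }
int first_trap_had_tf(void) { return trap_had_tf; }

int main(void)
{
    uintptr_t rip = 0;
    int n = single_step_once(&rip);
    printf("SIGTRAPs: %d, trap RIP %#lx, expected %#lx, TF in saved context: %d\n",
           n, (unsigned long)first_trap_rip(), (unsigned long)rip, first_trap_had_tf());
    return 0;
}
```

The nop stands in for the reproducer's sysenter: with TF live, whatever instruction comes next is the one that gets single-stepped, and in the reproducer that is the kernel's entry code. Swapping the nop for sysenter still crashes the process, as the commit message says it should; the point of the patch is only that the resulting #DB no longer lands in clear_bhb_loop() outside entry_SYSENTER_compat().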