projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 67d0dc37 GKH |
1 | From 8e1eb3fa009aa7c0b944b3c8b26b07de0efb3200 Mon Sep 17 00:00:00 2001 |
| 2 | From: Dan Williams <dan.j.williams@intel.com> | |
| 3 | Date: Mon, 5 Feb 2018 17:18:05 -0800 | |
| 4 | Subject: x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface | |
| 5 | ||
| 6 | From: Dan Williams <dan.j.williams@intel.com> | |
| 7 | ||
| 8 | commit 8e1eb3fa009aa7c0b944b3c8b26b07de0efb3200 upstream. | |
| 9 | ||
| 10 | At entry userspace may have (maliciously) populated the extra registers | |
| 11 | outside the syscall calling convention with arbitrary values that could | |
| 12 | be useful in a speculative execution (Spectre style) attack. | |
| 13 | ||
| 14 | Clear these registers to minimize the kernel's attack surface. | |
| 15 | ||
| 16 | Note, this only clears the extra registers and not the unused | |
| 17 | registers for syscalls less than 6 arguments, since those registers are | |
| 18 | likely to be clobbered well before their values could be put to use | |
| 19 | under speculation. | |
| 20 | ||
| 21 | Note, Linus found that the XOR instructions can be executed with | |
| 22 | minimized cost if interleaved with the PUSH instructions, and Ingo's | |
| 23 | analysis found that R10 and R11 should be included in the register | |
| 24 | clearing beyond the typical 'extra' syscall calling convention | |
| 25 | registers. | |
| 26 | ||
| 27 | Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> | |
| 28 | Reported-by: Andi Kleen <ak@linux.intel.com> | |
| 29 | Signed-off-by: Dan Williams <dan.j.williams@intel.com> | |
| 30 | Cc: <stable@vger.kernel.org> | |
| 31 | Cc: Andy Lutomirski <luto@kernel.org> | |
| 32 | Cc: Borislav Petkov <bp@alien8.de> | |
| 33 | Cc: Brian Gerst <brgerst@gmail.com> | |
| 34 | Cc: Denys Vlasenko <dvlasenk@redhat.com> | |
| 35 | Cc: H. Peter Anvin <hpa@zytor.com> | |
| 36 | Cc: Josh Poimboeuf <jpoimboe@redhat.com> | |
| 37 | Cc: Peter Zijlstra <peterz@infradead.org> | |
| 38 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
| 39 | Link: http://lkml.kernel.org/r/151787988577.7847.16733592218894189003.stgit@dwillia2-desk3.amr.corp.intel.com | |
| 40 | [ Made small improvements to the changelog and the code comments. ] | |
| 41 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
| 42 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 43 | ||
| 44 | --- | |
| 45 | arch/x86/entry/entry_64.S | 13 +++++++++++++ | |
| 46 | 1 file changed, 13 insertions(+) | |
| 47 | ||
| 48 | --- a/arch/x86/entry/entry_64.S | |
| 49 | +++ b/arch/x86/entry/entry_64.S | |
| 50 | @@ -231,13 +231,26 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) | |
| 51 | pushq %r8 /* pt_regs->r8 */ | |
| 52 | pushq %r9 /* pt_regs->r9 */ | |
| 53 | pushq %r10 /* pt_regs->r10 */ | |
| 54 | + /* | |
| 55 | + * Clear extra registers that a speculation attack might | |
| 56 | + * otherwise want to exploit. Interleave XOR with PUSH | |
| 57 | + * for better uop scheduling: | |
| 58 | + */ | |
| 59 | + xorq %r10, %r10 /* nospec r10 */ | |
| 60 | pushq %r11 /* pt_regs->r11 */ | |
| 61 | + xorq %r11, %r11 /* nospec r11 */ | |
| 62 | pushq %rbx /* pt_regs->rbx */ | |
| 63 | + xorl %ebx, %ebx /* nospec rbx */ | |
| 64 | pushq %rbp /* pt_regs->rbp */ | |
| 65 | + xorl %ebp, %ebp /* nospec rbp */ | |
| 66 | pushq %r12 /* pt_regs->r12 */ | |
| 67 | + xorq %r12, %r12 /* nospec r12 */ | |
| 68 | pushq %r13 /* pt_regs->r13 */ | |
| 69 | + xorq %r13, %r13 /* nospec r13 */ | |
| 70 | pushq %r14 /* pt_regs->r14 */ | |
| 71 | + xorq %r14, %r14 /* nospec r14 */ | |
| 72 | pushq %r15 /* pt_regs->r15 */ | |
| 73 | + xorq %r15, %r15 /* nospec r15 */ | |
| 74 | UNWIND_HINT_REGS | |
| 75 | ||
| 76 | TRACE_IRQS_OFF |