Commit | Line | Data |
---|---|---|
67d0dc37 GKH |
1 | From 8e1eb3fa009aa7c0b944b3c8b26b07de0efb3200 Mon Sep 17 00:00:00 2001 |
2 | From: Dan Williams <dan.j.williams@intel.com> | |
3 | Date: Mon, 5 Feb 2018 17:18:05 -0800 | |
4 | Subject: x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface | |
5 | ||
6 | From: Dan Williams <dan.j.williams@intel.com> | |
7 | ||
8 | commit 8e1eb3fa009aa7c0b944b3c8b26b07de0efb3200 upstream. | |
9 | ||
10 | At entry userspace may have (maliciously) populated the extra registers | |
11 | outside the syscall calling convention with arbitrary values that could | |
12 | be useful in a speculative execution (Spectre style) attack. | |
13 | ||
14 | Clear these registers to minimize the kernel's attack surface. | |
15 | ||
16 | Note, this only clears the extra registers and not the unused | |
17 | registers for syscalls less than 6 arguments, since those registers are | |
18 | likely to be clobbered well before their values could be put to use | |
19 | under speculation. | |
20 | ||
21 | Note, Linus found that the XOR instructions can be executed with | |
22 | minimized cost if interleaved with the PUSH instructions, and Ingo's | |
23 | analysis found that R10 and R11 should be included in the register | |
24 | clearing beyond the typical 'extra' syscall calling convention | |
25 | registers. | |
26 | ||
27 | Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> | |
28 | Reported-by: Andi Kleen <ak@linux.intel.com> | |
29 | Signed-off-by: Dan Williams <dan.j.williams@intel.com> | |
30 | Cc: <stable@vger.kernel.org> | |
31 | Cc: Andy Lutomirski <luto@kernel.org> | |
32 | Cc: Borislav Petkov <bp@alien8.de> | |
33 | Cc: Brian Gerst <brgerst@gmail.com> | |
34 | Cc: Denys Vlasenko <dvlasenk@redhat.com> | |
35 | Cc: H. Peter Anvin <hpa@zytor.com> | |
36 | Cc: Josh Poimboeuf <jpoimboe@redhat.com> | |
37 | Cc: Peter Zijlstra <peterz@infradead.org> | |
38 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
39 | Link: http://lkml.kernel.org/r/151787988577.7847.16733592218894189003.stgit@dwillia2-desk3.amr.corp.intel.com | |
40 | [ Made small improvements to the changelog and the code comments. ] | |
41 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
42 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
43 | ||
44 | --- | |
45 | arch/x86/entry/entry_64.S | 13 +++++++++++++ | |
46 | 1 file changed, 13 insertions(+) | |
47 | ||
48 | --- a/arch/x86/entry/entry_64.S | |
49 | +++ b/arch/x86/entry/entry_64.S | |
50 | @@ -231,13 +231,26 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) | |
51 | pushq %r8 /* pt_regs->r8 */ | |
52 | pushq %r9 /* pt_regs->r9 */ | |
53 | pushq %r10 /* pt_regs->r10 */ | |
54 | + /* | |
55 | + * Clear extra registers that a speculation attack might | |
56 | + * otherwise want to exploit. Interleave XOR with PUSH | |
57 | + * for better uop scheduling: | |
58 | + */ | |
59 | + xorq %r10, %r10 /* nospec r10 */ | |
60 | pushq %r11 /* pt_regs->r11 */ | |
61 | + xorq %r11, %r11 /* nospec r11 */ | |
62 | pushq %rbx /* pt_regs->rbx */ | |
63 | + xorl %ebx, %ebx /* nospec rbx */ | |
64 | pushq %rbp /* pt_regs->rbp */ | |
65 | + xorl %ebp, %ebp /* nospec rbp */ | |
66 | pushq %r12 /* pt_regs->r12 */ | |
67 | + xorq %r12, %r12 /* nospec r12 */ | |
68 | pushq %r13 /* pt_regs->r13 */ | |
69 | + xorq %r13, %r13 /* nospec r13 */ | |
70 | pushq %r14 /* pt_regs->r14 */ | |
71 | + xorq %r14, %r14 /* nospec r14 */ | |
72 | pushq %r15 /* pt_regs->r15 */ | |
73 | + xorq %r15, %r15 /* nospec r15 */ | |
74 | UNWIND_HINT_REGS | |
75 | ||
76 | TRACE_IRQS_OFF |
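
Review bot: the comment block above `xorq %r10, %r10` calls these "extra registers", but the cleared set includes r10, which carries the fourth syscall argument in the x86-64 syscall convention, and r11. Since each XOR follows the matching `pushq`, the values survive only in pt_regs; the comment should say so explicitly, so that code added after this point does not read the live registers expecting the user-supplied values. The comment could also note why rbx and rbp are cleared with the 32-bit `xorl %ebx, %ebx` form while r10 through r15 use `xorq`, so the mix does not read as an oversight.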