--- /dev/null
+From 51a6fa0732d6be6a44e0032752ad2ac10d67c796 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Fri, 15 Jul 2022 16:45:50 -0300
+Subject: efi/x86: use naked RET on mixed mode call wrapper
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 51a6fa0732d6be6a44e0032752ad2ac10d67c796 upstream.
+
+When running with return thunks enabled under 32-bit EFI, the system
+crashes with:
+
+ kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
+ BUG: unable to handle page fault for address: 000000005bc02900
+ #PF: supervisor instruction fetch in kernel mode
+ #PF: error_code(0x0011) - permissions violation
+ PGD 18f7063 P4D 18f7063 PUD 18ff063 PMD 190e063 PTE 800000005bc02063
+ Oops: 0011 [#1] PREEMPT SMP PTI
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc6+ #166
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:0x5bc02900
+ Code: Unable to access opcode bytes at RIP 0x5bc028d6.
+ RSP: 0018:ffffffffb3203e10 EFLAGS: 00010046
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000048
+ RDX: 000000000190dfac RSI: 0000000000001710 RDI: 000000007eae823b
+ RBP: ffffffffb3203e70 R08: 0000000001970000 R09: ffffffffb3203e28
+ R10: 747563657865206c R11: 6c6977203a696665 R12: 0000000000001710
+ R13: 0000000000000030 R14: 0000000001970000 R15: 0000000000000001
+ FS: 0000000000000000(0000) GS:ffff8e013ca00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0018 ES: 0018 CR0: 0000000080050033
+ CR2: 000000005bc02900 CR3: 0000000001930000 CR4: 00000000000006f0
+ Call Trace:
+ ? efi_set_virtual_address_map+0x9c/0x175
+ efi_enter_virtual_mode+0x4a6/0x53e
+ start_kernel+0x67c/0x71e
+ x86_64_start_reservations+0x24/0x2a
+ x86_64_start_kernel+0xe9/0xf4
+ secondary_startup_64_no_verify+0xe5/0xeb
+
+That's because it cannot jump to the return thunk from the 32-bit code.
+
+Using a naked RET and marking it as safe allows the system to proceed
+booting.
+
+Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Josh Poimboeuf <jpoimboe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/platform/efi/efi_thunk_64.S | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/platform/efi/efi_thunk_64.S
++++ b/arch/x86/platform/efi/efi_thunk_64.S
+@@ -22,6 +22,7 @@
+ #include <linux/linkage.h>
+ #include <asm/page_types.h>
+ #include <asm/segment.h>
++#include <asm/nospec-branch.h>
+
+ .text
+ .code64
+@@ -63,7 +64,9 @@ SYM_CODE_START(__efi64_thunk)
+ 1: movq 24(%rsp), %rsp
+ pop %rbx
+ pop %rbp
+- RET
++ ANNOTATE_UNRET_SAFE
++ ret
++ int3
+
+ .code32
+ 2: pushl $__KERNEL_CS
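Review bot: The naked `ret` added after `pop %rbp` is now outside return-thunk coverage, and `ANNOTATE_UNRET_SAFE` only tells objtool to accept that; nothing in the code itself records why the `jmp __x86_return_thunk` that the `RET` macro expands to is unusable here, so a later cleanup could easily switch it back. Suggest a comment directly above the annotation, e.g. `/* __x86_return_thunk is unreachable from this code path (see commit 51a6fa0732d6); the naked RET is deliberate. */`. The trailing `int3` preserves the straight-line-speculation stop that `RET` would otherwise have supplied, which is worth naming in the same comment. `__efi64_thunk` begins and the `.code32` part continues outside the hunk.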
--- /dev/null
+From 79629181607e801c0b41b8790ac4ee2eb5d7bc3e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 15 Jul 2022 07:34:55 -0400
+Subject: KVM: emulate: do not adjust size of fastop and setcc subroutines
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 79629181607e801c0b41b8790ac4ee2eb5d7bc3e upstream.
+
+Instead of doing complicated calculations to find the size of the subroutines
+(which are even more complicated because they need to be stringified into
+an asm statement), just hardcode to 16.
+
+It is less dense for a few combinations of IBT/SLS/retbleed, but it has
+the advantage of being really simple.
+
+Cc: stable@vger.kernel.org # 5.15.x: 84e7051c0bc1: x86/kvm: fix FASTOP_SIZE when return thunks are enabled
+Cc: stable@vger.kernel.org
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -187,13 +187,6 @@
+ #define X8(x...) X4(x), X4(x)
+ #define X16(x...) X8(x), X8(x)
+
+-#define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
+-#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \
+- IS_ENABLED(CONFIG_SLS))
+-#define FASTOP_LENGTH (ENDBR_INSN_SIZE + 7 + RET_LENGTH)
+-#define FASTOP_SIZE (8 << ((FASTOP_LENGTH > 8) & 1) << ((FASTOP_LENGTH > 16) & 1))
+-static_assert(FASTOP_LENGTH <= FASTOP_SIZE);
+-
+ struct opcode {
+ u64 flags : 56;
+ u64 intercept : 8;
+@@ -307,9 +300,15 @@ static void invalidate_registers(struct
+ * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
+ * different operand sizes can be reached by calculation, rather than a jump
+ * table (which would be bigger than the code).
++ *
++ * The 16 byte alignment, considering 5 bytes for the RET thunk, 3 for ENDBR
++ * and 1 for the straight line speculation INT3, leaves 7 bytes for the
++ * body of the function. Currently none is larger than 4.
+ */
+ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
+
++#define FASTOP_SIZE 16
++
+ #define __FOP_FUNC(name) \
+ ".align " __stringify(FASTOP_SIZE) " \n\t" \
+ ".type " name ", @function \n\t" \
+@@ -441,9 +440,7 @@ static int fastop(struct x86_emulate_ctx
+ * RET | JMP __x86_return_thunk [1,5 bytes; CONFIG_RETHUNK]
+ * INT3 [1 byte; CONFIG_SLS]
+ */
+-#define SETCC_LENGTH (3 + RET_LENGTH)
+-#define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1))
+-static_assert(SETCC_LENGTH <= SETCC_ALIGN);
++#define SETCC_ALIGN 16
+
+ #define FOP_SETCC(op) \
+ ".align " __stringify(SETCC_ALIGN) " \n\t" \
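Review bot: The new comment in the second hunk miscounts the fixed overhead: ENDBR64 encodes as four bytes (f3 0f 1e fa), not three, so 5 + 4 + 1 = 10 bytes are spoken for and 6 remain for the body; that still covers the 4-byte bodies the comment mentions, but the stated arithmetic should read `* The 16 byte alignment, considering 5 bytes for the RET thunk, 4 for ENDBR` and `* and 1 for the straight line speculation INT3, leaves 6 bytes for the`. Removing `static_assert(FASTOP_LENGTH <= FASTOP_SIZE)` and `static_assert(SETCC_LENGTH <= SETCC_ALIGN)` also drops the only compile-time check that the fixed parts fit into the hardcoded 16; a cheap replacement next to the new `#define FASTOP_SIZE 16` is `static_assert(ENDBR_INSN_SIZE + 5 + 1 + 4 <= FASTOP_SIZE); /* thunk + int3 + largest body */`, with `ENDBR_INSN_SIZE` already in scope from the lines this hunk removes. Note that this patch removes the `RET_LENGTH`/`FASTOP_LENGTH` macros that commit 84e7051c0bc1 (shown later on this page) introduces, so the apply order is the reverse of the page order, as the `Cc: stable` line in the description indicates.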
--- /dev/null
+From 84e7051c0bc1f2a13101553959b3a9d9a8e24939 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Wed, 13 Jul 2022 14:12:41 -0300
+Subject: x86/kvm: fix FASTOP_SIZE when return thunks are enabled
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 84e7051c0bc1f2a13101553959b3a9d9a8e24939 upstream.
+
+The return thunk call makes the fastop functions larger, just like IBT
+does. Consider a 16-byte FASTOP_SIZE when CONFIG_RETHUNK is enabled.
+
+Otherwise, functions will be incorrectly aligned and when computing their
+position for differently sized operators, they will executed in the middle
+or end of a function, which may as well be an int3, leading to a crash
+like:
+
+[ 36.091116] int3: 0000 [#1] SMP NOPTI
+[ 36.091119] CPU: 3 PID: 1371 Comm: qemu-system-x86 Not tainted 5.15.0-41-generic #44
+[ 36.091120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[ 36.091121] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm]
+[ 36.091185] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc
+[ 36.091186] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202
+[ 36.091188] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000
+[ 36.091188] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200
+[ 36.091189] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 0000000000000002
+[ 36.091190] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70
+[ 36.091190] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000
+[ 36.091191] FS: 00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000
+[ 36.091192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 36.091192] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0
+[ 36.091195] PKRU: 55555554
+[ 36.091195] Call Trace:
+[ 36.091197] <TASK>
+[ 36.091198] ? fastop+0x5a/0xa0 [kvm]
+[ 36.091222] x86_emulate_insn+0x7b8/0xe90 [kvm]
+[ 36.091244] x86_emulate_instruction+0x2f4/0x630 [kvm]
+[ 36.091263] ? kvm_arch_vcpu_load+0x7c/0x230 [kvm]
+[ 36.091283] ? vmx_prepare_switch_to_host+0xf7/0x190 [kvm_intel]
+[ 36.091290] complete_emulated_mmio+0x297/0x320 [kvm]
+[ 36.091310] kvm_arch_vcpu_ioctl_run+0x32f/0x550 [kvm]
+[ 36.091330] kvm_vcpu_ioctl+0x29e/0x6d0 [kvm]
+[ 36.091344] ? kvm_vcpu_ioctl+0x120/0x6d0 [kvm]
+[ 36.091357] ? __fget_files+0x86/0xc0
+[ 36.091362] ? __fget_files+0x86/0xc0
+[ 36.091363] __x64_sys_ioctl+0x92/0xd0
+[ 36.091366] do_syscall_64+0x59/0xc0
+[ 36.091369] ? syscall_exit_to_user_mode+0x27/0x50
+[ 36.091370] ? do_syscall_64+0x69/0xc0
+[ 36.091371] ? syscall_exit_to_user_mode+0x27/0x50
+[ 36.091372] ? __x64_sys_writev+0x1c/0x30
+[ 36.091374] ? do_syscall_64+0x69/0xc0
+[ 36.091374] ? exit_to_user_mode_prepare+0x37/0xb0
+[ 36.091378] ? syscall_exit_to_user_mode+0x27/0x50
+[ 36.091379] ? do_syscall_64+0x69/0xc0
+[ 36.091379] ? do_syscall_64+0x69/0xc0
+[ 36.091380] ? do_syscall_64+0x69/0xc0
+[ 36.091381] ? do_syscall_64+0x69/0xc0
+[ 36.091381] entry_SYSCALL_64_after_hwframe+0x61/0xcb
+[ 36.091384] RIP: 0033:0x7efdfe6d1aff
+[ 36.091390] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
+[ 36.091391] RSP: 002b:00007efdfce8c460 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[ 36.091393] RAX: ffffffffffffffda RBX: 000000000000ae80 RCX: 00007efdfe6d1aff
+[ 36.091393] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 000000000000000c
+[ 36.091394] RBP: 0000558f1609e220 R08: 0000558f13fb8190 R09: 00000000ffffffff
+[ 36.091394] R10: 0000558f16b5e950 R11: 0000000000000246 R12: 0000000000000000
+[ 36.091394] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+[ 36.091396] </TASK>
+[ 36.091397] Modules linked in: isofs nls_iso8859_1 kvm_intel joydev kvm input_leds serio_raw sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ipmi_devintf ipmi_msghandler drm msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net net_failover crypto_simd ahci xhci_pci cryptd psmouse virtio_blk libahci xhci_pci_renesas failover
+[ 36.123271] ---[ end trace db3c0ab5a48fabcc ]---
+[ 36.123272] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm]
+[ 36.123319] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc
+[ 36.123320] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202
+[ 36.123321] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000
+[ 36.123321] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200
+[ 36.123322] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 0000000000000002
+[ 36.123322] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70
+[ 36.123323] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000
+[ 36.123323] FS: 00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000
+[ 36.123324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 36.123325] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0
+[ 36.123327] PKRU: 55555554
+[ 36.123328] Kernel panic - not syncing: Fatal exception in interrupt
+[ 36.123410] Kernel Offset: 0x1400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 36.135305] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Co-developed-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Josh Poimboeuf <jpoimboe@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Message-Id: <20220713171241.184026-1-cascardo@canonical.com>
+Tested-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -187,8 +187,12 @@
+ #define X8(x...) X4(x), X4(x)
+ #define X16(x...) X8(x), X8(x)
+
+-#define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
+-#define FASTOP_SIZE 8
++#define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
++#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \
++ IS_ENABLED(CONFIG_SLS))
++#define FASTOP_LENGTH (ENDBR_INSN_SIZE + 7 + RET_LENGTH)
++#define FASTOP_SIZE (8 << ((FASTOP_LENGTH > 8) & 1) << ((FASTOP_LENGTH > 16) & 1))
++static_assert(FASTOP_LENGTH <= FASTOP_SIZE);
+
+ struct opcode {
+ u64 flags : 56;
+@@ -437,8 +441,6 @@ static int fastop(struct x86_emulate_ctx
+ * RET | JMP __x86_return_thunk [1,5 bytes; CONFIG_RETHUNK]
+ * INT3 [1 byte; CONFIG_SLS]
+ */
+-#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \
+- IS_ENABLED(CONFIG_SLS))
+ #define SETCC_LENGTH (3 + RET_LENGTH)
+ #define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1))
+ static_assert(SETCC_LENGTH <= SETCC_ALIGN);
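Review bot: The `7` in `#define FASTOP_LENGTH (ENDBR_INSN_SIZE + 7 + RET_LENGTH)` is an undocumented magic number; since the surrounding `static_assert` only checks the fixed overhead, a reader has no way to tell what it budgets for. Suggest `/* 7: room for the fastop body itself; keep in sync with the FOP_* definitions */` on the line above it. As a point of style, `(FASTOP_LENGTH > 8) & 1` masks a value that is already 0 or 1, so `8 << (FASTOP_LENGTH > 8) << (FASTOP_LENGTH > 16)` is equivalent and easier to read, though keeping the form matches the existing `SETCC_ALIGN` line in the second hunk. Moving `RET_LENGTH` up so both `FASTOP_LENGTH` and `SETCC_LENGTH` share it is the right call; the `FOP_SETCC` users that depend on `SETCC_ALIGN` lie outside the hunk.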