From: Greg Kroah-Hartman
Date: Wed, 6 Nov 2024 06:08:30 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.19.323~52
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e2d2751cde0dda3f505d2cf7c160fd4dcce1470d;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
x86-bugs-use-code-segment-selector-for-verw-operand.patch
---

diff --git a/queue-5.10/series b/queue-5.10/series
index 0e2fdbfb52e..49dc5fe24b3 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -101,3 +101,4 @@ riscv-use-u-to-format-the-output-of-cpu.patch
 riscv-remove-unused-generating_asm_offsets.patch
 riscv-remove-duplicated-get_rm.patch
 ocfs2-pass-u64-to-ocfs2_truncate_inline-maybe-overfl.patch
+x86-bugs-use-code-segment-selector-for-verw-operand.patch
diff --git a/queue-5.10/x86-bugs-use-code-segment-selector-for-verw-operand.patch b/queue-5.10/x86-bugs-use-code-segment-selector-for-verw-operand.patch
new file mode 100644
index 00000000000..691e211c3ff
--- /dev/null
+++ b/queue-5.10/x86-bugs-use-code-segment-selector-for-verw-operand.patch
@@ -0,0 +1,81 @@
+From e4d2102018542e3ae5e297bc6e229303abff8a0f Mon Sep 17 00:00:00 2001
+From: Pawan Gupta
+Date: Thu, 26 Sep 2024 09:10:31 -0700
+Subject: x86/bugs: Use code segment selector for VERW operand
+
+From: Pawan Gupta
+
+commit e4d2102018542e3ae5e297bc6e229303abff8a0f upstream.
+
+Robert Gill reported below #GP in 32-bit mode when dosemu software was
+executing vm86() system call:
+
+ general protection fault: 0000 [#1] PREEMPT SMP
+ CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
+ Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
+ EIP: restore_all_switch_stack+0xbe/0xcf
+ EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
+ ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
+ DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
+ CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
+ Call Trace:
+ show_regs+0x70/0x78
+ die_addr+0x29/0x70
+ exc_general_protection+0x13c/0x348
+ exc_bounds+0x98/0x98
+ handle_exception+0x14d/0x14d
+ exc_bounds+0x98/0x98
+ restore_all_switch_stack+0xbe/0xcf
+ exc_bounds+0x98/0x98
+ restore_all_switch_stack+0xbe/0xcf
+
+This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS
+are enabled. This is because segment registers with an arbitrary user value
+can result in #GP when executing VERW. Intel SDM vol. 2C documents the
+following behavior for VERW instruction:
+
+ #GP(0) - If a memory operand effective address is outside the CS, DS, ES,
+ FS, or GS segment limit.
+
+CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user
+space. Use %cs selector to reference VERW operand. This ensures VERW will
+not #GP for an arbitrary user %ds.
+
+[ mingo: Fixed the SOB chain. ]
+
+Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition")
+Reported-by: Robert Gill
+Reviewed-by: Andrew Cooper
+Suggested-by: Brian Gerst
+Signed-off-by: Pawan Gupta
+Signed-off-by: Dave Hansen
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/nospec-branch.h | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -199,7 +199,16 @@
+ */
+ .macro CLEAR_CPU_BUFFERS
+ ALTERNATIVE "jmp .Lskip_verw_\@", "", X86_FEATURE_CLEAR_CPU_BUF
+- verw _ASM_RIP(mds_verw_sel)
++#ifdef CONFIG_X86_64
++ verw mds_verw_sel(%rip)
++#else
++ /*
++ * In 32bit mode, the memory operand must be a %cs reference. The data
++ * segments may not be usable (vm86 mode), and the stack segment may not
++ * be flat (ESPFIX32).
++ */
++ verw %cs:mds_verw_sel
++#endif
+ .Lskip_verw_\@:
+ .endm
+
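Review bot: The CONFIG_X86_64 arm of CLEAR_CPU_BUFFERS in the nospec-branch.h hunk carries no comment on why a plain RIP-relative operand is sufficient there, while the 32-bit arm explains its %cs override at length; a reader of the 5.10 tree is left to work out whether the 64-bit return path is still exposed to the #GP the changelog describes. In 64-bit mode the CPU does not perform segment-limit checks on data-segment memory operands, so the SDM `#GP(0)` condition quoted above cannot fire for `verw mds_verw_sel(%rip)` regardless of the user's %ds; suggest `/* 64-bit mode performs no segment-limit checks, so a RIP-relative operand cannot #GP here. */` directly above that line. Worth stating in the same comment that `mds_verw_sel(%rip)` is exactly what `_ASM_RIP(mds_verw_sel)` expanded to on 64-bit, so the 64-bit arm is behaviourally unchanged by this patch and the fix is confined to the 32-bit vm86/ESPFIX32 case.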