x86/ia32/syscall: don't do RESTORE_EXTRA_REGS prematurely

With the recent spectre mitigation changes we save the full pt_regs on
the stack and zero the extra regs. This means that for the sysenter
(and cstar) calling conventions, the pt_regs state for %ebp contains
the user %esp instead of the 6th argument.

For the straight syscall (non-tracing) path we load the real %ebp from
the user-stack and all is well. In the tracing/seccomp path, however, we
do RESTORE_EXTRA_REGS before the syscall, thus clobbering the 6th
argument (which gets replaced with the old %ebp value).

The fix is to RESTORE_EXTRA_REGS only if we are done with syscall
handling. A side benefit is that this mitigation now also extends to
the tracing path.

Orabug: 27461990
CVE: CVE-2017-5715
Signed-off-by: Ankur Arora <ankur.a.arora@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>