x86/ia32/syscall: RESTORE_EXTRA_REGS when returning from syscall
authorAnkur Arora <ankur.a.arora@oracle.com>
Sat, 10 Feb 2018 03:25:21 +0000 (22:25 -0500)
committerJack Vogel <jack.vogel@oracle.com>
Mon, 26 Feb 2018 08:09:12 +0000 (00:09 -0800)
EXTRA_REGS (callee-saved regs) are saved on the kernel stack at entry and
zeroed. Some of these registers might be used in the syscall entry path
and contain kernel state; to avoid leaking this state we restore these
registers as we exit to user-space.

Orabug: 27461990
CVE: CVE-2017-5715

Signed-off-by: Ankur Arora <ankur.a.arora@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
arch/x86/ia32/ia32entry.S

index f7655701e840a57649b67d74925ce6f3b4137e95..6a52527eac060f25e681bde99a186f3ab50843aa 100644 (file)
@@ -210,6 +210,7 @@ sysexit_from_sys_call:
        andl    $~TS_COMPAT,ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
        movl    RIP(%rsp),%ecx          /* User %eip */
        CFI_REGISTER rip,rcx
+       RESTORE_EXTRA_REGS
        RESTORE_RSI_RDI
        xorl    %edx,%edx               /* avoid info leaks */
        xorq    %r8,%r8
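Review bot: The new RESTORE_EXTRA_REGS before RESTORE_RSI_RDI (and the identical additions in the other three hunks: inside the `.endm` macro before `jmp int_with_check`, at sysretl_from_sys_call, and at ia32_ret_from_sys_call) reloads the callee-saved registers from their pt_regs slots, so it only closes the leak if every entry path that can reach these exit labels has already stored the user values into those slots; a path that allocates the frame without filling the extra-reg slots would now copy stale kernel stack contents into user-visible registers, the opposite of the intent. The commit message states the save-and-zero happens at entry, but that invariant is not visible at any of the four sites, so each deserves a comment tying the restore to the save, e.g. `/* extra regs saved+zeroed at entry (SAVE_EXTRA_REGS or equivalent); reload user values before exit */`, so a later entry-path change cannot silently break it. Placement after `movl RIP(%rsp),%ecx` and ahead of the `xorl`/`xorq` scrubbing is consistent with that block's existing "avoid info leaks" intent, since the restore does not touch the registers that are scrubbed afterwards. The sysexit_from_sys_call block begins before this hunk and continues past it, and the macro in the second hunk has its header outside the hunk.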
@@ -291,6 +292,7 @@ sysexit_from_sys_call:
        testl %edi, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
        jz \exit
        CLEAR_RREGS
+       RESTORE_EXTRA_REGS
        jmp int_with_check
        .endm
 
@@ -434,6 +436,7 @@ cstar_dispatch:
        jnz sysretl_audit
 sysretl_from_sys_call:
        andl $~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
+       RESTORE_EXTRA_REGS
        RESTORE_RSI_RDI_RDX
        movl RIP(%rsp),%ecx
        CFI_REGISTER rip,rcx
@@ -578,6 +581,7 @@ ia32_sysret:
        movq %rax,RAX(%rsp)
 ia32_ret_from_sys_call:
        CLEAR_RREGS
+       RESTORE_EXTRA_REGS
        jmp int_ret_from_sys_call
 
 ia32_tracesys: