x86/speculation: Protect against userspace-userspace spectreRSB

The article "Spectre Returns! Speculation Attacks using the Return Stack
Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks,
making use solely of the RSB contents even on CPUs that don't fallback to
BTB on RSB underflow (Skylake+).

Mitigate userspace-userspace attacks by always unconditionally filling RSB on
context switch when the generic spectrev2 mitigation has been enabled.

[1] https://arxiv.org/pdf/1807.07940.pdf

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm
(cherry picked from commit fdf82a7856b32d905c39afc85e34364491e46346)

Orabug: 28631590
CVE: CVE-2018-15572

Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Conflicts:
	arch/x86/kernel/cpu/bugs.c
(UEK4 has the relevant code in arch/x86/kernel/cpu/bugs_64.c.
Also, the upstream patch removes the function is_skylake_era(),
but this patch does not since it is still used in the UEK code)

Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/arch/x86/kernel/cpu/bugs_64.c b/arch/x86/kernel/cpu/bugs_64.c
index 4029abe7a8f6e7cb2fc4e9560bddfe0e5ba638d5..1355b0249a983860294e5e1a6c57efb6484897bf 100644 (file)
--- a/arch/x86/kernel/cpu/bugs_64.c
+++ b/arch/x86/kernel/cpu/bugs_64.c
@@ -664,23 +664,15 @@ display:
 
 out:
        /*
-        * If neither SMEP or KPTI are available, there is a risk of
-        * hitting userspace addresses in the RSB after a context switch
-        * from a shallow call stack to a deeper one. To prevent this fill
-        * the entire RSB, even when using IBRS.
+        * If spectre v2 protection has been enabled, unconditionally fill
+        * RSB during a context switch; this protects against two independent
+        * issues:
         *
-        * Skylake era CPUs have a separate issue with *underflow* of the
-        * RSB, when they will predict 'ret' targets from the generic BTB.
-        * The proper mitigation for this is IBRS. If IBRS is not supported
-        * or deactivated in favour of retpolines the RSB fill on context
-        * switch is required.
+        *      - RSB underflow (and switch to BTB) on Skylake+
+        *      - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
         */
-       if ((mode != SPECTRE_V2_IBRS) &&
-           ((!boot_cpu_has(X86_FEATURE_PTI) &&
-            !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era())) {
-               setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
-               pr_info("Filling RSB on context switch\n");
-       }
+       setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
+       pr_info("Filling RSB on context switch\n");
 
        /* IBRS is unnecessary with retpoline mitigation. */
        if (mode == SPECTRE_V2_RETPOLINE_GENERIC ||