Re-introduce clearing of r12-15, rbp, rbx

Re-introduce the clearing of the extra registers (r12-r15, rbp, rbx)
upon entry into a system call.  This commit ensures that we do not
save the extra registers after they got cleared, because that causes
NULL values to get written in place of the saved values.

Orabug: 27344012
CVE: CVE-2017-5715

Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h
index 1c8b50edb2db3cac8f54c0c300d393b18bf24342..d2a3483d4008263273f6b54fcc4ccdee254acd39 100644 (file)
--- a/arch/x86/include/asm/calling.h
+++ b/arch/x86/include/asm/calling.h
@@ -152,12 +152,12 @@ For 32-bit we have the following conventions - kernel is built with
        .endm
 
        .macro ZERO_EXTRA_REGS
-       xorl    %r15d, %r15d
-       xorl    %r14d, %r14d
-       xorl    %r13d, %r13d
-       xorl    %r12d, %r12d
-       xorl    %ebp, %ebp
-       xorl    %ebx, %ebx
+       xorq    %r15, %r15
+       xorq    %r14, %r14
+       xorq    %r13, %r13
+       xorq    %r12, %r12
+       xorq    %rbp, %rbp
+       xorq    %rbx, %rbx
        .endm
 
        .macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1

diff --git a/arch/x86/kernel/dtrace_syscall_stubs.S b/arch/x86/kernel/dtrace_syscall_stubs.S
index a07f25b926f29c3cb0a6341fc565eec56180d936..6b8252dd1da75c53f1a6e872fc03a793fbac33b7 100644 (file)
--- a/arch/x86/kernel/dtrace_syscall_stubs.S
+++ b/arch/x86/kernel/dtrace_syscall_stubs.S
@@ -116,7 +116,6 @@
 ENTRY(dtrace_stub_\func)
        CFI_STARTPROC
        DEFAULT_FRAME 0, 8
-       SAVE_EXTRA_REGS 8
        jmp dtrace_sys_\func
        CFI_ENDPROC
 END(dtrace_stub_\func)
@@ -160,7 +159,6 @@ END(dtrace_stub_execveat)
 ENTRY(dtrace_stub_rt_sigreturn)
        CFI_STARTPROC
        DEFAULT_FRAME 0, 8
-       SAVE_EXTRA_REGS 8
        call dtrace_sys_rt_sigreturn
        addq    $8, %rsp
        CFI_ADJUST_CFA_OFFSET -8

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index f4e8f19b7629fd42053374aaf4edf00c391525c1..507bf55f518c4e7e85abf30f3d9292bdcdc68dc0 100644 (file)
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -257,6 +257,7 @@ GLOBAL(system_call_after_swapgs)
         * Will restore the callee saved extra regs at end of syscall.
         */
        SAVE_EXTRA_REGS
+       ZERO_EXTRA_REGS
 
        STUFF_RSB
 
@@ -287,6 +288,8 @@ system_call_fastpath:
         */
        DISABLE_INTERRUPTS(CLBR_NONE)
 
+       RESTORE_EXTRA_REGS
+
        /*
         * We must check ti flags with interrupts (or at least preemption)
         * off because we must *never* return to userspace without
@@ -303,7 +306,6 @@ system_call_fastpath:
        movq    RIP(%rsp),%rcx
        CFI_REGISTER    rip,rcx
        movq    EFLAGS(%rsp),%r11
-       RESTORE_EXTRA_REGS
        /*CFI_REGISTER  rflags,r11*/
        RESTORE_C_REGS_EXCEPT_RCX_R11
        /*
@@ -533,7 +535,6 @@ END(system_call)
 ENTRY(stub_\func)
        CFI_STARTPROC
        DEFAULT_FRAME 0, 8              /* offset 8: return address */
-       SAVE_EXTRA_REGS 8
        jmp sys_\func
        CFI_ENDPROC
 END(stub_\func)
@@ -617,14 +618,6 @@ END(stub32_execveat)
 ENTRY(stub_rt_sigreturn)
        CFI_STARTPROC
        DEFAULT_FRAME 0, 8
-       /*
-        * SAVE_EXTRA_REGS result is not normally needed:
-        * sigreturn overwrites all pt_regs->GPREGS.
-        * But sigreturn can fail (!), and there is no easy way to detect that.
-        * To make sure RESTORE_EXTRA_REGS doesn't restore garbage on error,
-        * we SAVE_EXTRA_REGS here.
-        */
-       SAVE_EXTRA_REGS 8
        call sys_rt_sigreturn
 return_from_stub:
        addq    $8, %rsp
@@ -639,7 +632,6 @@ END(stub_rt_sigreturn)
 ENTRY(stub_x32_rt_sigreturn)
        CFI_STARTPROC
        DEFAULT_FRAME 0, 8
-       SAVE_EXTRA_REGS 8
        call sys32_x32_rt_sigreturn
        jmp  return_from_stub
        CFI_ENDPROC