*INCOMPLETE* x86/syscall: Clear unused extra registers on syscall entrance

To prevent the unused registers %r12-%r15, %rbp and %rbx from
being used speculatively, we clear them upon syscall entrance
for code hygiene.

Orabug: 27344012
CVE: CVE-2017-5715

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
 Backport: We don't have the ORC stack which means our calling.h
 has the CTF code. And that has RESTORE_EXTRA_ARGS and ZERO_EXTRA_ARGS
 so there was no need to port that in. See
 commit 76f5df43cab5e765c0bd42289103e8f625813ae1
 x86/asm/entry/64: Always allocate a complete "struct pt_regs" on the kernel stack
 which added them.

 The ZERO_EXTRA_REGS (aka CLEAR_EXTRA_REGS) is not part of it.
 It ends up crashing the user-space.  Not sure why not.

 Which means this patch is pretty much useless - we don't clear
 any of the %r12-%r15, nor %rbp, nor %rbx at all.

 In other words we just save now more registers on the %esp
 and restore them.

 But somewhere we depend on these and need to fix that.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 15fef9cdbade38e8201dbf22a0d39ade0a63d25f..1497fd75060854cf16a4a0c13d2e78873c2a9e4d 100644 (file)
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -247,9 +247,15 @@ GLOBAL(system_call_after_swapgs)
        pushq_cfi_reg   r9                      /* pt_regs->r9 */
        pushq_cfi_reg   r10                     /* pt_regs->r10 */
        pushq_cfi_reg   r11                     /* pt_regs->r11 */
-       sub     $(6*8),%rsp /* pt_regs->bp,bx,r12-15 not saved */
+       sub     $(6*8),%rsp /* pt_regs->bp,bx,r12-15 not used */
        CFI_ADJUST_CFA_OFFSET 6*8
 
+       /*
+        * Clear the unused extra regs for code hygiene.
+        * Will restore the callee saved extra regs at end of syscall.
+        */
+       SAVE_EXTRA_REGS
+
        STUFF_RSB
 
        TRACE_IRQS_OFF
@@ -296,6 +302,7 @@ system_call_fastpath:
        movq    RIP(%rsp),%rcx
        CFI_REGISTER    rip,rcx
        movq    EFLAGS(%rsp),%r11
+       RESTORE_EXTRA_REGS
        /*CFI_REGISTER  rflags,r11*/
        movq    RSP(%rsp),%rsp
        /*
@@ -329,7 +336,6 @@ tracesys:
        jmp system_call_fastpath        /*      and return to the fast path */
 
 tracesys_phase2:
-       SAVE_EXTRA_REGS
        movq %rsp, %rdi
        movl $AUDIT_ARCH_X86_64, %esi
        movq %rax,%rdx
@@ -393,7 +399,6 @@ int_careful:
 int_very_careful:
        TRACE_IRQS_ON
        ENABLE_INTERRUPTS(CLBR_NONE)
-       SAVE_EXTRA_REGS
        /* Check for syscall exit trace */
        testl $_TIF_WORK_SYSCALL_EXIT,%edx
        jz int_signal