x86/ia32/syscall: don't do RESTORE_EXTRA_REGS prematurely

With the recent spectre mitigation changes we save the full pt_regs on
the stack and zero the extra regs. This means that for the sysenter
(and cstar) calling conventions, the pt_regs state for %ebp contains
the user %esp instead of the 6th argument.

For the straight syscall (non-tracing) path we load the real %ebp from
the user-stack and all is well. In the tracing/seccomp path, however, we
do RESTORE_EXTRA_REGS before the syscall, thus clobbering the 6th
argument (which gets replaced with the old %ebp value.)

The fix is to RESTORE_EXTRA_REGS only if we are done with syscall
handling. A side benefit is that this mitigation now also extends to
the tracing path.

Orabug: 27461990
CVE: CVE-2017-5715

Signed-off-by: Ankur Arora <ankur.a.arora@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 39f4debdf5bbe42be1610bf14a40c74f5b0f4be0..f7655701e840a57649b67d74925ce6f3b4137e95 100644 (file)
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -318,10 +318,12 @@ sysenter_tracesys:
        movq    %rsp,%rdi        /* &pt_regs -> arg1 */
        call    syscall_trace_enter
        LOAD_ARGS32  /* reload args from stack in case ptrace changed it */
-       RESTORE_EXTRA_REGS
        cmpq    $(IA32_NR_syscalls-1),%rax
-       ja      int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+       ja      ia32_bounce_out /* sysenter_tracesys has set RAX(%rsp) */
        jmp     sysenter_do_call
+ia32_bounce_out:
+       RESTORE_EXTRA_REGS
+       jmp     int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
        CFI_ENDPROC
 ENDPROC(ia32_sysenter_target)
 
@@ -484,10 +486,9 @@ cstar_tracesys:
        movq %rsp,%rdi        /* &pt_regs -> arg1 */
        call syscall_trace_enter
        LOAD_ARGS32 1   /* reload args from stack in case ptrace changed it */
-       RESTORE_EXTRA_REGS
        xchgl %ebp,%r9d
        cmpq $(IA32_NR_syscalls-1),%rax
-       ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+       ja ia32_bounce_out      /* cstar_tracesys has set RAX(%rsp) */
        jmp cstar_do_call
 END(ia32_cstar_target)
                                
@@ -585,9 +586,8 @@ ia32_tracesys:
        movq %rsp,%rdi        /* &pt_regs -> arg1 */
        call syscall_trace_enter
        LOAD_ARGS32     /* reload args from stack in case ptrace changed it */
-       RESTORE_EXTRA_REGS
        cmpq $(IA32_NR_syscalls-1),%rax
-       ja  int_ret_from_sys_call       /* ia32_tracesys has set RAX(%rsp) */
+       ja  ia32_bounce_out     /* ia32_tracesys has set RAX(%rsp) */
        jmp ia32_do_call
 END(ia32_syscall)