The verw instruction needs to be called with a memory operand instead
of the register operand to correctly flush the buffers affected by
MDS. The buffer overwriting occurs regardless of the permission check
as well as the null selector.
Orabug: 29791036
CVE: CVE-2018-12127
CVE: CVE-2018-12130
Signed-off-by: Kanth Ghatraju <kanth.ghatraju@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
STATIC_JUMP_IF_TRUE .Lmdsverwcall_\@, mds_user_clear, def=0
jmp .Lmdsverwdone_\@
.Lmdsverwcall_\@:
- pushw %cx
- movw $__KERNEL_DS, %cx
- verw %cx
- popw %cx
+ sub $8, %rsp
+ mov %ds, (%rsp)
+ verw (%rsp)
+ add $8, %rsp
.Lmdsverwdone_\@:
.endm
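Review bot: the new sequence writes the live %ds value to scratch stack space and runs verw on it, so the macro now depends on %rsp pointing at a writable kernel stack with 8 bytes of headroom wherever it is expanded; the removed variant used the explicit __KERNEL_DS selector, and a read-only `.word __KERNEL_DS` referenced through a %rip-relative memory operand would give verw the required memory form without touching the stack at all. Whichever operand is kept, add a comment on the `verw` line stating that the memory form is what triggers the buffer overwrite on affected CPUs and that the selector's permission check and null value do not matter, since the commit message is the only place that rationale currently lives.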