instead of it sitting in paranoid_entry or error_entry.
The idea behind STUFF_RSB is for it to be done _before_
any calls are made, which means we really want this in the idt
macro that is handled for exceptions - such as device not available,
which currently looks like so:
[Ignore the callq *0x40.. that gets converted to a 'cld']
<device_not_available>:
nop
nop
nop
callq *0x40d0b7(%rip) # ffffffff81b55330 <pv_irq_ops+0x30> <= patched to cld
pushq $0xffffffffffffffff
sub $0x78,%rsp
callq ffffffff81748ea0 <error_entry> <=== call!
mov %rsp,%rdi
xor %esi,%esi
callq ffffffff81018830 <do_device_not_available>
test %rax,%rax
jne ffffffff81747f10 <dtrace_error_exit>
jmpq ffffffff817490a0 <error_exit>
nopl 0x0(%rax)
By stuffing the RSB before the call to error_entry (or
paranoid_entry) we remove the chance of this becoming an attack vector.
While at it, remove the useless comment - we don't encode any frames
in UEK4.
OraBug: 27417150
Reviewed-by: Kris Van Hees <kris.van.hees@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
.endif
ASM_CLAC
+ STUFF_RSB
PARAVIRT_ADJUST_EXCEPTION_FRAME
.ifeq \has_error_code
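Review bot: STUFF_RSB now runs at the top of idtentry, before SAVE_C_REGS/SAVE_EXTRA_REGS (both places it is removed from below sat after those saves), so the macro must not clobber any general-purpose register or flags-dependent state the interrupted context needs; please confirm it only uses the stack (restoring %rsp) and the flags, otherwise the user context is corrupted on entry. A short comment here saying why it sits before PARAVIRT_ADJUST_EXCEPTION_FRAME (per the commit message's disassembly that macro expands to a callq through pv_irq_ops on paravirt builds, so even it counts as a call) would replace the explanation lost with the removed paranoid_entry comment.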
SAVE_C_REGS 8
SAVE_EXTRA_REGS 8
- /*
- * Have to do stuffing before encoding frame pointer.
- * Could add some unnecessary RSB clearing if coming
- * from kernel for non-SMEP platform.
- */
- STUFF_RSB
-
movl $1,%ebx
movl $MSR_GS_BASE,%ecx
rdmsr
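Review bot: after this removal paranoid_entry no longer stuffs the RSB itself, and the only new STUFF_RSB in the patch is inside the idtentry macro; any entry path that reaches paranoid_entry without going through idtentry loses its stuffing, so please confirm no such caller exists in this tree or add STUFF_RSB on that path too. Dropping the comment is consistent with the commit message's statement that UEK4 does not encode frames.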
cld
SAVE_C_REGS 8
SAVE_EXTRA_REGS 8
- STUFF_RSB
/*
* error_entry() always returns with a kernel gsbase and
* CR3. We must also have a kernel CR3/gsbase before
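Review bot: same concern as for paranoid_entry: error_entry no longer stuffs the RSB, so every `call error_entry` must now come from an idtentry expansion; please confirm that holds. Note also that stuffing now happens unconditionally, before error_entry has determined whether the exception came from user or kernel mode, which is exactly the "unnecessary RSB clearing if coming from kernel" case the removed paranoid_entry comment called out; if that cost is accepted, say so in a comment at the new site.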