From: Ankur Arora
Date: Sat, 10 Feb 2018 03:25:21 +0000 (-0500)
Subject: x86/ia32/syscall: RESTORE_EXTRA_REGS when returning from syscall
X-Git-Tag: v4.1.12-124.31.3~1122
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=2110ad088232fd3c876be4c2c64df04784dd2fea;p=users%2Fjedix%2Flinux-maple.git

x86/ia32/syscall: RESTORE_EXTRA_REGS when returning from syscall

EXTRA_REGS (callee saved regs) are saved on kernel stack at entry and zero'd. Some of these registers might be potentially used in the syscall entry path and contain kernel state; to avoid leaking this state we restore these registers as we exit to user-space.

Orabug: 27461990
CVE: CVE-2017-5715

Signed-off-by: Ankur Arora
Reviewed-by: Darren Kenny
---
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index f7655701e840..6a52527eac06 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -210,6 +210,7 @@ sysexit_from_sys_call:
 	andl	$~TS_COMPAT,ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
 	movl	RIP(%rsp),%ecx		/* User %eip */
 	CFI_REGISTER rip,rcx
+	RESTORE_EXTRA_REGS
 	RESTORE_RSI_RDI
 	xorl	%edx,%edx		/* avoid info leaks */
 	xorq	%r8,%r8
@@ -291,6 +292,7 @@ sysexit_from_sys_call:
 	testl	%edi, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
 	jz	\exit
 	CLEAR_RREGS
+	RESTORE_EXTRA_REGS
 	jmp	int_with_check
 	.endm
@@ -434,6 +436,7 @@ cstar_dispatch:
 	jnz	sysretl_audit
 sysretl_from_sys_call:
 	andl	$~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
+	RESTORE_EXTRA_REGS
 	RESTORE_RSI_RDI_RDX
 	movl	RIP(%rsp),%ecx
 	CFI_REGISTER rip,rcx
@@ -578,6 +581,7 @@ ia32_sysret:
 	movq	%rax,RAX(%rsp)
ia32_ret_from_sys_call:
 	CLEAR_RREGS
+	RESTORE_EXTRA_REGS
 	jmp	int_ret_from_sys_call
ia32_tracesys:
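Review bot: The `RESTORE_EXTRA_REGS` added in the sysexit hunk (and the identical line after `sysretl_from_sys_call:` in the third hunk) only removes a leak if every pt_regs slot it reloads — rbx, rbp, r12–r15 — was actually stored or zeroed by the matching entry path; a slot that entry merely reserved would now be copied verbatim into a user-visible register, the opposite of the intent. The entry code is outside this diff, so that invariant cannot be checked here; the commit message asserts it, and it deserves a comment at the use site so a later entry-path change does not break it silently, e.g. `RESTORE_EXTRA_REGS		/* slots were saved/zeroed at entry; must not carry kernel values */`. The macro reads the slots relative to %rsp, so it must also stay ahead of whatever later switches %rsp to the user stack; that tail of sysexit_from_sys_call and of the sysretl path lies past the end of both hunks and should be checked there.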
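Review bot: In the macro body ending at `.endm` (second hunk) and again after `ia32_ret_from_sys_call:` (last hunk), the new `RESTORE_EXTRA_REGS` is immediately followed by a `jmp` into the 64-bit slow path (`int_with_check` / `int_ret_from_sys_call`); if that path can still call into C before reaching user space, the callee-saved registers are clobbered again and only that path's own exit sequence can restore them, making this restore redundant, and if it cannot, this is the only restore. Both targets are defined outside this file, so which case holds is not visible here, and the line should say which one is relied on, e.g. `RESTORE_EXTRA_REGS		/* slow-path exit does not reload these for compat */`, or be dropped if the 64-bit exit already does the reload. The macro only reads from the pt_regs slots, so a redundant copy is harmless, but an undocumented one invites a later "cleanup" that removes the wrong instance.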