From: Ankur Arora
Date: Thu, 8 Feb 2018 01:05:18 +0000 (-0500)
Subject: x86/ia32/syscall: don't do RESTORE_EXTRA_REGS prematurely
X-Git-Tag: v4.1.12-124.31.3~1123
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=4e5d93269b9f5b6ff2d6fd1d0c34bb71c1d15378;p=users%2Fjedix%2Flinux-maple.git

x86/ia32/syscall: don't do RESTORE_EXTRA_REGS prematurely

With the recent spectre mitigation changes we save the full pt_regs on the stack and zero the extra regs. This means that for the sysenter (and cstar) calling conventions, the pt_regs state for %ebp contains the user %esp instead of the 6th argument. For the straight syscall (non-tracing) path we load the real %ebp from the user-stack and all is well. In the tracing/seccomp path, however, we do RESTORE_EXTRA_REGS before the syscall, thus clobbering the 6th argument (which gets replaced with the old %ebp value.) The fix is to RESTORE_EXTRA_REGS only if we are done with syscall handling. A side benefit is that this mitigation now also extends to the tracing path.

Orabug: 27461990
CVE: CVE-2017-5715
Signed-off-by: Ankur Arora
Reviewed-by: Darren Kenny
---
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 39f4debdf5bb..f7655701e840 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -318,10 +318,12 @@ sysenter_tracesys:
 	movq %rsp,%rdi /* &pt_regs -> arg1 */
 	call syscall_trace_enter
 	LOAD_ARGS32 /* reload args from stack in case ptrace changed it */
-	RESTORE_EXTRA_REGS
 	cmpq $(IA32_NR_syscalls-1),%rax
-	ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+	ja ia32_bounce_out /* sysenter_tracesys has set RAX(%rsp) */
 	jmp sysenter_do_call
+ia32_bounce_out:
+	RESTORE_EXTRA_REGS
+	jmp int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
 	CFI_ENDPROC
 ENDPROC(ia32_sysenter_target)
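Review bot: The comment on the new `jmp int_ret_from_sys_call` under `ia32_bounce_out` still says sysenter_tracesys set RAX(%rsp), but the label is also the `ja` target of cstar_tracesys and ia32_tracesys in the two hunks that follow, so it should read `/* the *_tracesys caller has set RAX(%rsp) */`. The label also sits between `jmp sysenter_do_call` and `CFI_ENDPROC` of ia32_sysenter_target while its other two callers live in functions closed by END(), so the unwind annotations in force at the label are sysenter's; that is only correct if all three paths hold an identical full-pt_regs frame at this point, which the description suggests is the case after the spectre changes but is not visible here. Stating that invariant at the label, e.g. `/* Shared tracesys bail-out: callers arrive with a full pt_regs frame; restore the callee-saved regs only now that no syscall will be dispatched */`, would make the shared target safe to maintain. sysenter_tracesys's entry sequence lies outside the hunk.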
@@ -484,10 +486,9 @@ cstar_tracesys:
 	movq %rsp,%rdi /* &pt_regs -> arg1 */
 	call syscall_trace_enter
 	LOAD_ARGS32 1 /* reload args from stack in case ptrace changed it */
-	RESTORE_EXTRA_REGS
 	xchgl %ebp,%r9d
 	cmpq $(IA32_NR_syscalls-1),%rax
-	ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+	ja ia32_bounce_out /* cstar_tracesys has set RAX(%rsp) */
 	jmp cstar_do_call
 END(ia32_cstar_target)
@@ -585,9 +586,8 @@ ia32_tracesys:
 	movq %rsp,%rdi /* &pt_regs -> arg1 */
 	call syscall_trace_enter
 	LOAD_ARGS32 /* reload args from stack in case ptrace changed it */
-	RESTORE_EXTRA_REGS
 	cmpq $(IA32_NR_syscalls-1),%rax
-	ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
+	ja ia32_bounce_out /* ia32_tracesys has set RAX(%rsp) */
 	jmp ia32_do_call
 END(ia32_syscall)
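Review bot: In cstar_tracesys, dropping `RESTORE_EXTRA_REGS` changes what `xchgl %ebp,%r9d` operates on: `%ebp` is callee-saved across `call syscall_trace_enter`, so it still holds its pre-trace value rather than whatever a tracer left in the bp slot of pt_regs, whereas `LOAD_ARGS32 1` (per its own comment) reloads the argument registers from the stack. If a ptrace or seccomp hook is allowed to rewrite the 6th argument through that slot on this path, the rewrite is now silently ignored by the dispatched call; whether the 6th argument is expected in the bp slot or the r9 slot here depends on the entry half of cstar_tracesys, which is outside the hunk, so this needs confirming before merge. The same consideration applies to ia32_tracesys below and to sysenter_tracesys in the first hunk, where the post-`LOAD_ARGS32` register state is now handed straight to `*_do_call`. A comment at each `jmp *_do_call`, e.g. `/* callee-saved regs stay on the stack across dispatch; only ia32_bounce_out restores them */`, would record the new invariant for the next reader.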