From: Konrad Rzeszutek Wilk Date: Sun, 7 Jan 2018 04:35:11 +0000 (-0500) Subject: x86/enter: Use IBRS on syscall and interrupts - fix ia32 path X-Git-Tag: v4.1.12-124.31.3~1301 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=b267115a48412f811502cbc021f310b186e5a757;p=users%2Fjedix%2Flinux-maple.git x86/enter: Use IBRS on syscall and interrupts - fix ia32 path The backports missed a tiny bit of changes. The easier of them is the ia32_syscall - there are two ways it returns back to userspace - to int_ret_from_sys_call and there eventually end up either in syscall_return_via_sysret or opportunistic_sysret_failed. syscall_return_via_sysret had it, but opportunistic_sysret_failed failed to have it. That is b/c we optimized a bit and stuck the DISABLE_IBRS on restore_c_regs_and_iret which was called from opportunistic_sysret_failed and retint_swapgs. But with KPTI, doing IBRS_DISABLE from within restore_c_regs_and_iret is not good - as we are touching an kernel variable and restore_c_regs_and_iret is running with user-mode cr3! So "x86: Fix spectre/kpti integration" fixed it by adding the DISABLE_IBRS syscall_return_via_sysret. (If you look at the original commit you would think that we should also fix opportunistic_sysret_failed, but that is fixed in "x86: Fix spectre/kpti integration") The seconday issue is that we did not call DISABLE_IBRS from sysexit_from_sys_call. This patch adds that in too. Orabug: 27344012 CVE: CVE-2017-5715 Reported-by: Alexandre Chartre Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Kirtikar Kashyap --- diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S index 2279b4ff5d9e..0604c0b5cfc0 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -214,6 +214,9 @@ sysexit_from_sys_call: movl EFLAGS(%rsp),%r11d /* User eflags */ /*CFI_RESTORE rflags*/ TRACE_IRQS_ON + + DISABLE_IBRS + SWITCH_USER_CR3 /* 
@@ -560,7 +563,6 @@ ia32_sysret: movq %rax,RAX(%rsp) ia32_ret_from_sys_call: CLEAR_RREGS - DISABLE_IBRS jmp int_ret_from_sys_call ia32_tracesys:
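Review bot: in the sysexit_from_sys_call hunk, the new DISABLE_IBRS is placed before SWITCH_USER_CR3, which matches the constraint the commit message gives (the IBRS disable touches a kernel variable, so it must run while the kernel CR3 is still loaded), but nothing in the code records that constraint; a one-line comment at the insertion, e.g. `/* must precede SWITCH_USER_CR3: touches kernel data */`, would stop a later reorder from reintroducing the KPTI fault described in the message. It is also worth confirming in review that DISABLE_IBRS preserves %r11d, which was loaded with the user eflags two lines above and is still live at the sysexit, and the other registers the sysexit path consumes.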
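Review bot: removing DISABLE_IBRS from ia32_ret_from_sys_call is only safe if every exit reachable through int_ret_from_sys_call disables IBRS itself; the commit message says syscall_return_via_sysret already does and that opportunistic_sysret_failed is handled by "x86: Fix spectre/kpti integration", so this hunk has an ordering dependency on that commit that should be stated explicitly in the message, otherwise a backport that picks this patch alone leaves the opportunistic_sysret_failed return with IBRS still enabled on the way to user mode. The removal itself is an improvement, since disabling IBRS here and then jumping to int_ret_from_sys_call ran the remaining kernel-side return work with IBRS already off.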