From 360a97a0255cf630b93d90dd2792ace2ec57b8e6 Mon Sep 17 00:00:00 2001
From: Kris Van Hees
Date: Sun, 7 Jan 2018 12:18:42 -0800
Subject: [PATCH] Re-introduce clearing of r12-15, rbp, rbx
Re-introduce the clearing of the extra registers (r12-r15, rbp, rbx) upon entry into a system call. This commit ensures that we do not save the extra registers after they got cleared, because that causes NULL values to get written in place of the saved values.
Orabug: 27344012
CVE: CVE-2017-5715
Signed-off-by: Kris Van Hees
Signed-off-by: Kirtikar Kashyap
---
 arch/x86/include/asm/calling.h | 12 ++++++------
 arch/x86/kernel/dtrace_syscall_stubs.S | 2 --
 arch/x86/kernel/entry_64.S | 14 +++----------
 3 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h
index 1c8b50edb2db..d2a3483d4008 100644
--- a/arch/x86/include/asm/calling.h
+++ b/arch/x86/include/asm/calling.h
@@ -152,12 +152,12 @@ For 32-bit we have the following conventions - kernel is built with
 	.endm
 	.macro ZERO_EXTRA_REGS
-	xorl %r15d, %r15d
-	xorl %r14d, %r14d
-	xorl %r13d, %r13d
-	xorl %r12d, %r12d
-	xorl %ebp, %ebp
-	xorl %ebx, %ebx
+	xorq %r15, %r15
+	xorq %r14, %r14
+	xorq %r13, %r13
+	xorq %r12, %r12
+	xorq %rbp, %rbp
+	xorq %rbx, %rbx
 	.endm
 	.macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1
diff --git a/arch/x86/kernel/dtrace_syscall_stubs.S b/arch/x86/kernel/dtrace_syscall_stubs.S
index a07f25b926f2..6b8252dd1da7 100644
--- a/arch/x86/kernel/dtrace_syscall_stubs.S
+++ b/arch/x86/kernel/dtrace_syscall_stubs.S
@@ -116,7 +116,6 @@
 ENTRY(dtrace_stub_\func)
 	CFI_STARTPROC
 	DEFAULT_FRAME 0, 8
-	SAVE_EXTRA_REGS 8
 	jmp dtrace_sys_\func
 	CFI_ENDPROC
 END(dtrace_stub_\func)
@@ -160,7 +159,6 @@ END(dtrace_stub_execveat)
 ENTRY(dtrace_stub_rt_sigreturn)
 	CFI_STARTPROC
 	DEFAULT_FRAME 0, 8
-	SAVE_EXTRA_REGS 8
 	call dtrace_sys_rt_sigreturn
 	addq $8, %rsp
 	CFI_ADJUST_CFA_OFFSET -8
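Review bot: The xorl→xorq switch in ZERO_EXTRA_REGS changes the encoding, not the behaviour: a 32-bit `xorl %r15d, %r15d` already zero-extends into the full 64-bit register, so `xorq` only adds a REX.W prefix (one extra byte for %rbp/%rbx; r12–r15 carry a REX byte either way). If the intent is to make the full-width clear explicit, a comment does that better than the wider form. The more important gap is that the macro states no precondition: it destroys the callee-saved set, so SAVE_EXTRA_REGS must run before it and nothing later on the same path may SAVE_EXTRA_REGS again, or zeros land in pt_regs, which is exactly the defect the rest of this patch removes. Suggested header comment: `/* Clear the callee-saved regs on syscall entry (CVE-2017-5715 mitigation). Caller must SAVE_EXTRA_REGS first; pt_regs is then the only copy of the user's values. */`.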
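Review bot: Removing `SAVE_EXTRA_REGS 8` here (and in dtrace_stub_rt_sigreturn in the next hunk, and in the FORK_LIKE, stub_rt_sigreturn and stub_x32_rt_sigreturn stubs in entry_64.S) makes every stub silently depend on system_call having done SAVE_EXTRA_REGS before ZERO_EXTRA_REGS, yet nothing at the stub says so; a reader who sees `DEFAULT_FRAME 0, 8` describe a full pt_regs frame with no save in sight will be tempted to put the save back and reintroduce the zero-overwrite this patch fixes. Suggest one comment in place of the removed line: `/* extra regs already saved (then zeroed) by system_call; saving again here would store zeros */`. The removal is only correct if every dispatcher that reaches dtrace_stub_\func saved the extra regs at entry; the 64-bit system_call path in this patch does, and any other entry path that can reach these stubs (none is visible here) would need the same check.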
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index f4e8f19b7629..507bf55f518c 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -257,6 +257,7 @@ GLOBAL(system_call_after_swapgs)
 	 * Will restore the callee saved extra regs at end of syscall.
 	 */
 	SAVE_EXTRA_REGS
+	ZERO_EXTRA_REGS
 	STUFF_RSB
@@ -287,6 +288,8 @@ system_call_fastpath:
 	 */
 	DISABLE_INTERRUPTS(CLBR_NONE)
+	RESTORE_EXTRA_REGS
+
 	/*
 	 * We must check ti flags with interrupts (or at least preemption)
 	 * off because we must *never* return to userspace without
@@ -303,7 +306,6 @@ system_call_fastpath:
 	movq RIP(%rsp),%rcx
 	CFI_REGISTER rip,rcx
 	movq EFLAGS(%rsp),%r11
-	RESTORE_EXTRA_REGS
 	/*CFI_REGISTER rflags,r11*/
 	RESTORE_C_REGS_EXCEPT_RCX_R11
 	/*
@@ -533,7 +535,6 @@ END(system_call)
 ENTRY(stub_\func)
 	CFI_STARTPROC
 	DEFAULT_FRAME 0, 8		/* offset 8: return address */
-	SAVE_EXTRA_REGS 8
 	jmp sys_\func
 	CFI_ENDPROC
 END(stub_\func)
@@ -617,14 +618,6 @@ END(stub32_execveat)
 ENTRY(stub_rt_sigreturn)
 	CFI_STARTPROC
 	DEFAULT_FRAME 0, 8
-	/*
-	 * SAVE_EXTRA_REGS result is not normally needed:
-	 * sigreturn overwrites all pt_regs->GPREGS.
-	 * But sigreturn can fail (!), and there is no easy way to detect that.
-	 * To make sure RESTORE_EXTRA_REGS doesn't restore garbage on error,
-	 * we SAVE_EXTRA_REGS here.
-	 */
-	SAVE_EXTRA_REGS 8
 	call sys_rt_sigreturn
 return_from_stub:
 	addq $8, %rsp
@@ -639,7 +632,6 @@ END(stub_rt_sigreturn)
 ENTRY(stub_x32_rt_sigreturn)
 	CFI_STARTPROC
 	DEFAULT_FRAME 0, 8
-	SAVE_EXTRA_REGS 8
 	call sys32_x32_rt_sigreturn
 	jmp return_from_stub
 	CFI_ENDPROC
-- 
2.50.1
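Review bot: ZERO_EXTRA_REGS is added directly after SAVE_EXTRA_REGS without a comment, while the comment just above it still only says "Will restore the callee saved extra regs at end of syscall"; neither the reason for clearing nor the new invariant (pt_regs is the only copy of the user's r12–r15/rbp/rbx from this point on) is written down anywhere. Suggest extending that comment with `* The extra regs are then cleared so no user-controlled value stays live in the callee-saved registers while kernel code runs (CVE-2017-5715); pt_regs holds the only copy until RESTORE_EXTRA_REGS.`. The rule that no later SAVE_EXTRA_REGS is allowed on this path belongs in the same comment, since the stub changes elsewhere in this patch rely on it and the stubs themselves no longer show it.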
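Review bot: RESTORE_EXTRA_REGS is moved in front of the ti-flags check (the `testl $_TIF_ALLWORK_MASK` itself sits just below this hunk, and the old placement is removed in the next hunk), but nothing explains why it has to be here rather than on the SYSRET path where it was. The reason I can infer is that the jump to the slow IRET path taken after the check would otherwise leave the zeroed registers live, because that exit only restores the C regs; if that is right it deserves a line such as `/* Restore the callee-saved regs before the exit-work check: both the SYSRET path below and the slow IRET path must see the user's values, and the slow path does not restore them itself. */`. It is also worth recording that this narrows the zeroing to the syscall handler proper: any exit work reached through the slow path runs with the user's callee-saved values back in the registers, which is a scope decision better stated than implied.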
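Review bot: The removed comment documented a hazard that still exists (sigreturn can fail after overwriting pt_regs->GPREGS, so the extra-reg slots must hold sane values when RESTORE_EXTRA_REGS runs); what changed is that the entry-time SAVE_EXTRA_REGS now provides those values, not that the hazard went away. Dropping the whole explanation leaves `call sys_rt_sigreturn` followed by `return_from_stub`, whose RESTORE_EXTRA_REGS is outside this hunk, with no hint of why no save is needed here. Suggest keeping a shortened version: `/* No SAVE_EXTRA_REGS: system_call saved the extra regs at entry, so if sigreturn fails return_from_stub restores the entry values rather than garbage. */`.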