From 44e762fdf5b98347deb80afefff131f1dda164d0 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Thu, 4 Jan 2018 10:31:15 -0500
Subject: [PATCH] *INCOMPLETE* x86/syscall: Clear unused extra registers on syscall entrance

To prevent the unused registers %r12-%r15, %rbp and %rbx from being used speculatively, we clear them upon syscall entrance for code hygiene.
Orabug: 27344012
CVE: CVE-2017-5715
Signed-off-by: Konrad Rzeszutek Wilk
Backport: We don't have the ORC stack which means our calling.h has the CTF code. And that has RESTORE_EXTRA_ARGS and ZERO_EXTRA_ARGS so there was no need to port that in. See commit 76f5df43cab5e765c0bd42289103e8f625813ae1 x86/asm/entry/64: Always allocate a complete "struct pt_regs" on the kernel stack which added them. The ZERO_EXTRA_REGS (aka CLEAR_EXTRA_REGS) is not part of it. It ends up crashing the user-space. Not sure why not. Which means this patch is pretty much useless - we don't clear any of the %r12-%r15, nor %rbp, nor %rbx at all. In other words we just save now more registers on the %esp and restore them. But somewhere we depend on these and need to fix that.
Signed-off-by: Konrad Rzeszutek Wilk
Reviewed-by: John Haxby
Signed-off-by: Kirtikar Kashyap
---
 arch/x86/kernel/entry_64.S | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 15fef9cdbade..1497fd750608 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -247,9 +247,15 @@ GLOBAL(system_call_after_swapgs)
 	pushq_cfi_reg r9 /* pt_regs->r9 */
 	pushq_cfi_reg r10 /* pt_regs->r10 */
 	pushq_cfi_reg r11 /* pt_regs->r11 */
-	sub $(6*8),%rsp /* pt_regs->bp,bx,r12-15 not saved */
+	sub $(6*8),%rsp /* pt_regs->bp,bx,r12-15 not used */
 	CFI_ADJUST_CFA_OFFSET 6*8
+	/*
+	 * Clear the unused extra regs for code hygiene.
+	 * Will restore the callee saved extra regs at end of syscall.
+	 */
+	SAVE_EXTRA_REGS
+	STUFF_RSB
 	TRACE_IRQS_OFF
@@ -296,6 +302,7 @@ system_call_fastpath:
 	movq RIP(%rsp),%rcx
 	CFI_REGISTER rip,rcx
 	movq EFLAGS(%rsp),%r11
+	RESTORE_EXTRA_REGS
 	/*CFI_REGISTER rflags,r11*/
 	movq RSP(%rsp),%rsp
 	/*
@@ -329,7 +336,6 @@ tracesys:
 	jmp system_call_fastpath /* and return to the fast path */
 
 tracesys_phase2:
-	SAVE_EXTRA_REGS
 	movq %rsp, %rdi
 	movl $AUDIT_ARCH_X86_64, %esi
 	movq %rax,%rdx
@@ -393,7 +399,6 @@ int_careful:
 int_very_careful:
 	TRACE_IRQS_ON
 	ENABLE_INTERRUPTS(CLBR_NONE)
-	SAVE_EXTRA_REGS
 	/* Check for syscall exit trace */
 	testl $_TIF_WORK_SYSCALL_EXIT,%edx
 	jz int_signal
-- 
2.50.1
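Review bot: The added `RESTORE_EXTRA_REGS` on the sysret fast path carries no comment explaining why it is needed here or why it must sit before `movq RSP(%rsp),%rsp`, and the ordering constraint is easy to break on a later edit since the macro reads the bp/bx/r12-r15 slots off the kernel stack. Suggested comment above the new line: `/* Reload callee-saved regs stored by SAVE_EXTRA_REGS at entry; must run before %rsp is switched to the user stack below. */`. As the description says nothing currently clears those registers, this reload is redundant with what the C code preserves; once a clearing step is added after the entry save, every return path out of system_call (the IRET-based ones are outside this hunk) will need an equivalent restore, so it is worth noting that dependency in the comment as well.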
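Review bot: Dropping `SAVE_EXTRA_REGS` from `int_very_careful` is only safe if every path into `int_ret_from_sys_call` has already written the bp/bx/r12-r15 slots of pt_regs, and this hunk only establishes that for the 64-bit `system_call` entry. In trees of this vintage `int_ret_from_sys_call` is also reached from the compat entries in ia32entry.S and from `ret_from_fork`; if any of those still leave the slots unwritten, `syscall_trace_leave` and `do_notify_resume` see stale stack contents and the untouched `RESTORE_EXTRA_REGS` at `int_restore_rest` then loads them into the user's callee-saved registers on return, which is a plausible source of the user-space crash the description reports. Either keep this `SAVE_EXTRA_REGS` (restoring the previous behaviour; it only rewrites slots the entry path already populated) or audit every jump to `int_ret_from_sys_call` before removing it. The labels involved, and the enclosing `int_ret_from_sys_call` block, lie outside the hunk.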