From fd29a0e89b099bb2d7bb17a271c6382a8a4b62c5 Mon Sep 17 00:00:00 2001 From: Konrad Rzeszutek Wilk Date: Fri, 12 Jan 2018 22:32:23 -0500 Subject: [PATCH] x86: Move STUFF_RSB in to the idt macro instead of it sitting in paranoid_entry or error_entry. The idea behind the STUFF_RSB is to be done _before_ any calls are done. Which means we really want this in the idt macro that is handled for exceptions - such as device not available, which currently looks as so: [Ignore the callq *0x40.. that gets converted to an 'cld'] : nop nop nop callq *0x40d0b7(%rip) # ffffffff81b55330 <= patched to cld pushq $0xffffffffffffffff sub $0x78,%rsp callq ffffffff81748ea0 <=== call! mov %rsp,%rdi xor %esi,%esi callq ffffffff81018830 test %rax,%rax jne ffffffff81747f10 jmpq ffffffff817490a0 nopl 0x0(%rax) By stuffing the RSB before the call to error_entry (or paranoid_entry) we remove the chance of this becoming an attack vector. While at it, remove the useless comment - we don't encode any frames in UEK4. OraBug: 27417150 Reviewed-by: Kris Van Hees Signed-off-by: Konrad Rzeszutek Wilk
---
 arch/x86/kernel/entry_64.S | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 993cba9ca08b..fef48172a35c 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1022,6 +1022,7 @@ ENTRY(\sym)
 	.endif
 	ASM_CLAC
+	STUFF_RSB
 	PARAVIRT_ADJUST_EXCEPTION_FRAME
 	.ifeq \has_error_code
@@ -1475,13 +1476,6 @@ ENTRY(paranoid_entry)
 	SAVE_C_REGS 8
 	SAVE_EXTRA_REGS 8
-	/*
-	 * Have to do stuffing before encoding frame pointer.
-	 * Could add some unnecessary RSB clearing if coming
-	 * from kernel for non-SMEP platform.
-	 */
-	STUFF_RSB
-
 	movl $1,%ebx
 	movl $MSR_GS_BASE,%ecx
 	rdmsr
@@ -1560,7 +1554,6 @@ ENTRY(error_entry)
 	cld
 	SAVE_C_REGS 8
 	SAVE_EXTRA_REGS 8
-	STUFF_RSB
 	/*
 	 * error_entry() always returns with a kernel gsbase and
 	 * CR3. We must also have a kernel CR3/gsbase before
-- 
2.50.1
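Review bot: Removing STUFF_RSB from paranoid_entry (second hunk) and error_entry (third hunk) leaves any caller that reaches them without going through the `\sym` idtentry macro with no RSB stuffing at all; in upstream entry_64.S of this era the NMI entry does `call paranoid_entry` directly rather than via `idtentry`, and nothing in this patch touches that path, so unless UEK4 differs the NMI entry appears to lose its stuffing. Either keep `STUFF_RSB` in those direct callers or add it to the NMI entry after its register save, so that coverage is not narrowed by the move. In the first hunk STUFF_RSB now runs before SAVE_C_REGS/SAVE_EXTRA_REGS and before PARAVIRT_ADJUST_EXCEPTION_FRAME, so whatever the macro expands to must preserve every GPR and leave the stack exactly as it found it; I cannot see its definition here, so that is an assumption worth checking against the ALTERNATIVE it patches in. A comment at the new site, `/* Stuff the RSB before the call to error_entry/paranoid_entry; regs are not saved yet, so this must clobber nothing */`, would pin that constraint for the next person who reorders the macro. The idtentry macro and both entry routines continue outside these hunks.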