From fd89ba7ef6a5cce4038913b7475e958e0ac0945c Mon Sep 17 00:00:00 2001
From: Jamie Iles <jamie.iles@oracle.com>
Date: Mon, 8 Jan 2018 23:21:44 +0000
Subject: [PATCH] x86/ia32: save and clear registers on syscall.

This is a followup to 111ba91464f2 (x86/syscall: Clear unused extra
registers on syscall entrance) and a1aa2e658e0af (Re-introduce clearing
of r12-15, rbp, rbx), making sure that we also save and clear registers
on the compat syscalls.  Otherwise we see segfaults when running an
32-bit binary on a 64-bit kernel.

Orabug: 27365431
CVE: CVE-2017-5754

Cc: Kris Van Hees <kris.van.hees@oracle.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
---
 arch/x86/ia32/ia32entry.S      |  4 ++++
 arch/x86/include/asm/calling.h | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 0604c0b5cfc0..eebb13d11c09 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -151,6 +151,8 @@ ENTRY(ia32_sysenter_target)
 	sub	$(10*8),%rsp /* pt_regs->r8-11,bp,bx,r12-15 not saved */
 	CFI_ADJUST_CFA_OFFSET 10*8
 
+	SAVE_EXTRA_REGS
+	CLEAR_R8_TO_R15
 	ENABLE_IBRS
 	STUFF_RSB
 
@@ -543,6 +545,8 @@ ENTRY(ia32_syscall)
 	sub	$(10*8),%rsp /* pt_regs->r8-11,bp,bx,r12-15 not saved */
 	CFI_ADJUST_CFA_OFFSET 10*8
 
+	SAVE_EXTRA_REGS
+	CLEAR_R8_TO_R15
 	ENABLE_IBRS
 	STUFF_RSB
 
diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h
index d2a3483d4008..017514ab84cf 100644
--- a/arch/x86/include/asm/calling.h
+++ b/arch/x86/include/asm/calling.h
@@ -160,6 +160,17 @@ For 32-bit we have the following conventions - kernel is built with
 	xorq	%rbx, %rbx
 	.endm
 
+	.macro CLEAR_R8_TO_R15
+	xorq %r15, %r15
+	xorq %r14, %r14
+	xorq %r13, %r13
+	xorq %r12, %r12
+	xorq %r11, %r11
+	xorq %r10, %r10
+	xorq %r9, %r9
+	xorq %r8, %r8
+	.endm
+
 	.macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1
 	.if \rstor_r11
 	movq_cfi_restore 6*8, r11
-- 
2.50.1