Received: by 10.223.185.116 with SMTP id b49csp5728312wrg;
        Tue, 27 Feb 2018 20:01:55 -0800 (PST)
X-Google-Smtp-Source: AH8x2273aWQ1a+vBoJl0Ca9RCzY2isFA/zP1O/f01WZ6YwzXNhuLE/PgxvMUK6XuAeqWWABc3S79
X-Received: by 10.101.88.76 with SMTP id s12mr12829714pgr.385.1519790514920;
        Tue, 27 Feb 2018 20:01:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519790514; cv=none;
        d=google.com; s=arc-20160816;
        b=wo8UuY8fGyD0394LkQwoYoCQIiXFFFgGejHlJSE2tJt1VYaxu1Cx3AUAnaqZhjS8cd
         J46giYpyTJBfs0nCRJkwA1U8Ywn3dbGW46mGTUrl4oJFq/pqSU2QvEkLf5QVVhYi5Gf7
         Spro5UH5kR1mlg6+RLwblKQgky2s/PRdQvX/6QkaMh4sCLqoxSXLvwmI3iKNcRdDd/wd
         rW4M2x772JKeG37SpedoB73xx6teFpuZH+7gZiBTBsUGqFJpQBsD/AeOFLUDb3jUVkWm
         AoU07+CAqXC6zopILWGyYC9XrYgLnXDNpUskJwmn2U7hPXHHxZ8dYN1AiYNGn9kIjH0m
         xP3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature:arc-authentication-results;
        bh=maE1x+zHtUmA+lsl2Bxum/L+15vTg0UTcHBJ7wI7oeM=;
        b=CDT/W9m0DqsXPap7gFjVdnnM+lt9CX0MW8t0I3Z+tnyymQF7FspUbMkK6HAH2IYM8c
         HpDZ3vTDhEHEfTi7Gx6+oBwLU3KK6c3D50OGV8JACfODoQ6FewkM5F7tNQ6I5U1yqfRP
         Sz0ef/6ZKXh+Mi+uKhkMIgjYBtUNEY9JxmBc3B80dcRSl5salolvhIhRoTEqjHYcRFgq
         2YqqWWvxSi3KyZCBdtRV2rOIi6o+i0CIXDuGT5t0fjpfUN0I50jbSpatHB8y08NxmuYt
         67Ll4yhng8mWgnZOYZe1FdcmFj/Fgd9VOE3JW0m4RuLWzWSbnpFUD7hTi2Qk7MZVQlQQ
         kPog==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=CM93PBOv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d10-v6si604283pls.660.2018.02.27.20.01.40;
        Tue, 27 Feb 2018 20:01:54 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=CM93PBOv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932145AbeB1D7d (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 27 Feb 2018 22:59:33 -0500
Received: from mail-pf0-f193.google.com ([209.85.192.193]:42014 "EHLO
        mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932088AbeB1D7a (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Feb 2018 22:59:30 -0500
Received: by mail-pf0-f193.google.com with SMTP id a16so504584pfn.9
        for <linux-kernel@vger.kernel.org>; Tue, 27 Feb 2018 19:59:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=maE1x+zHtUmA+lsl2Bxum/L+15vTg0UTcHBJ7wI7oeM=;
        b=CM93PBOvq9YTR78mUyTMRhpb0Ktj4IgHME1yNysliZ/Ihlc2LSpzL1bGbyuulv1Rla
         BsTENFh85LjhkRGPMI9q4yET9zW3A9DydSCcsJ1Ahycs2PIbmyLYr6PAkJ5NPgs9y3ox
         QNQAz9xNQ5ZVeDqdN3KJsPa3OddGIWXJRC+JI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=maE1x+zHtUmA+lsl2Bxum/L+15vTg0UTcHBJ7wI7oeM=;
        b=BDPU1OGAPwmtY4NmXhEBpaECIdg7eSrRfcefGlztJHx2//czVG7WHJivly3XWIC48p
         mL4oAAHGT1tcadJ+MvXy6ZWKK/lggEwHUTMw1/lfszY/6yEqQ58kkR/leKL14QFnu1jm
         kFEQgrN8GYNteW6pRk9KGczV0z0LEAmu6NFBDVEotWY5ThBss/h+sSHFzBKQk6p/zi6F
         9iIQKVEJBkPLI3OtnOQHEirzIbeFHTBB/N1SwVUfxmc3Oi72KY1HZfZFqahnKmYxsJpn
         cSwUrNZzGYiAW+2d/x5qc28y/iHf4qWrXFclHTj0Klwwg6qKknq4LemGZ7Zz8MI4SQRK
         j/6g==
X-Gm-Message-State: APf1xPB+VxNYAd1RtDqZOayZ6c7e2FeRk0e6V8vEW2QwNBYNSNHPKs8g
        tILKqCtpA3BSxBZ0p81dIzV4dg==
X-Received: by 10.98.67.78 with SMTP id q75mr16016208pfa.98.1519790370200;
        Tue, 27 Feb 2018 19:59:30 -0800 (PST)
Received: from localhost.localdomain (176.122.172.82.16clouds.com. [176.122.172.82])
        by smtp.gmail.com with ESMTPSA id q17sm739911pgt.7.2018.02.27.19.59.23
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 27 Feb 2018 19:59:29 -0800 (PST)
From:   Alex Shi <alex.shi@linaro.org>
To:     Marc Zyngier <marc.zyngier@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Catalin Marinas <catalin.marinas@arm.com>,
        stable@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        linux-kernel@vger.kernel.org
Cc:     Alex Shi <alex.shi@linaro.org>
Subject: [PATCH 16/29] arm64: use RET instruction for exiting the trampoline
Date:   Wed, 28 Feb 2018 11:56:38 +0800
Message-Id: <1519790211-16582-17-git-send-email-alex.shi@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1519790211-16582-1-git-send-email-alex.shi@linaro.org>
References: <1519790211-16582-1-git-send-email-alex.shi@linaro.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Will Deacon <will.deacon@arm.com>

commit be04a6d1126b upstream.

Speculation attacks against the entry trampoline can potentially resteer
the speculative instruction stream through the indirect branch and into
arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction
through the return stack: a dummy BL instruction loads an entry into
the stack, so that the predicted program flow of the subsequent RET
instruction is to a branch-to-self instruction which is finally resolved
as a branch to the kernel vectors with speculation suppressed.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org>
---
 arch/arm64/kernel/entry.S | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 996c605..c00921e 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -902,6 +902,14 @@ __ni_sys_trace:
 	.if	\regsize == 64
 	msr	tpidrro_el0, x30	// Restored in kernel_ventry
 	.endif
+	/*
+	 * Defend against branch aliasing attacks by pushing a dummy
+	 * entry onto the return stack and using a RET instruction to
+	 * enter the full-fat kernel vectors.
+	 */
+	bl	2f
+	b	.
+2:
 	tramp_map_kernel	x30
 #ifdef CONFIG_RANDOMIZE_BASE
 	adr	x30, tramp_vectors + PAGE_SIZE
@@ -913,7 +921,7 @@ __ni_sys_trace:
 	msr	vbar_el1, x30
 	add	x30, x30, #(1b - tramp_vectors)
 	isb
-	br	x30
+	ret
 	.endm
 
 	.macro tramp_exit, regsize = 64
-- 
2.7.4