From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jan Beulich, Linus Torvalds, Dan Williams, Thomas Gleixner, linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, Andy Lutomirski, alan@linux.intel.com, Jinpu Wang, Jiri Slaby
Subject: [PATCH 4.4 11/36] x86/syscall: Sanitize syscall table de-references under speculation fix
Date: Fri, 9 Mar 2018 16:18:27 -0800
Message-Id: <20180310001807.821338686@linuxfoundation.org>
In-Reply-To: <20180310001807.213987241@linuxfoundation.org>
References: <20180310001807.213987241@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Jiri Slaby

In 4.4.118, we have commit c8961332d6da (x86/syscall: Sanitize syscall table de-references under speculation), which is a backport of upstream commit 2fbd7af5af86. But it fixed only the C part of the upstream patch -- the IA32 sysentry. So it omitted completely the assembly part -- the 64-bit sysentry.

Fix that in this patch by explicit array_index_mask_nospec written in assembly. The same was used in lib/getuser.S.

However, to have "sbb" working properly, we have to switch from "cmp" against (NR_syscalls-1) to (NR_syscalls), otherwise the last syscall number would be "and"ed by 0. It is because the original "ja" relies on "CF" or "ZF", but we rely only on "CF" in "sbb". That means: switch to "jae" conditional jump too.

Final note: use rcx for mask as this is exactly what is overwritten by the 4th syscall argument (r10) right after.

Reported-by: Jan Beulich
Cc: Linus Torvalds
Cc: Dan Williams
Cc: Thomas Gleixner
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Andy Lutomirski
Cc: alan@linux.intel.com
Cc: Jinpu Wang
Signed-off-by: Jiri Slaby
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/entry/entry_64.S | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -178,12 +178,14 @@ GLOBAL(entry_SYSCALL_64_after_swapgs) jnz tracesys entry_SYSCALL_64_fastpath: #if __SYSCALL_MASK == ~0 - cmpq $__NR_syscall_max, %rax + cmpq $NR_syscalls, %rax #else andl $__SYSCALL_MASK, %eax - cmpl $__NR_syscall_max, %eax + cmpl $NR_syscalls, %eax #endif - ja 1f /* return -ENOSYS (already in pt_regs->ax) */ + jae 1f /* return -ENOSYS (already in pt_regs->ax) */ + sbb %rcx, %rcx /* array_index_mask_nospec() */ + and %rcx, %rax movq %r10, %rcx #ifdef CONFIG_RETPOLINE movq sys_call_table(, %rax, 8), %rax 
@@ -276,12 +278,14 @@ tracesys_phase2: RESTORE_C_REGS_EXCEPT_RAX RESTORE_EXTRA_REGS #if __SYSCALL_MASK == ~0 - cmpq $__NR_syscall_max, %rax + cmpq $NR_syscalls, %rax #else andl $__SYSCALL_MASK, %eax - cmpl $__NR_syscall_max, %eax + cmpl $NR_syscalls, %eax #endif - ja 1f /* return -ENOSYS (already in pt_regs->ax) */ + jae 1f /* return -ENOSYS (already in pt_regs->ax) */ + sbb %rcx, %rcx /* array_index_mask_nospec() */ + and %rcx, %rax movq %r10, %rcx /* fixup for C */ #ifdef CONFIG_RETPOLINE movq sys_call_table(, %rax, 8), %rax
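Review bot: in the entry_SYSCALL_64_fastpath hunk the `sbb %rcx, %rcx` is only correct because the flags are still those of the `cmpq`/`cmpl` directly above it (`jae` does not write flags) and because `%rcx` is dead at that point; the second fact lives only in the commit message ("use rcx for mask as this is exactly what is overwritten by the 4th syscall argument"). Suggest putting it in the inline comment so it survives a later reordering, e.g. `sbb %rcx, %rcx /* array_index_mask_nospec(); %rcx reloaded from %r10 below */`. It would also help to state that on the mispredicted path CF is 0, so the mask is 0 and the speculative `movq sys_call_table(, %rax, 8), %rax` reads entry 0 instead of an attacker-chosen offset.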
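Review bot: the tracesys_phase2 hunk repeats the compare/`jae`/`sbb`/`and` sequence of the fastpath hunk verbatim, including the `NR_syscalls` bound; a small assembler macro, in the style of the `RESTORE_C_REGS_EXCEPT_RAX`/`RESTORE_EXTRA_REGS` macros invoked two lines above, would keep the two copies from drifting apart. Two things to confirm for this path: the `sbb` clobbers `%rcx` right after `RESTORE_C_REGS_EXCEPT_RAX` has restored it from pt_regs, which is safe only because `movq %r10, %rcx /* fixup for C */` follows, and the `#else` branch compares with `cmpl` on `%eax` but masks with a 64-bit `and %rcx, %rax`, which is fine only because the preceding `andl $__SYSCALL_MASK, %eax` zero-extends into `%rax`. Both deserve a one-line comment rather than a re-derivation by the next reader.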
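The off-by-one argued in the commit message (why the compare operand has to move from __NR_syscall_max to NR_syscalls once `ja` becomes `jae` plus `sbb`), modelled in userspace C. This is an added example, not code from the patch or from the kernel tree: DEMO_NR_SYSCALLS is a constructed table size, and cmp_sbb_mask, masked_index, rejected_old, rejected_new and guards_agree are names chosen for the demo. On x86-64 the mask is computed with the real cmp/sbb pair in the same form as the kernel's inline-asm array_index_mask_nospec(); other targets use the equivalent arithmetic.

```c
/*
 * Added example (not part of the patch or the kernel tree): model the
 * cmp / jae / sbb / and sequence from the hunks above and show why the
 * compare operand had to change from __NR_syscall_max (NR_syscalls - 1)
 * to NR_syscalls.
 *
 * Build: cc -O2 -Wall -o nospec_demo nospec_demo.c
 */
#include <stdio.h>

/* Constructed table size for the demo; in the kernel NR_syscalls is
 * generated from the syscall table and __NR_syscall_max == NR_syscalls - 1. */
#define DEMO_NR_SYSCALLS 4UL

/*
 * "cmp bound, idx ; sbb mask, mask": cmp computes idx - bound, so CF is
 * set iff idx < bound (unsigned); sbb of a register with itself yields
 * 0 - CF, i.e. ~0 when the index is in range and 0 otherwise.
 */
static inline unsigned long cmp_sbb_mask(unsigned long idx, unsigned long bound)
{
#if defined(__x86_64__)
	unsigned long mask;
	__asm__ ("cmp %1, %2\n\t"
		 "sbb %0, %0"
		 : "=r" (mask)
		 : "g" (bound), "r" (idx)
		 : "cc");
	return mask;
#else
	/* Same result without the instructions, for non-x86-64 builds. */
	return 0UL - (unsigned long)(idx < bound);
#endif
}

/* The "and %rcx, %rax" step: the index the table load actually uses. */
static unsigned long masked_index(unsigned long idx, unsigned long bound)
{
	return idx & cmp_sbb_mask(idx, bound);
}

/* Old guard: "cmp $__NR_syscall_max ; ja 1f" rejects idx > max
 * (ja needs CF=0 and ZF=0). */
static int rejected_old(unsigned long idx)
{
	return idx > DEMO_NR_SYSCALLS - 1;
}

/* New guard: "cmp $NR_syscalls ; jae 1f" rejects idx >= NR_syscalls
 * (jae needs only CF=0, the same flag sbb consumes). */
static int rejected_new(unsigned long idx)
{
	return idx >= DEMO_NR_SYSCALLS;
}

/* Both guards must reject exactly the same syscall numbers, including
 * the huge unsigned values a negative rax turns into. */
static int guards_agree(void)
{
	static const unsigned long probes[] = {
		0, 1, DEMO_NR_SYSCALLS - 1, DEMO_NR_SYSCALLS,
		DEMO_NR_SYSCALLS + 1, ~0UL >> 1, ~0UL
	};
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		if (rejected_old(probes[i]) != rejected_new(probes[i]))
			return 0;
	return 1;
}

int main(void)
{
	unsigned long idx;

	printf("idx  reject  masked(bound=max)  masked(bound=NR)\n");
	for (idx = 0; idx <= DEMO_NR_SYSCALLS + 1; idx++)
		printf("%3lu  %6d  %17lu  %16lu\n", idx, rejected_new(idx),
		       masked_index(idx, DEMO_NR_SYSCALLS - 1),
		       masked_index(idx, DEMO_NR_SYSCALLS));
	return 0;
}
```

The bound=max column shows the last valid syscall number (3 here) being masked to 0, which is the bug the commit message describes; with bound=NR every in-range number passes through unchanged, while every out-of-range value, including the one a mispredicted `jae` would let through speculatively, collapses to index 0, an entry that is always inside the table.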