Received: by 10.213.65.68 with SMTP id h4csp710624imn; Fri, 6 Apr 2018 07:39:43 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/JJy+bgv4+xc/xzwzgdFZjZAJplqi5IkfvEPU6UhONYCSQF/U2hrsssEG5d6nXQQxlCbY2 X-Received: by 10.101.98.87 with SMTP id q23mr13545730pgv.429.1523025583589; Fri, 06 Apr 2018 07:39:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523025583; cv=none; d=google.com; s=arc-20160816; b=uFbM0gvC8i5I9MycHAeguNCvKQ1JHfrzpQsjsvdZLR24Wdp9xyezeImMVmWPYpuPAX XHpt7dVI5l7L9zVeyHX1UIhR5VC4PfcXPitcLmt+fjDPujz0FyQ3b6VjiGbScpMpWS48 blPNsDVgQWo/FIPv26kbRp5LueKr4DT9i9A+JTzQm8zT6i/Y/o3HkhPcuJKJulK0e7uu LJ+P358W52f5NQAcIm8NGRGMkUp6+e+H75nhH4CzljC46GWBdWqnVLt9rJmzsm3w9RdF uUQ2HvUZ2Gj8Bq4cJM4nDyujndXQDox6emy2THm2rGeGXYiC25qyxAWHWp4SBYucLTDp qGeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=aPhHGnB1uci2pEc6+P2WqnZLPedDrNVRvgnv7s/030M=; b=0fYmDoO4ZPSgSt2R01hgrP23hy7X4JcyF0PmKq0A87a9hzgacw2IgV2SJbwL/YQ6bX Zk7O19/VUwXQFIYrD8dapFulg3P289L9bCUueF5DjNYHRfXpsOI1RvzJ4KRT8X/lMcOP r8iwoAEUhIkwwO9l33R0yByYRKnxM/0XiaX/xllw6TBFe/Ba18ZWT7vLquPV6oE+otag P2jthMvuiaBEX2yoIOzwfltWhPRi0+kK1ZWKZGSu5Inyt/eLvulY/2PbsT/woZLsCSXr PaYJdWDMxVMGBaTwBcI4ClYjwaFG8YHUUvJRWNz9q/vGkJBOqubnQpsyOK64sOWlqU9r B/WQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a6-v6si9933524pln.632.2018.04.06.07.39.29; Fri, 06 Apr 2018 07:39:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932093AbeDFOhq (ORCPT + 99 others); Fri, 6 Apr 2018 10:37:46 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:58716 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753645AbeDFNfS (ORCPT ); Fri, 6 Apr 2018 09:35:18 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 7D2A6DCB; Fri, 6 Apr 2018 13:35:17 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Will Deacon , Catalin Marinas , Greg Hackmann , Alex Shi , Mark Rutland Subject: [PATCH 4.9 064/102] arm64: use RET instruction for exiting the trampoline Date: Fri, 6 Apr 2018 15:23:45 +0200 Message-Id: <20180406084340.553370699@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180406084331.507038179@linuxfoundation.org> References: <20180406084331.507038179@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Will Deacon commit be04a6d1126b upstream. Speculation attacks against the entry trampoline can potentially resteer the speculative instruction stream through the indirect branch and into arbitrary gadgets within the kernel. This patch defends against these attacks by forcing a misprediction through the return stack: a dummy BL instruction loads an entry into the stack, so that the predicted program flow of the subsequent RET instruction is to a branch-to-self instruction which is finally resolved as a branch to the kernel vectors with speculation suppressed. Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Alex Shi [v4.9 backport] Signed-off-by: Mark Rutland [v4.9 backport] Tested-by: Will Deacon Tested-by: Greg Hackmann Signed-off-by: Greg Kroah-Hartman --- arch/arm64/kernel/entry.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -880,6 +880,14 @@ __ni_sys_trace: .if \regsize == 64 msr tpidrro_el0, x30 // Restored in kernel_ventry .endif + /* + * Defend against branch aliasing attacks by pushing a dummy + * entry onto the return stack and using a RET instruction to + * enter the full-fat kernel vectors. + */ + bl 2f + b . +2: tramp_map_kernel x30 #ifdef CONFIG_RANDOMIZE_BASE adr x30, tramp_vectors + PAGE_SIZE @@ -892,7 +900,7 @@ __ni_sys_trace: msr vbar_el1, x30 add x30, x30, #(1b - tramp_vectors) isb - br x30 + ret .endm .macro tramp_exit, regsize = 64