Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp4328530imm; Sat, 21 Jul 2018 16:31:35 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdNfwemqUq6K1DXWiIcuvSptQGrNcHqBypo0Y8b8bdbdqDPLfprV45bG5rlYvSh0BSMQaMd X-Received: by 2002:a62:9dcc:: with SMTP id a73-v6mr7289384pfk.249.1532215895129; Sat, 21 Jul 2018 16:31:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532215895; cv=none; d=google.com; s=arc-20160816; b=gBKsjCbAT0Dg5aUTEceCQXCjQomPq8XElQdn42v3Uwz5/kWhYQP1f19D2+jhnutoxd k7vrl84nU/4rLKpGXIMa/cJoyBaAcTGLALve4ksDl3ldrRGxj9iL+TdN7R1wVhyf2yt7 ZOV+Rr0fu9FyvEOAwkGGiLsT7aG5xE45LAGIiQ2lYvsj2MTJ6Di2qWUQqtIBFSQhrQuH IKFuqFE0Bh9mgtEiV2FWtvqAEScs1Kq/r6b21QcwjPlNXsh+W0I8uXML1S2ld330B5ph XvJutyRQrfeZkkHAJFW/BbOoNc/WsZaInF58SqTfYVCIIpXwMlbijVmjjjdg4Gq9+VU8 xmMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=+tgw+ReGJIfQijxy+bBiW5oQv7dgHcdsk02z9jJ++ac=; b=0AHhY6tHTW9h8VrYfokEQc4YHEaPtZxV1P8HHgu9S/v22E/VPXWC1NWdekJssF/Hqh cVEa3ZzNjUUMT08Is4JN0eamEFQ/dg6KBKUd3PMCgkWa0f9a1SiyBiOxjap3DSEyxI30 G00OudloloXhO48P4oADYGQ+P6T17zJQSPLubsw6gVo2hC4tOiFk9YcjU/Y2UPD4yrBq Qi5mGmf2gGEG4ODc1ZWJy/DNj1Mp5spDgL+Y1H6R4wjw7VuDXEKtdSQhTqJnRtevsGAE PV9q5hiFOa+cQbgPeVELoJoaurcFfP1nA9rivEQUf5wPZHV/dF9SKytPXFOR9s+qJZ74 lauQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oO7ph1xd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j67-v6si5245440pfg.34.2018.07.21.16.31.20; Sat, 21 Jul 2018 16:31:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oO7ph1xd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728336AbeGVAY4 (ORCPT + 99 others); Sat, 21 Jul 2018 20:24:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:41810 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728149AbeGVAY4 (ORCPT ); Sat, 21 Jul 2018 20:24:56 -0400 Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3BB7320864 for ; Sat, 21 Jul 2018 23:30:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1532215826; bh=UDIoa9BbRnm2jxNS5PdV2KqOPMM1XVQ8Z1dAbLN7G+w=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=oO7ph1xdeimLdNBKmSJ6atWDg4qfd3Rts7UCRtHYXrBgZ9/mn8FRV+JxsL0tezIFp aGLQzd9owKxrLMa8/dVNKau6T60dx9Sm6d6ZSd+XAenMbKQMtkl1X8N/fIoukld34+ /jJbTuZ/PoIpGtS/IYHi7oSATP6g3Vm9GODDxLHY= Received: by mail-wr1-f47.google.com with SMTP id e7-v6so14412755wrs.9 for ; Sat, 21 Jul 2018 16:30:26 -0700 (PDT) X-Gm-Message-State: AOUpUlERKKUEUIaCtS0TGJFXJJ/1N9fD2RMQbdqvxk/i0ELLb+NePGeN x9YLPHnzhcX2ghKTiJ2cUnC05DxU+NjdsA9mD2ORRA== X-Received: by 2002:adf:81c3:: with SMTP id 61-v6mr4888278wra.120.1532215824794; Sat, 21 Jul 2018 16:30:24 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1c:d548:0:0:0:0:0 with HTTP; Sat, 21 Jul 2018 16:30:04 -0700 (PDT) In-Reply-To: References: <20180721194909.23903-1-m.v.b@runbox.com> From: Andy Lutomirski Date: Sat, 21 Jul 2018 16:30:04 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/2] x86/entry/64: Do not clear %rbx under Xen To: "M. Vefa Bicakci" Cc: Andy Lutomirski , LKML , Dominik Brodowski , Ingo Molnar , "H. Peter Anvin" , Thomas Gleixner , Boris Ostrovsky , Juergen Gross , xen-devel@lists.xenproject.org, X86 ML , stable , Dan Williams , Andi Kleen Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jul 21, 2018 at 4:19 PM, M. Vefa Bicakci wrote: > On 07/21/2018 05:45 PM, Andy Lutomirski wrote: >> >> On Sat, Jul 21, 2018 at 12:49 PM, M. Vefa Bicakci >> wrote: >>> >>> Commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for >>> exceptions/interrupts, to reduce speculation attack surface") >>> unintendedly >>> broke Xen PV virtual machines by clearing the %rbx register at the end of >>> xen_failsafe_callback before the latter jumps to error_exit. >>> error_exit expects the %rbx register to be a flag indicating whether >>> there should be a return to kernel mode. >>> >>> This commit makes sure that the %rbx register is not cleared by >>> the PUSH_AND_CLEAR_REGS macro, when the macro in question is instantiated >>> by xen_failsafe_callback, to avoid the issue. >> >> >> Seems like a genuine problem, but: >> >>> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S >>> index c7449f377a77..96e8ff34129e 100644 >>> --- a/arch/x86/entry/entry_64.S >>> +++ b/arch/x86/entry/entry_64.S >>> @@ -1129,7 +1129,7 @@ ENTRY(xen_failsafe_callback) >>> addq $0x30, %rsp >>> UNWIND_HINT_IRET_REGS >>> pushq $-1 /* orig_ax = -1 => not a system call */ >>> - PUSH_AND_CLEAR_REGS >>> + PUSH_AND_CLEAR_REGS clear_rbx=0 >>> ENCODE_FRAME_POINTER >>> jmp error_exit >> >> >> The old code first set RBX to zero then, if frame pointers are on, >> sets it to some special non-zero value, then crosses its fingers and >> hopes for the best. Your patched code just skips the zeroing part, so >> RBX either contains the ENCODE_FRAME_POINTER result or is >> uninitialized. >> >> How about actually initializing rbx to something sensible like, say, 1? > > > Hello Andy, > > Thank you for the review! Apparently, I have not done my homework fully. > I will test your suggestion and report back, most likely in a few hours. > > I have been testing with the next/linux-next tree's master branch > (dated 20180720), and I noticed that ENCODE_FRAME_POINTER changes the > frame pointer (i.e., RBP) register, as opposed to the RBX register, > which the patch aims to avoid changing before jumping to error_exit. > It is possible that I am missing something though -- I am not sure about > the connection between the RBP and RBX registers. Sorry, brain fart on my part. > > The change introduced by commit 3ac6d8c787b8 is in the excerpt below. Would > it > be valid to state that the original code had the same issue that you > referred > to (i.e., leaving the RBX register uninitialized)? Presumably. I would propose a rather different fix: https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/pti&id=bb3d76b50c3bc78b67d79cf90d328f38a435c793 Any chance you could test that and see if it fixes your problem?