Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp4332429imm; Sat, 21 Jul 2018 16:38:36 -0700 (PDT) X-Google-Smtp-Source: AAOMgpe4NizXfZMC6Lw49XjXuytT0E3wqQsZcLl6eh/Qz7Q0koZ+qzWkOBV5IdIpRhAVU4Ctu+MP X-Received: by 2002:a17:902:6105:: with SMTP id t5-v6mr7390534plj.92.1532216316873; Sat, 21 Jul 2018 16:38:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532216316; cv=none; d=google.com; s=arc-20160816; b=H3IEggSmRPhWIWH7jsjXy7mH5maBW1bRea5Yo4tDfPK2VjWTkGsC2ypMUp+JI0Y1WB BYPPbRj5hzZl+LXlv6NgiFpUXIy/inZxSvF/znlIiLLX43wsQ+JPw2YV/079hw6Pv/lJ D8CyvpLn6cNgCs8VTwGL0P3d53oT8dkfs6nRWR7tKBtAfULLCremoQ/Mly9tyxlSxhW3 zbNf6l7zXjeqYHZoOU+ay59ncW7vvjJEfSU/9ULyTjYt/8NQSJO3qqZ1F+SGX17jzzKN oDUuySgiS00kcosJyKyExjHXJbJ7BR7a/IaifP+Iycg9DRe+TS5ZgKQvu/86+aOCrYCF pbkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=qhHCj96h8JZgQKcMUVDvns6GKQ0zr5/DZlkLIbqzt4s=; b=WrEruzwCnw/tSYAy18ls71Kx6vC86ppMQBcCKAKqmRSXJtPn6lA3va3/pAhh6JH03C 98ZxjDEuAUJK5mp6J1vflpxmuVM2zkNsmghi12YaiD+UPjdDYElMEBPas72apFuIR3U/ 45kmuzQuUKvyiTmqhLpgUQF/TkwusL3VtaxQ71j3NT/nZDp2S2KNLEZlej8gTWIDzalF wJW3axXKmrTslDDTvBUHDWGxR1GWz+PYU8KcT5Dvu4awE0rsXWDQG48LUu9po4mkLNSh y0YhgfCJGLMPcITMqzBzN1OkCCqvsccxOMN3b0uJzcZYfBDAzp3ojyuYalCXzXO4le9Q LEjg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@runbox.com header.s=rbselector1 header.b=OlmHjdIq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r3-v6si4727347pgo.606.2018.07.21.16.38.21; Sat, 21 Jul 2018 16:38:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@runbox.com header.s=rbselector1 header.b=OlmHjdIq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728253AbeGVAcC (ORCPT + 99 others); Sat, 21 Jul 2018 20:32:02 -0400 Received: from aibo.runbox.com ([91.220.196.211]:36910 "EHLO aibo.runbox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728130AbeGVAcC (ORCPT ); Sat, 21 Jul 2018 20:32:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=runbox.com; s=rbselector1; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:Cc:To:Subject; bh=qhHCj96h8JZgQKcMUVDvns6GKQ0zr5/DZlkLIbqzt4s=; b=OlmHjdIqsT6WS/+MdeBjaDKDXR UloUdO0L/7b47z8k1VoFwdUemEtq2IEiICME5PLPjLAG3DC8WO5MXJ1LDi7BBKns65B+L5qAIuKHq 8G10BWA7QbM5LWvpq5uAYzGzgxkA9okTmaKGjPX87cXadE4+CObM9s8MItiSLfC5FpvMk8pOUARmM NHbYx+NSTGGBbMiSm3h5ncVWC2Db4ROL4oQ62jA++PtjHMA0/mTgbygPD5SQ544ct41SDp8ldVJi/ IBEfRpb49itT2VxbgaZBKn1f48x3K79lLzBXdjDRLE5H/TO2387X55BZqN/UTIf640L84PA9L6J/B 4ooWEckA==; Received: from [10.9.9.211] (helo=mailfront11.runbox.com) by mailtransmit03.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1fh1R9-0007tc-9s; Sun, 22 Jul 2018 01:37:19 +0200 Received: by mailfront11.runbox.com with esmtpsa (uid:769847 ) (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.82) id 1fh1R1-0004SU-1q; Sun, 22 Jul 2018 01:37:11 +0200 Subject: Re: [PATCH 1/2] x86/entry/64: Do not clear %rbx under Xen To: Andy Lutomirski Cc: LKML , Dominik Brodowski , Ingo Molnar , "H. Peter Anvin" , Thomas Gleixner , Boris Ostrovsky , Juergen Gross , xen-devel@lists.xenproject.org, X86 ML , stable , Dan Williams , Andi Kleen References: <20180721194909.23903-1-m.v.b@runbox.com> From: "M. Vefa Bicakci" Message-ID: Date: Sat, 21 Jul 2018 19:37:05 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Language: en-CA Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 07/21/2018 07:30 PM, Andy Lutomirski wrote: > On Sat, Jul 21, 2018 at 4:19 PM, M. Vefa Bicakci wrote: >> On 07/21/2018 05:45 PM, Andy Lutomirski wrote: >>> >>> On Sat, Jul 21, 2018 at 12:49 PM, M. Vefa Bicakci >>> wrote: >>>> >>>> Commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for >>>> exceptions/interrupts, to reduce speculation attack surface") >>>> unintendedly >>>> broke Xen PV virtual machines by clearing the %rbx register at the end of >>>> xen_failsafe_callback before the latter jumps to error_exit. >>>> error_exit expects the %rbx register to be a flag indicating whether >>>> there should be a return to kernel mode. >>>> >>>> This commit makes sure that the %rbx register is not cleared by >>>> the PUSH_AND_CLEAR_REGS macro, when the macro in question is instantiated >>>> by xen_failsafe_callback, to avoid the issue. >>> >>> >>> Seems like a genuine problem, but: >>> >>>> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S >>>> index c7449f377a77..96e8ff34129e 100644 >>>> --- a/arch/x86/entry/entry_64.S >>>> +++ b/arch/x86/entry/entry_64.S >>>> @@ -1129,7 +1129,7 @@ ENTRY(xen_failsafe_callback) >>>> addq $0x30, %rsp >>>> UNWIND_HINT_IRET_REGS >>>> pushq $-1 /* orig_ax = -1 => not a system call */ >>>> - PUSH_AND_CLEAR_REGS >>>> + PUSH_AND_CLEAR_REGS clear_rbx=0 >>>> ENCODE_FRAME_POINTER >>>> jmp error_exit >>> >>> >>> The old code first set RBX to zero then, if frame pointers are on, >>> sets it to some special non-zero value, then crosses its fingers and >>> hopes for the best. Your patched code just skips the zeroing part, so >>> RBX either contains the ENCODE_FRAME_POINTER result or is >>> uninitialized. >>> >>> How about actually initializing rbx to something sensible like, say, 1? >> >> Hello Andy, >> >> Thank you for the review! Apparently, I have not done my homework fully. >> I will test your suggestion and report back, most likely in a few hours. >> >> I have been testing with the next/linux-next tree's master branch >> (dated 20180720), and I noticed that ENCODE_FRAME_POINTER changes the >> frame pointer (i.e., RBP) register, as opposed to the RBX register, >> which the patch aims to avoid changing before jumping to error_exit. >> It is possible that I am missing something though -- I am not sure about >> the connection between the RBP and RBX registers. > > Sorry, brain fart on my part. No problem! :-) >> The change introduced by commit 3ac6d8c787b8 is in the excerpt below. Would >> it >> be valid to state that the original code had the same issue that you >> referred >> to (i.e., leaving the RBX register uninitialized)? > > Presumably. > > I would propose a rather different fix: > > https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/pti&id=bb3d76b50c3bc78b67d79cf90d328f38a435c793 > > Any chance you could test that and see if it fixes your problem? Of course; I will report back with the result in a few hours.