| Message ID | 20200612044219.31606-1-f.fainelli@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [stable,4.9] arm64: entry: Place an SB sequence following an ERET instruction | expand |
On 6/11/20 9:42 PM, Florian Fainelli wrote: > From: Will Deacon <will.deacon@arm.com> > > commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream > > Some CPUs can speculate past an ERET instruction and potentially perform > speculative accesses to memory before processing the exception return. > Since the register state is often controlled by a lower privilege level > at the point of an ERET, this could potentially be used as part of a > side-channel attack. > > This patch emits an SB sequence after each ERET so that speculation is > held up on exception return. > > Signed-off-by: Will Deacon <will.deacon@arm.com> > [florian: Adjust hyp-entry.S to account for the label] > Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> > --- > Will, > > Can you confirm that for 4.9 these are the only places that require > patching? Thank you! Hi Will, Catalin, Does this look good to you for a 4.9 backport? I would like to see this included at some point since this pertains to CVE-2020-13844. Thanks!
On Tue, Jun 23, 2020 at 11:46:37AM -0700, Florian Fainelli wrote: > On 6/11/20 9:42 PM, Florian Fainelli wrote: > > From: Will Deacon <will.deacon@arm.com> > > > > commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream > > > > Some CPUs can speculate past an ERET instruction and potentially perform > > speculative accesses to memory before processing the exception return. > > Since the register state is often controlled by a lower privilege level > > at the point of an ERET, this could potentially be used as part of a > > side-channel attack. > > > > This patch emits an SB sequence after each ERET so that speculation is > > held up on exception return. > > > > Signed-off-by: Will Deacon <will.deacon@arm.com> > > [florian: Adjust hyp-entry.S to account for the label] > > Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> > > --- > > Will, > > > > Can you confirm that for 4.9 these are the only places that require > > patching? Thank you! > > Hi Will, Catalin, > > Does this look good to you for a 4.9 backport? I would like to see this > included at some point since this pertains to CVE-2020-13844. I think you're missing one of the ERET instructions in hyp/entry.S Will
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index ca978d7d98eb..3408c782702c 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -255,6 +255,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0 .else eret .endif + sb .endm .macro get_thread_info, rd @@ -945,6 +946,7 @@ __ni_sys_trace: mrs x30, far_el1 .endif eret + sb .endm .align 11 diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S index a360ac6e89e9..bc5c6cdb8538 100644 --- a/arch/arm64/kvm/hyp/entry.S +++ b/arch/arm64/kvm/hyp/entry.S @@ -83,6 +83,7 @@ ENTRY(__guest_enter) // Do not touch any register after this! eret + sb ENDPROC(__guest_enter) ENTRY(__guest_exit) diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S index bf4988f9dae8..3675e7f0ab72 100644 --- a/arch/arm64/kvm/hyp/hyp-entry.S +++ b/arch/arm64/kvm/hyp/hyp-entry.S @@ -97,6 +97,7 @@ el1_sync: // Guest trapped into EL2 do_el2_call 2: eret + sb el1_hvc_guest: /* @@ -147,6 +148,7 @@ wa_epilogue: mov x0, xzr add sp, sp, #16 eret + sb el1_trap: get_vcpu_ptr x1, x0 @@ -198,6 +200,7 @@ el2_error: b.ne __hyp_panic mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) eret + sb ENTRY(__hyp_do_panic) mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\ @@ -206,6 +209,7 @@ ENTRY(__hyp_do_panic) ldr lr, =panic msr elr_el2, lr eret + sb ENDPROC(__hyp_do_panic) ENTRY(__hyp_panic)