From patchwork Wed Feb 28 03:56:38 2018
X-Patchwork-Submitter: Alex Shi
X-Patchwork-Id: 10246743
From: Alex Shi
To: Marc Zyngier, Will Deacon, Ard Biesheuvel, Catalin Marinas, stable@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH 16/29] arm64: use RET instruction for exiting the trampoline
Date: Wed, 28 Feb 2018 11:56:38 +0800
Message-Id: <1519790211-16582-17-git-send-email-alex.shi@linaro.org>
In-Reply-To: <1519790211-16582-1-git-send-email-alex.shi@linaro.org>
References: <1519790211-16582-1-git-send-email-alex.shi@linaro.org>
Cc: Alex Shi

From: Will Deacon

commit be04a6d1126b upstream.

Speculation attacks against the entry trampoline can potentially resteer
the speculative instruction stream through the indirect branch and into
arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction
through the return stack: a dummy BL instruction loads an entry into the
stack, so that the predicted program flow of the subsequent RET
instruction is to a branch-to-self instruction which is finally resolved
as a branch to the kernel vectors with speculation suppressed.

Signed-off-by: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Alex Shi
---
 arch/arm64/kernel/entry.S | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 996c605..c00921e 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -902,6 +902,14 @@ __ni_sys_trace: .if \regsize == 64 msr tpidrro_el0, x30 // Restored in kernel_ventry .endif + /* + * Defend against branch aliasing attacks by pushing a dummy + * entry onto the return stack and using a RET instruction to + * enter the full-fat kernel vectors. + */ + bl 2f + b . +2: tramp_map_kernel x30 #ifdef CONFIG_RANDOMIZE_BASE adr x30, tramp_vectors + PAGE_SIZE @@ -913,7 +921,7 @@ __ni_sys_trace: msr vbar_el1, x30 add x30, x30, #(1b - tramp_vectors) isb - br x30 + ret .endm .macro tramp_exit, regsize = 64
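Review bot: the new `bl 2f` in the first hunk overwrites x30, and the hunk is only correct because the `msr tpidrro_el0, x30` immediately above it (inside the `.if \regsize == 64` block) has already stashed the user's link register; the guard around that save implies x30 carries no user state on the compat path, which is why the `bl` can sit outside the `.if`. The comment block should state this dependency, since anyone who later reorders the save and the dummy call would silently corrupt user x30. It should also say that `b .` is never reached architecturally and must stay immediately after the `bl`: the return-stack entry pushed by `bl` is the address of the following instruction, so inserting anything between the two changes what the later RET is steered to. Suggested addition to the comment: `* x30 is already saved in tpidrro_el0 (or not live for compat tasks), so the dummy BL may clobber it; the B . that follows is the speculation sink and is never executed.`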
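Review bot: in the second hunk `ret` branches to x30, which has been rewritten since the dummy `bl 2f` (first by `tramp_map_kernel x30`, then by the loads of x30 that end with `add x30, x30, #(1b - tramp_vectors)`), so the architectural target is the kernel vector while the return-stack prediction is the `b .` sink; that mismatch is the whole mechanism, and a one-line comment above `ret` saying the predicted and actual targets are deliberately different would stop the next reader from "fixing" it back to `br x30`. The unchanged `isb` must stay where it is: the `msr vbar_el1, x30` has to take effect before the branch into the vectors. Finally, the commit message relies on RET being predicted from the return stack rather than the generic indirect predictor; that assumption is worth a sentence in the comment, because on a core that does not predict RET that way this change is no worse than the `br x30` it replaces, but also no better.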