Revert "x86, bpf, jit: prevent speculative execution when JIT is enabled"

CVE-2017-5753 (revert embargoed) CVE-2017-5715 (revert embargoed) This reverts commit 87f0ff16. Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Revert "x86, bpf, jit: prevent speculative execution when JIT is enabled"
CVE-2017-5753 (revert embargoed) CVE-2017-5715 (revert embargoed) This reverts commit 87f0ff16. Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
543389c8 · Andy Whitcroft · Kleber Sacilotto de Souza · e65a01ee · 543389c8
Commit 543389c8 authored Jan 31, 2018 by Andy Whitcroft Committed by Kleber Sacilotto de Souza Feb 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 32 deletions

arch/x86/net/bpf_jit_comp.c arch/x86/net/bpf_jit_comp.c +1 -32

No files found.
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -106,27 +106,6 @@ static void bpf_flush_icache(void *start, void *end)
 	set_fs(old_fs);
 }
-static void emit_memory_barrier(u8 **pprog)
-{
-	u8 *prog = *pprog;
-	int cnt = 0;
-	if (bpf_jit_blinding_enabled()) {
-		if (boot_cpu_has(X86_FEATURE_LFENCE_RDTSC))
-			/* x86 LFENCE opcode 0F AE E8 */
-			EMIT3(0x0f, 0xae, 0xe8);
-		else if (boot_cpu_has(X86_FEATURE_MFENCE_RDTSC))
-			/* AMD MFENCE opcode 0F AE F0 */
-			EMIT3(0x0f, 0xae, 0xf0);
-		else
-			/* we should never end up here,
-			 * but if we do, better not to emit anything*/
-			return;
-	}
-	*pprog = prog;
-	return;
-}
 #define CHOOSE_LOAD_FUNC(K, func) \
 	((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
@@ -400,7 +379,7 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
 			case BPF_ADD: b2 = 0x01; break;
 			case BPF_SUB: b2 = 0x29; break;
 			case BPF_AND: b2 = 0x21; break;
-			case BPF_OR: b2 = 0x09; emit_memory_barrier(&prog); break;
+			case BPF_OR: b2 = 0x09; break;
 			case BPF_XOR: b2 = 0x31; break;
 			}
 			if (BPF_CLASS(insn->code) == BPF_ALU64)
@@ -628,16 +607,6 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
 		case BPF_ALU64 | BPF_RSH | BPF_X:
 		case BPF_ALU64 | BPF_ARSH | BPF_X:
-			/* If blinding is enabled, each
-			 * BPF_LD | BPF_IMM | BPF_DW instruction
-			 * is converted to 4 eBPF instructions with
-			 * BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32)
-			 * always present(number 3). Detect such cases
-			 * and insert memory barriers. */
-			if ((BPF_CLASS(insn->code) == BPF_ALU64)
-				&& (BPF_OP(insn->code) == BPF_LSH)
-				&& (src_reg == BPF_REG_AX))
-				emit_memory_barrier(&prog);
 			/* check for bad case when dst_reg == rcx */
 			if (dst_reg == BPF_REG_4) {
 				/* mov r11, dst_reg */