x86/syscall: Clear unused extra registers on 32-bit compatible syscall entrance

CVE-2017-5753 CVE-2017-5715 To prevent the unused registers %r8-%r15, from being used speculatively, we clear them upon syscall entrance for code hygiene in 32 bit compatible mode. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 85910f3f9cd728acce9ef34a6df4f8bf8714d006) Signed-off-by: Andy Whitcroft <apw@canonical.com>

x86/syscall: Clear unused extra registers on 32-bit compatible syscall entrance
CVE-2017-5753 CVE-2017-5715 To prevent the unused registers %r8-%r15, from being used speculatively, we clear them upon syscall entrance for code hygiene in 32 bit compatible mode. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 85910f3f9cd728acce9ef34a6df4f8bf8714d006) Signed-off-by: Andy Whitcroft <apw@canonical.com>
70df98e2 · Tim Chen · Marcelo Henrique Cerri · 0f76330e · 70df98e2 · 70df98e2
Commit 70df98e2 authored Sep 15, 2017 by Tim Chen Committed by Marcelo Henrique Cerri Jan 12, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 4 deletions

arch/x86/entry/calling.h arch/x86/entry/calling.h +11 -0

arch/x86/entry/entry_64_compat.S arch/x86/entry/entry_64_compat.S +15 -4

No files found.
--- a/arch/x86/entry/calling.h
+++ b/arch/x86/entry/calling.h
@@ -195,6 +195,17 @@ For 32-bit we have the following conventions - kernel is built with
 	subq $-(15*8+\addskip), %rsp
 	.endm

+	.macro CLEAR_R8_TO_R15
+	xorq %r15, %r15
+	xorq %r14, %r14
+	xorq %r13, %r13
+	xorq %r12, %r12
+	xorq %r11, %r11
+	xorq %r10, %r10
+	xorq %r9, %r9
+	xorq %r8, %r8
+	.endm
+
 	.macro CLEAR_EXTRA_REGS
 	xorq %r15, %r15
 	xorq %r14, %r14

--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -103,6 +103,8 @@ ENTRY(entry_SYSENTER_compat)
 	ENABLE_IBRS
 	STUFF_RSB

+	CLEAR_R8_TO_R15
+
 	/*
 	 * Sysenter doesn't filter flags, so we need to clear NT
 	 * ourselves.  To save a few cycles, we can check whether
@@ -196,10 +198,12 @@ ENTRY(entry_SYSCALL_compat)
 	pushq   %r8                     /* pt_regs->r11 = 0 */
 	pushq   %rbx                    /* pt_regs->rbx */
 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
-	pushq   %r8                     /* pt_regs->r12 = 0 */
-	pushq   %r8                     /* pt_regs->r13 = 0 */
-	pushq   %r8                     /* pt_regs->r14 = 0 */
-	pushq   %r8                     /* pt_regs->r15 = 0 */
+	pushq   %r12                    /* pt_regs->r12 */
+	pushq   %r13                    /* pt_regs->r13 */
+	pushq   %r14                    /* pt_regs->r14 */
+	pushq   %r15                    /* pt_regs->r15 */
+
+	CLEAR_R8_TO_R15

 	ENABLE_IBRS
 	STUFF_RSB
@@ -221,6 +225,11 @@ sysret32_from_system_call:
 	TRACE_IRQS_ON			/* User mode traces as IRQs on. */
 	DISABLE_IBRS
 	SWITCH_USER_CR3
+
+	movq    R15(%rsp), %r15         /* pt_regs->r15 */
+	movq    R14(%rsp), %r14         /* pt_regs->r14 */
+	movq    R13(%rsp), %r13         /* pt_regs->r13 */
+	movq    R12(%rsp), %r12         /* pt_regs->r12 */
 	movq	RBX(%rsp), %rbx		/* pt_regs->rbx */
 	movq	RBP(%rsp), %rbp		/* pt_regs->rbp */
 	movq	EFLAGS(%rsp), %r11	/* pt_regs->flags (in r11) */
@@ -316,6 +325,8 @@ ENTRY(entry_INT80_compat)
 	ENABLE_IBRS
 	STUFF_RSB

+	CLEAR_R8_TO_R15
+
 	/*
 	 * User mode is traced as though IRQs are on, and the interrupt
 	 * gate turned them off.