Commit 70df98e2 authored by Tim Chen's avatar Tim Chen Committed by Marcelo Henrique Cerri

x86/syscall: Clear unused extra registers on 32-bit compatible syscall entrance

CVE-2017-5753
CVE-2017-5715

To prevent the unused registers %r8-%r15 from being used speculatively,
we clear them upon syscall entrance for code hygiene in 32-bit compatible
mode.
Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: default avatarAndy Whitcroft <apw@canonical.com>
(backported from commit 85910f3f9cd728acce9ef34a6df4f8bf8714d006)
Signed-off-by: default avatarAndy Whitcroft <apw@canonical.com>
parent 0f76330e
...@@ -195,6 +195,17 @@ For 32-bit we have the following conventions - kernel is built with ...@@ -195,6 +195,17 @@ For 32-bit we have the following conventions - kernel is built with
subq $-(15*8+\addskip), %rsp subq $-(15*8+\addskip), %rsp
.endm .endm
.macro CLEAR_R8_TO_R15
xorq %r15, %r15
xorq %r14, %r14
xorq %r13, %r13
xorq %r12, %r12
xorq %r11, %r11
xorq %r10, %r10
xorq %r9, %r9
xorq %r8, %r8
.endm
.macro CLEAR_EXTRA_REGS .macro CLEAR_EXTRA_REGS
xorq %r15, %r15 xorq %r15, %r15
xorq %r14, %r14 xorq %r14, %r14
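Review bot: The new CLEAR_R8_TO_R15 macro has no header comment stating why it exists or that it clobbers EFLAGS, so a reader cannot tell it apart from the adjacent CLEAR_EXTRA_REGS except by reading both bodies. Suggest a comment above `.macro CLEAR_R8_TO_R15` along the lines of `/* Zero r8-r15 on 32-bit compat syscall entry so stale user values cannot feed speculative execution (CVE-2017-5753 / CVE-2017-5715). Clobbers flags; intended to run after pt_regs has been pushed. */`. The two lines of CLEAR_EXTRA_REGS visible in the hunk (`xorq %r15, %r15`, `xorq %r14, %r14`) repeat the start of the new macro; if CLEAR_EXTRA_REGS simply continues down through the same registers, it could invoke CLEAR_R8_TO_R15 and clear only the remaining ones, leaving a single list to keep in sync — its body runs past the end of the hunk, so this is a guess.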
...@@ -103,6 +103,8 @@ ENTRY(entry_SYSENTER_compat) ...@@ -103,6 +103,8 @@ ENTRY(entry_SYSENTER_compat)
ENABLE_IBRS ENABLE_IBRS
STUFF_RSB STUFF_RSB
CLEAR_R8_TO_R15
/* /*
* Sysenter doesn't filter flags, so we need to clear NT * Sysenter doesn't filter flags, so we need to clear NT
* ourselves. To save a few cycles, we can check whether * ourselves. To save a few cycles, we can check whether
...@@ -196,10 +198,12 @@ ENTRY(entry_SYSCALL_compat) ...@@ -196,10 +198,12 @@ ENTRY(entry_SYSCALL_compat)
pushq %r8 /* pt_regs->r11 = 0 */ pushq %r8 /* pt_regs->r11 = 0 */
pushq %rbx /* pt_regs->rbx */ pushq %rbx /* pt_regs->rbx */
pushq %rbp /* pt_regs->rbp (will be overwritten) */ pushq %rbp /* pt_regs->rbp (will be overwritten) */
pushq %r8 /* pt_regs->r12 = 0 */ pushq %r12 /* pt_regs->r12 */
pushq %r8 /* pt_regs->r13 = 0 */ pushq %r13 /* pt_regs->r13 */
pushq %r8 /* pt_regs->r14 = 0 */ pushq %r14 /* pt_regs->r14 */
pushq %r8 /* pt_regs->r15 = 0 */ pushq %r15 /* pt_regs->r15 */
CLEAR_R8_TO_R15
ENABLE_IBRS ENABLE_IBRS
STUFF_RSB STUFF_RSB
...@@ -221,6 +225,11 @@ sysret32_from_system_call: ...@@ -221,6 +225,11 @@ sysret32_from_system_call:
TRACE_IRQS_ON /* User mode traces as IRQs on. */ TRACE_IRQS_ON /* User mode traces as IRQs on. */
DISABLE_IBRS DISABLE_IBRS
SWITCH_USER_CR3 SWITCH_USER_CR3
movq R15(%rsp), %r15 /* pt_regs->r15 */
movq R14(%rsp), %r14 /* pt_regs->r14 */
movq R13(%rsp), %r13 /* pt_regs->r13 */
movq R12(%rsp), %r12 /* pt_regs->r12 */
movq RBX(%rsp), %rbx /* pt_regs->rbx */ movq RBX(%rsp), %rbx /* pt_regs->rbx */
movq RBP(%rsp), %rbp /* pt_regs->rbp */ movq RBP(%rsp), %rbp /* pt_regs->rbp */
movq EFLAGS(%rsp), %r11 /* pt_regs->flags (in r11) */ movq EFLAGS(%rsp), %r11 /* pt_regs->flags (in r11) */
...@@ -316,6 +325,8 @@ ENTRY(entry_INT80_compat) ...@@ -316,6 +325,8 @@ ENTRY(entry_INT80_compat)
ENABLE_IBRS ENABLE_IBRS
STUFF_RSB STUFF_RSB
CLEAR_R8_TO_R15
/* /*
* User mode is traced as though IRQs are on, and the interrupt * User mode is traced as though IRQs are on, and the interrupt
* gate turned them off. * gate turned them off.
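Review bot: The CLEAR_R8_TO_R15 invocation at the end of the entry_SYSCALL_compat hunk relies on an ordering the code does not state: it must follow the `pushq %r12` … `pushq %r15` lines (those registers are now saved instead of zero-filled) and the last `pushq %r8` that uses %r8 as a zero source for `pt_regs->r11`, and it pairs with the new `movq R15(%rsp), %r15` … `movq R12(%rsp), %r12` restores in sysret32_from_system_call. A comment above the invocation would keep a later reordering from silently saving already-cleared registers, e.g. `/* r12-r15 are saved to pt_regs above and restored in sysret32_from_system_call; clear only after the pushes */`. The SYSENTER and INT80 hunks add the same macro without a corresponding push change; if those paths still zero-fill pt_regs->r12-r15 (their pushes are outside these hunks), the new restores in sysret32_from_system_call now hand zeros back on those paths, which looks intended but deserves a sentence in the commit message. The macro also clobbers EFLAGS, which appears harmless here only because the flags are already in pt_regs (`movq EFLAGS(%rsp), %r11`); each ENTRY body begins and ends outside its hunk.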