x86/entry: Use retpoline for syscall's indirect calls

CVE-2017-5753 CVE-2017-5715 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 48ec0cfa6dac428470e30855e2d9751e00e2ba6c) Signed-off-by: Andy Whitcroft <apw@canonical.com>

x86/entry: Use retpoline for syscall's indirect calls
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 48ec0cfa6dac428470e30855e2d9751e00e2ba6c) Signed-off-by: Andy Whitcroft <apw@canonical.com>
f3fd3c0a · Tim Chen · Marcelo Henrique Cerri · 70df98e2 · f3fd3c0a
Commit f3fd3c0a authored Nov 08, 2017 by Tim Chen Committed by Marcelo Henrique Cerri Jan 12, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

arch/x86/entry/entry_64.S arch/x86/entry/entry_64.S +15 -1

No files found.
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -195,7 +195,21 @@ entry_SYSCALL_64_fastpath:
 #endif
 	ja	1f				/* return -ENOSYS (already in pt_regs->ax) */
 	movq	%r10, %rcx
-	call	*sys_call_table(, %rax, 8)
+
+	/*
+	 * This call instruction is handled specially in stub_ptregs_64.
+	 * It might end up jumping to the slow path.  If it jumps, RAX
+	 * and all argument registers are clobbered.
+	 */
+	movq	sys_call_table(, %rax, 8), %r10
+	jmp     1001f
+1004:	callq   1002f
+1003:	nop
+	jmp     1003b
+1002:	mov     %r10, (%rsp)
+	retq
+1001:	callq   1004b
+
 	movq	%rax, RAX(%rsp)
 1:
 /*