- 09 Feb, 2018 8 commits
-
-
Tim Chen authored
CVE-2017-5715 (Spectre v2 Intel) Clear IBRS when cpu is offlined and set it when brining it back online. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit ca09185cd600fc8e43a9bb5ddec61103039930b3) Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
Tim Chen authored
CVE-2017-5715 (Spectre v2 Intel) Clear IBRS on idle entry and set it on idle exit into kernel on mwait. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit c2a2a232b0553e32a7bfe198a40f377bd1ba016d) Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
Tim Chen authored
CVE-2017-5715 (Spectre v2 Intel) Set IBRS upon kernel entrance via syscall and interrupts. Clear it upon exit. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit bb6c1a01e82fb0eb14d1229fd71a99ed285d330d) Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
Tim Chen authored
CVE-2017-5715 (Spectre v2 Intel) Setup macros to control IBRS and IBPB Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 582c3ac1ea2fd287fca743f4e498e844a0e2b606) Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
Tim Chen authored
CVE-2017-5715 (Spectre v2 Intel) Report presence of IBPB and IBRS. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit e6941d30960ab43adfa0bbb446e73036bfb52842) Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
Tim Chen authored
CVE-2017-5715 (Spectre v2 Intel) cpuid ax=0x7, return rdx bit 26 to indicate presence of this feature IA32_SPEC_CTRL (0x48) and IA32_PRED_CMD (0x49) IA32_SPEC_CTRL, bit0 – Indirect Branch Restricted Speculation (IBRS) IA32_PRED_CMD, bit0 – Indirect Branch Prediction Barrier (IBPB) Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 40b5e1635733891442f6dab9181ffeb3dd26a8d7) Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5715 (Spectre v2 Intel) Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
Khalid Elmously authored
Ignore: yes Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
- 07 Feb, 2018 1 commit
-
-
Khalid Elmously authored
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-
- 06 Feb, 2018 1 commit
-
-
dann frazier authored
BugLink: https://bugs.launchpad.net/bugs/1743638Signed-off-by: dann frazier <dann.frazier@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
- 05 Feb, 2018 30 commits
-
-
Andy Whitcroft authored
CVE-2017-5753 (Spectre v1 Intel) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 (Spectre v1 Intel) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Martin Schwidefsky authored
CVE-2017-5753 (Spectre v1 Intel) Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 (Spectre v1 Intel) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 (Spectre v1 Intel) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the pos value in function m_start() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve map->extent, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the eahd->appAttrLocation value in function udf_add_extendedattr() seems to be controllable by userspace and later on conditionally (upon bound check) used in following memmove, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the index value in function mpls_route_input_rcu() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve platform_label, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the fd value in function __fcheck_files() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve fdt->fd, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the offset value in function raw6_getfrag() seems to be controllable by userspace and later on conditionally (upon bound check) used in the following memcpy, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the offset value in function raw_getfrag() seems to be controllable by userspace and later on conditionally (upon bound check) used in the following memcpy, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the trip value in function int340x_thermal_get_trip_temp() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve d->aux_trips, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the handle value in functions qlafx00_status_entry() and qlafx00_multistatus_entry() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve req->outstanding_cmds, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) Since the queue value in function carl9170_op_conf_tx() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve ar9170_qmap and following ar->edcf, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 (Spectre v1 Intel) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) When constant blinding is enabled (bpf_jit_harden = 1), this adds an observable speculation barrier before emitting x86 jitted code for the BPF_ALU(64)_OR_X and BPF_ALU_LHS_X (for BPF_REG_AX register) eBPF instructions. This is needed in order to prevent speculative execution on out of bounds BPF_MAP array indexes when JIT is enabled. This way an arbitary kernel memory is not exposed through side-channel attacks. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) This adds an observable speculation barrier before LD_IMM_DW and LDX_MEM_B/H/W/DW eBPF instructions during eBPF program execution in order to prevent speculative execution on out of bound BFP_MAP array indexes. This way an arbitary kernel memory is not exposed through side channel attacks. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) The new observable speculation barrier, osb(), ensures that any user observable speculation doesn't cross the boundary. Any user observable speculative activity on this CPU thread before this point either completes, reaches a state it can no longer cause an observable activity, or is aborted before instructions after the barrier execute. In x86 case, osb() resolves in lfence if X86_FEATURE_LFENCE_RDTSC is present. Other architectures can define their variants. Suggested-by: Arjan van de Ven <arjan@linux.intel.com> Suggested-by: Alan Cox <alan.cox@intel.com> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 (Spectre v1 Intel) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) With the switch to using LFENCE_RDTSC on AMD platforms there is no longer a need for the MFENCE_RDTSC feature. Remove its usage and definition. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 (Spectre v1 Intel) In order to reduce the impact of using MFENCE, make the execution of the LFENCE instruction serialized. This is done by setting bit 1 of MSR 0xc0011029 (DE_CFG). Some families that support LFENCE do not have this MSR. For these families, the LFENCE instruction is already serialized. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5715 (Spectre v2 retpoline) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5715 (Spectre v2 retpoline) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5715 (Spectre v2 retpoline) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andi Kleen authored
CVE-2017-5715 (Spectre v2 retpoline) commit 3f7d8755 upstream. The generated assembler for the C fill RSB inline asm operations has several issues: - The C code sets up the loop register, which is then immediately overwritten in __FILL_RETURN_BUFFER with the same value again. - The C code also passes in the iteration count in another register, which is not used at all. Remove these two unnecessary operations. Just rely on the single constant passed to the macro for the iterations. Signed-off-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: David Woodhouse <dwmw@amazon.co.uk> Cc: dave.hansen@intel.com Cc: gregkh@linuxfoundation.org Cc: torvalds@linux-foundation.org Cc: arjan@linux.intel.com Link: https://lkml.kernel.org/r/20180117225328.15414-1-andi@firstfloor.orgSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 838eee60741a910019fe55d8f1f5f7d4471d62fe) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Masami Hiramatsu authored
CVE-2017-5715 (Spectre v2 retpoline) commit c86a32c0 upstream. Since indirect jump instructions will be replaced by jump to __x86_indirect_thunk_*, those jmp instruction must be treated as an indirect jump. Since optprobe prohibits to optimize probes in the function which uses an indirect jump, it also needs to find out the function which jump to __x86_indirect_thunk_* and disable optimization. Add a check that the jump target address is between the __indirect_thunk_start/end when optimizing kprobe. Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: David Woodhouse <dwmw@amazon.co.uk> Cc: Andi Kleen <ak@linux.intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com> Cc: Arjan van de Ven <arjan@linux.intel.com> Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org> Link: https://lkml.kernel.org/r/151629212062.10241.6991266100233002273.stgit@devboxSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 74c818cb445d7148da34874ac45179f091c258ed) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Masami Hiramatsu authored
CVE-2017-5715 (Spectre v2 retpoline) commit c1804a23 upstream. Mark __x86_indirect_thunk_* functions as blacklist for kprobes because those functions can be called from anywhere in the kernel including blacklist functions of kprobes. Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: David Woodhouse <dwmw@amazon.co.uk> Cc: Andi Kleen <ak@linux.intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com> Cc: Arjan van de Ven <arjan@linux.intel.com> Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org> Link: https://lkml.kernel.org/r/151629209111.10241.5444852823378068683.stgit@devboxSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 813d0bf655b16a4efdd07360648b124b8c1a190e) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Masami Hiramatsu authored
CVE-2017-5715 (Spectre v2 retpoline) commit 736e80a4 upstream. Introduce start/end markers of __x86_indirect_thunk_* functions. To make it easy, consolidate .text.__x86.indirect_thunk.* sections to one .text.__x86.indirect_thunk section and put it in the end of kernel text section and adds __indirect_thunk_start/end so that other subsystem (e.g. kprobes) can identify it. Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: David Woodhouse <dwmw@amazon.co.uk> Cc: Andi Kleen <ak@linux.intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com> Cc: Arjan van de Ven <arjan@linux.intel.com> Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org> Link: https://lkml.kernel.org/r/151629206178.10241.6828804696410044771.stgit@devboxSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 036aa2c8445652058fc937cb7f651e1cdb35cb19) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Thomas Gleixner authored
CVE-2017-5715 (Spectre v2 retpoline) commit 6f41c34d upstream. The machine check idtentry uses an indirect branch directly from the low level code. This evades the speculation protection. Replace it by a direct call into C code and issue the indirect call there so the compiler can apply the proper speculation protection. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bp@alien8.de> Reviewed-by: David Woodhouse <dwmw@amazon.co.uk> Niced-by: Peter Zijlstra <peterz@infradead.org> Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801181626290.1847@nanosSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 64d0fe7072138d34d60b903edf597161ac3d05b9) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andi Kleen authored
CVE-2017-5715 (Spectre v2 retpoline) commit 6cfb521a upstream. Add a marker for retpoline to the module VERMAGIC. This catches the case when a non RETPOLINE compiled module gets loaded into a retpoline kernel, making it insecure. It doesn't handle the case when retpoline has been runtime disabled. Even in this case the match of the retcompile status will be enforced. This implies that even with retpoline run time disabled all modules loaded need to be recompiled. Signed-off-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: David Woodhouse <dwmw@amazon.co.uk> Cc: rusty@rustcorp.com.au Cc: arjan.van.de.ven@intel.com Cc: jeyu@kernel.org Cc: torvalds@linux-foundation.org Link: https://lkml.kernel.org/r/20180116205228.4890-1-andi@firstfloor.orgSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit d6da4d43f2ed167e632424b02e9672e410693ffd) Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-