From 9479630a09a7484c5b35a5c5eb89e6971d528d9e Mon Sep 17 00:00:00 2001
From: Julien Thierry <jthierry@redhat.com>
Date: Fri, 19 Jun 2020 08:13:25 +0100
Subject: [PATCH] x86/speculation: Prevent rogue cross-process SSBD shutdown
Kernels:
4.18.0-193.el8
4.18.0-193.1.2.el8_2
4.18.0-193.6.3.el8_2
Changes since last build:
arches: x86_64
process.o: changed function: __switch_to_xtra
process.o: changed function: speculation_ctrl_update
---------------------------
Modifications:
switch_to_cond_stibp jump label fix
commit e771c60266443edd15f3ebd0866a1ef6f070ebdc
Author: Waiman Long <longman@redhat.com>
Date: Thu Jun 18 13:40:39 2020 +0100
x86/speculation: Prevent rogue cross-process SSBD shutdown
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1847357
CVE: CVE-2020-10766
commit dbbe2ad02e9df26e372f38cc3e70dab9222c832e
Author: Anthony Steinhauser <asteinhauser@google.com>
Date: Sun, 5 Jan 2020 12:19:43 -0800
x86/speculation: Prevent rogue cross-process SSBD shutdown
On context switch the change of TIF_SSBD and TIF_SPEC_IB are evaluated
to adjust the mitigations accordingly. This is optimized to avoid the
expensive MSR write if not needed.
This optimization is buggy and allows an attacker to shutdown the SSBD
protection of a victim process.
The update logic reads the cached base value for the speculation control
MSR which has neither the SSBD nor the STIBP bit set. It then OR's the
SSBD bit only when TIF_SSBD is different and requests the MSR update.
That means if TIF_SSBD of the previous and next task are the same, then
the base value is not updated, even if TIF_SSBD is set. The MSR write is
not requested.
Subsequently if the TIF_STIBP bit differs then the STIBP bit is updated
in the base value and the MSR is written with a wrong SSBD value.
This was introduced when the per task/process conditional STIBP
switching was added on top of the existing SSBD switching.
It is exploitable if the attacker creates a process which enforces SSBD
and has the contrary value of STIBP than the victim process (i.e. if the
victim process enforces STIBP, the attacker process must not enforce it;
if the victim process does not enforce STIBP, the attacker process must
enforce it) and schedule it on the same core as the victim process. If
the victim runs after the attacker the victim becomes vulnerable to
Spectre V4.
To fix this, update the MSR value independent of the TIF_SSBD difference
and dependent on the SSBD mitigation method available. This ensures that
a subsequent STIPB initiated MSR write has the correct state of SSBD.
[ tglx: Handle X86_FEATURE_VIRT_SSBD & X86_FEATURE_VIRT_SSBD correctly
and massaged changelog ]
Fixes: 5bfbe3ad5840 ("x86/speculation: Prepare for per task indirect branch speculation control")
Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Julien Thierry <jthierry@redhat.com>
---
arch/x86/kernel/process.c | 30 +++++++++++-------------------
1 file changed, 11 insertions(+), 19 deletions(-)
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index e5c5b1d724ab..9410134a38a8 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -431,30 +431,22 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp,
lockdep_assert_irqs_disabled();
- /*
- * If TIF_SSBD is different, select the proper mitigation
- * method. Note that if SSBD mitigation is disabled or permanentely
- * enabled this branch can't be taken because nothing can set
- * TIF_SSBD.
- */
- if (tif_diff & _TIF_SSBD) {
- if (static_cpu_has(X86_FEATURE_VIRT_SSBD)) {
+ /* Handle change of TIF_SSBD depending on the mitigation method. */
+ if (static_cpu_has(X86_FEATURE_VIRT_SSBD)) {
+ if (tif_diff & _TIF_SSBD)
amd_set_ssb_virt_state(tifn);
- } else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
+ } else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
+ if (tif_diff & _TIF_SSBD)
amd_set_core_ssb_state(tifn);
- } else if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
- static_cpu_has(X86_FEATURE_AMD_SSBD)) {
- msr |= ssbd_tif_to_spec_ctrl(tifn);
- updmsr = true;
- }
+ } else if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
+ static_cpu_has(X86_FEATURE_AMD_SSBD)) {
+ updmsr |= !!(tif_diff & _TIF_SSBD);
+ msr |= ssbd_tif_to_spec_ctrl(tifn);
}
- /*
- * Only evaluate TIF_SPEC_IB if conditional STIBP is enabled,
- * otherwise avoid the MSR write.
- */
+ /* Only evaluate TIF_SPEC_IB if conditional STIBP is enabled. */
if (IS_ENABLED(CONFIG_SMP) &&
- static_branch_unlikely(&switch_to_cond_stibp)) {
+ static_key_enabled(&switch_to_cond_stibp)) {
updmsr |= !!(tif_diff & _TIF_SPEC_IB);
msr |= stibp_tif_to_spec_ctrl(tifn);
}
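Review bot: The new side swaps `static_branch_unlikely(&switch_to_cond_stibp)` for `static_key_enabled(&switch_to_cond_stibp)` in the STIBP check, which is not part of the upstream commit this hunk carries, and the only explanation is the header line "switch_to_cond_stibp jump label fix"; that reason belongs at the call site so the next reader does not have to re-derive it, e.g. `/* static_key_enabled(): read the key's state directly rather than via the jump-label branch (see "switch_to_cond_stibp jump label fix" in the patch header) */`, worded as an assumption until confirmed against the build notes. Separately, the new comment `/* Handle change of TIF_SSBD depending on the mitigation method. */` no longer states the property that closes CVE-2020-10766: in the SPEC_CTRL_SSBD/AMD_SSBD branch `msr |= ssbd_tif_to_spec_ctrl(tifn)` is now folded in on every switch, so a write requested only by a TIF_SPEC_IB change carries the correct SSBD bit, and I would extend the comment to say exactly that. __speculation_ctrl_update continues past the hunk, so the consumer of updmsr and msr is not visible here.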
--
2.21.3