| From fdf82a7856b32d905c39afc85e34364491e46346 Mon Sep 17 00:00:00 2001 |
| From: Jiri Kosina <jkosina@suse.cz> |
| Date: Thu, 26 Jul 2018 13:14:55 +0200 |
| Subject: x86/speculation: Protect against userspace-userspace spectreRSB |
| |
| From: Jiri Kosina <jkosina@suse.cz> |
| |
| commit fdf82a7856b32d905c39afc85e34364491e46346 upstream. |
| |
| The article "Spectre Returns! Speculation Attacks using the Return Stack |
| Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks, |
| making use solely of the RSB contents; they therefore work even on CPUs that |
| do not fall back to the BTB on RSB underflow (the Skylake+ behaviour). |
| |
| Mitigate userspace-userspace attacks by always unconditionally filling RSB on |
| context switch when the generic spectrev2 mitigation has been enabled. |
| |
| [1] https://arxiv.org/pdf/1807.07940.pdf |
| |
| Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
| Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
| Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com> |
| Acked-by: Tim Chen <tim.c.chen@linux.intel.com> |
| Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
| Cc: Borislav Petkov <bp@suse.de> |
| Cc: David Woodhouse <dwmw@amazon.co.uk> |
| Cc: Peter Zijlstra <peterz@infradead.org> |
| Cc: Linus Torvalds <torvalds@linux-foundation.org> |
| Cc: stable@vger.kernel.org |
| Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kernel/cpu/bugs.c | 38 +++++++------------------------------- |
| 1 file changed, 7 insertions(+), 31 deletions(-) |
| |
| --- a/arch/x86/kernel/cpu/bugs.c |
| +++ b/arch/x86/kernel/cpu/bugs.c |
| @@ -310,23 +310,6 @@ static enum spectre_v2_mitigation_cmd __ |
| return cmd; |
| } |
| |
| -/* Check for Skylake-like CPUs (for RSB handling) */ |
| -static bool __init is_skylake_era(void) |
| -{ |
| - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && |
| - boot_cpu_data.x86 == 6) { |
| - switch (boot_cpu_data.x86_model) { |
| - case INTEL_FAM6_SKYLAKE_MOBILE: |
| - case INTEL_FAM6_SKYLAKE_DESKTOP: |
| - case INTEL_FAM6_SKYLAKE_X: |
| - case INTEL_FAM6_KABYLAKE_MOBILE: |
| - case INTEL_FAM6_KABYLAKE_DESKTOP: |
| - return true; |
| - } |
| - } |
| - return false; |
| -} |
| - |
| static void __init spectre_v2_select_mitigation(void) |
| { |
| enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); |
| @@ -387,22 +370,15 @@ retpoline_auto: |
| pr_info("%s\n", spectre_v2_strings[mode]); |
| |
| /* |
| - * If neither SMEP nor PTI are available, there is a risk of |
| - * hitting userspace addresses in the RSB after a context switch |
| - * from a shallow call stack to a deeper one. To prevent this fill |
| - * the entire RSB, even when using IBRS. |
| + * If spectre v2 protection has been enabled, unconditionally fill |
| + * RSB during a context switch; this protects against two independent |
| + * issues: |
| * |
| - * Skylake era CPUs have a separate issue with *underflow* of the |
| - * RSB, when they will predict 'ret' targets from the generic BTB. |
| - * The proper mitigation for this is IBRS. If IBRS is not supported |
| - * or deactivated in favour of retpolines the RSB fill on context |
| - * switch is required. |
| + * - RSB underflow (and switch to BTB) on Skylake+ |
| + * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs |
| */ |
| - if ((!boot_cpu_has(X86_FEATURE_KAISER) && |
| - !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { |
| - setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); |
| - pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); |
| - } |
| + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); |
| + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); |
| |
| /* Initialize Indirect Branch Prediction Barrier if supported */ |
| if (boot_cpu_has(X86_FEATURE_IBPB)) { |
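Review bot: The rewritten comment at the top of this hunk lists only two reasons for the unconditional RSB fill and drops the third one the removed text documented — kernel `ret`s consuming userspace-placed RSB entries when neither SMEP nor PTI (`X86_FEATURE_KAISER` on this branch) is available — even though the unconditional fill still covers it, so a later reader could reintroduce a Skylake/SpectreRSB-only condition and silently lose that protection. I would keep a third bullet: ` * - userspace-controlled RSB entries hit by kernel 'ret's when neither` / ` *   SMEP nor PTI/KAISER is available (the former SMEP/PTI condition)`. The comment also says the fill is done "if spectre v2 protection has been enabled", but nothing in the hunk tests that; it appears to rely on the code before the `retpoline_auto:` label (outside the hunk) having already returned for the disabled case, which is worth stating so the bare `setup_force_cpu_cap()` is not read as mode-independent. spectre_v2_select_mitigation() starts before this hunk and continues after it.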