[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.19] x86/thunk: (Mis)align __x86_indirect_thunk_* to mitigate ITS

commit 545eba29ac798305e2c5cb1fe5112771b6890907
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Mon Apr 7 17:15:50 2025 +0200
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Mon May 12 17:29:13 2025 +0100

    x86/thunk: (Mis)align __x86_indirect_thunk_* to mitigate ITS
    
    The Indirect Target Selection speculative vulnerability means that indirect
    branches (including RETs) are unsafe when in the first half of a cacheline.
    
    Arrange for __x86_indirect_thunk_* to always be in the second half.
    
    This is part of XSA-469 / CVE-2024-28956
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit d293cc9da9021a51915e058acd1f05e83a462aa9)
---
 xen/arch/x86/indirect-thunk.S | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/xen/arch/x86/indirect-thunk.S b/xen/arch/x86/indirect-thunk.S
index fd5493c22b..c4b978d67b 100644
--- a/xen/arch/x86/indirect-thunk.S
+++ b/xen/arch/x86/indirect-thunk.S
@@ -11,6 +11,10 @@
 
 #include <asm/asm_defns.h>
 
+/* Alignment is dealt with explicitly here; override the respective macro. */
+#undef SYM_ALIGN
+#define SYM_ALIGN(align...)
+
 .macro IND_THUNK_RETPOLINE reg:req
         call 1f
         int3
@@ -35,6 +39,16 @@
 .macro GEN_INDIRECT_THUNK reg:req
         .section .text.__x86_indirect_thunk_\reg, "ax", @progbits
 
+        /*
+         * The Indirect Target Selection speculative vulnerability means that
+         * indirect branches (including RETs) are unsafe when in the first
+         * half of a cacheline.  Arrange for them to be in the second half.
+         *
+         * Align to 64, then skip 32.
+         */
+        .balign 64
+        .fill 32, 1, 0xcc
+
 FUNC(__x86_indirect_thunk_\reg)
         ALTERNATIVE_2 __stringify(IND_THUNK_RETPOLINE \reg),              \
         __stringify(IND_THUNK_LFENCE \reg), X86_FEATURE_IND_THUNK_LFENCE, \
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.19

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.