[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] backport of XSA-274 patch to 4.9.x kernel (could use a review)




> On Aug 7, 2018, at 11:49 AM, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> 
> wrote:
> 
>> On 08/07/2018 01:20 PM, George Dunlap wrote:
>>> On Mon, Aug 6, 2018 at 8:10 PM, Chris Brannon <cmb@xxxxxxxxx> wrote:
>>> I just got the following patch from a colleague.  It's a backport of
>>> the XSA 274 kernel patch to 4.9.x kernels.  The kernel patch given in
>>> the XSA would not apply cleanly.  Would someone mind reviewing it?  It
>>> would be much appreciated.
>>> 
>>> commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.
>>> 
>>> This version applies to v4.9.
>>> 
>>> error_entry and error_exit communicate the user vs kernel status of
>>> the frame using %ebx.  This is unnecessary -- the information is in
>>> regs->cs.  Just use regs->cs.
>>> 
>>> This makes error_entry simpler and makes error_exit more robust.
>>> 
>>> It also fixes a nasty bug.  Before all the Spectre nonsense, The
>>> xen_failsafe_callback entry point returned like this:
>>> 
>>>        ALLOC_PT_GPREGS_ON_STACK
>>>        SAVE_C_REGS
>>>        SAVE_EXTRA_REGS
>>>        ENCODE_FRAME_POINTER
>>>        jmp     error_exit
>>> 
>>> And it did not go through error_entry.  This was bogus: RBX
>>> contained garbage, and error_exit expected a flag in RBX.
>>> Fortunately, it generally contained *nonzero* garbage, so the
>>> correct code path was used.  As part of the Spectre fixes, code was
>>> added to clear RBX to mitigate certain speculation attacks.  Now,
>>> depending on kernel configuration, RBX got zeroed and, when running
>>> some Wine workloads, the kernel crashes.  This was introduced by:
>>> 
>>>    commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
>>>    exceptions/interrupts, to reduce speculation attack surface")
>>> 
>>> With this patch applied, RBX is no longer needed as a flag, and the
>>> problem goes away.
>>> 
>>> Cc: Brian Gerst <brgerst@xxxxxxxxx>
>>> Cc: Borislav Petkov <bp@xxxxxxxxx>
>>> Cc: Dominik Brodowski <linux@xxxxxxxxxxxxxxxxxxxx>
>>> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
>>> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
>>> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
>>> Cc: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
>>> Cc: Juergen Gross <jgross@xxxxxxxx>
>>> Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
>>> Cc: x86@xxxxxxxxxx
>>> Cc: stable@xxxxxxxxxxxxxxx
>>> Cc: Andy Lutomirski <luto@xxxxxxxxxx>
>>> Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for 
>>> exceptions/interrupts, to reduce speculation attack surface")
>>> Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@xxxxxxxxxx>
>>> Signed-off-by: Sarah Newman <srn@xxxxxxxxx>
>> I think you need to retain Andy's SoB, and add your own underneath.
>> 
>> This looks plausible to me -- Andy / Boris, any opinions?
> 
> 
> LGTM.
> 
> Note also that Andy's patch had slightly longer commit message
> (including some of the tags that you are missing), with this suggestion:
> 
>       [ Note to stable maintainers: this should probably get applied to all
>       kernels.  If you're nervous about that, a more conservative fix to
>       add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
>       also fix the problem. ]
> 

On further review, I don’t like that suggestion. What if the callback came from 
user code. It’s not supposed to happen on modern kernels, but I’m not sure I 
trust that. 

> 
> 
> 
> -boris
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.