Re: FAILED: patch "[PATCH] x86/nospec: Fix i386 RSB stuffing" failed to apply to 5.10-stable tree

On Tue, 2022-09-06 at 14:20 -0700, Pawan Gupta wrote:
> Hi Ben,
> 
> On Tue, Sep 06, 2022 at 07:07:57PM +0200, Ben Hutchings wrote:
> > On Tue, 2022-09-06 at 14:07 +0200, Greg KH wrote:
> > > On Fri, Sep 02, 2022 at 04:26:57PM +0200, Ben Hutchings wrote:
> > > > On Thu, 2022-09-01 at 11:43 +0200, Greg KH wrote:
> > > > > On Mon, Aug 29, 2022 at 04:04:58PM +0200, Ben Hutchings wrote:
> > > > > > On Mon, 2022-08-29 at 10:30 +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> > > > > > > The patch below does not apply to the 5.10-stable tree.
> > > > > > > If someone wants it applied there, or to any other stable or longterm
> > > > > > > tree, then please email the backport, including the original git commit
> > > > > > > id to <stable@xxxxxxxxxxxxxxx>.
> > > > > > > 
> > > > > > 
> > > > > > You need commit 4e3aa9238277 "x86/nospec: Unwreck the RSB stuffing"
> > > > > > before this one.  I've attached the backport of that for 5.10.  I
> > > > > > haven't checked the older branches.
> > > > > 
> > > > > Great, thanks, this worked.  But the backport did not apply to 4.19, so
> > > > > I will need that in order to take this one as well.
> > > > 
> > > > I've had a look at 5.4, and it's sufficiently different from upstream
> > > > that I don't see how to move forward.
> > > > 
> > > > However, I also found that the PBRSB mitigation seems broken, as commit
> > > > fc02735b14ff "KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS"
> > > > was not backported (and would be hard to add).
> > > > 
> > > > So, perhaps it would be best to revert the backports of:
> > > > 
> > > > 2b1299322016 x86/speculation: Add RSB VM Exit protections
> > > > ba6e31af2be9 x86/speculation: Add LFENCE to RSB fill sequence
> > > > 
> > > > in stable branches older than 5.10.
> > > 
> > > Why?  Is it because they do not work at all there, or are they causing
> > > problems?
> > 
> > - They both add unconditional LFENCE instructions, which are not
> > implemented on older 32-bit CPUs and will therefore result in a crash.
> 
> Backporting commit 332924973725 ("x86/nospec: Fix i386 RSB stuffing") should
> fix this?

That's where this thread started.  The problem is that it seems to
depend on a lot of other changes.

>   https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=332924973725e8cdcc783c175f68cf7e162cb9e5
> 
> > - The added mitigation, for PBRSB, requires removing any RET
> > instructions executed between VM exit and the RSB filling.  In these
> > older branches that hasn't been done, so the mitigation doesn't work.
> 
> I checked 4.19 and 5.4, I don't see any RET between VM-exit and RSB
> filling. Could you please point me to any specific instance you are
> seeing?

Yes, you're right.  The backported versions avoid this problem.  They
are quite different from the upstream commit - and I would have
appreciated some explanation of this in their commit messages.

So, let's try again to move forward.  I've attached a backport for 4.19
and 5.4 (only tested with the latter so far).

Ben.

-- 
Ben Hutchings
Hoare's Law of Large Problems:
   Inside every large problem is a small problem struggling to get out.
From e751e8a43c78e045a20819eb6b598039c3027449 Mon Sep 17 00:00:00 2001
From: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Date: Fri, 19 Aug 2022 13:01:35 +0200
Subject: [PATCH] x86/nospec: Fix i386 RSB stuffing

commit 332924973725e8cdcc783c175f68cf7e162cb9e5 upstream.

Turns out that i386 doesn't unconditionally have LFENCE, as such the
loop in __FILL_RETURN_BUFFER isn't actually speculation safe on such
chips.

Fixes: ba6e31af2be9 ("x86/speculation: Add LFENCE to RSB fill sequence")
Reported-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
Link: https://lkml.kernel.org/r/Yv9tj9vbQ9nNlXoY@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[bwh: Backported to 4.19/5.4:
 - __FILL_RETURN_BUFFER takes an sp parameter
 - Open-code __FILL_RETURN_SLOT]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
 arch/x86/include/asm/nospec-branch.h | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 1e5df3ccdd5c..a1ee1a760c3e 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -44,6 +44,7 @@
  * the optimal version — two calls, each with their own speculation
  * trap should their return address end up getting used, in a loop.
  */
+#ifdef CONFIG_X86_64
 #define __FILL_RETURN_BUFFER(reg, nr, sp)	\
 	mov	$(nr/2), reg;			\
 771:						\
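Review bot: the new `#ifdef CONFIG_X86_64` lands just below the comment block ending in `* the optimal version — two calls, each with their own speculation` / `* trap should their return address end up getting used, in a loop.`, so that comment now describes only the 64-bit definition while its placement still reads as documentation for the whole macro; either move the `#ifdef` above the comment or add a line to it stating that a loop-free i386 variant follows in the `#else` branch, so readers of 32-bit builds are not told the macro loops when it does not.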
@@ -64,6 +65,19 @@
 	add	$(BITS_PER_LONG/8) * nr, sp;	\
 	/* barrier for jnz misprediction */	\
 	lfence;
+#else
+/*
+ * i386 doesn't unconditionally have LFENCE, as such it can't
+ * do a loop.
+ */
+#define __FILL_RETURN_BUFFER(reg, nr, sp)	\
+	.rept nr;				\
+	call	772f;				\
+	int3;					\
+772:;						\
+	.endr;					\
+	add	$(BITS_PER_LONG/8) * nr, sp;
+#endif
 
 #define __ISSUE_UNBALANCED_RET_GUARD(sp)	\
 	call	881f;				\
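Review bot: the i386 definition drops the trailing barrier that the 64-bit path keeps (`/* barrier for jnz misprediction */` followed by `lfence;`), which is correct because the `.rept nr` expansion has no conditional branch left to mispredict, but the backport note `[bwh: Backported to 4.19/5.4: ...]` should say so explicitly, since the `Fixes:` tag names the commit that introduced that LFENCE and a reader may otherwise take the omission for an oversight. Two smaller points: `reg` is unused in the i386 variant (harmless, as the signature must match the 64-bit one, but a short comment would help), and `772:;` inside the `.rept` body only works because each expanded `call 772f` binds to the next forward definition of that numeric local label, which is worth noting in the comment above the macro.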
