[SRU][Trusty][PATCH] UBUNTU: SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"

Juerg Haefliger juerg.haefliger at canonical.com
Fri Jul 27 15:43:28 UTC 2018 

CVE-2017-5715 (Spectre v2 retpoline)

For whatever reason, our backport of "x86/retpoline/entry: Convert entry
assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it
should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a fuctional
difference for the Ubuntu kernel, fix it to be formally correct and
equivalent to upstream.

Also, the backport is incomplete (doesn't convert the indirect jumps
through the syscall table in ia32entry.S) and also introduces whitespaces
instead of tabs. Fix that too, to be in line with upstream stable 3.16 and
to prevent potential future conflicts when cherry picking patches that
modify these areas.

Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps")
Signed-off-by: Juerg Haefliger <juergh at canonical.com>
---
 arch/x86/ia32/ia32entry.S  | 18 +++++++++++++++++-
 arch/x86/kernel/entry_32.S |  6 +++---
 arch/x86/kernel/entry_64.S | 14 +++++++-------
 3 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index aedd4b526243..cc9fa083175d 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -20,6 +20,7 @@
 #include <asm/spec_ctrl.h>
 #include <linux/linkage.h>
 #include <linux/err.h>
+#include <asm/nospec-branch.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
 #include <linux/elf-em.h>
@@ -176,7 +177,12 @@ sysenter_flags_fixed:
 sysenter_do_call:
 	IA32_ARG_FIXUP
 sysenter_dispatch:
+#ifdef CONFIG_RETPOLINE
+	movq	ia32_sys_call_table(,%rax,8),%rax
+	call	__x86_indirect_thunk_rax
+#else
 	call	*ia32_sys_call_table(,%rax,8)
+#endif
 	movq	%rax,RAX-ARGOFFSET(%rsp)
 	DISABLE_INTERRUPTS(CLBR_NONE)
 	TRACE_IRQS_OFF
@@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target)
 cstar_do_call:
 	IA32_ARG_FIXUP 1
 cstar_dispatch:
+#ifdef CONFIG_RETPOLINE
+	movq ia32_sys_call_table(,%rax,8),%rax
+	call __x86_indirect_thunk_rax
+#else
 	call *ia32_sys_call_table(,%rax,8)
+#endif
 	movq %rax,RAX-ARGOFFSET(%rsp)
 	DISABLE_INTERRUPTS(CLBR_NONE)
 	TRACE_IRQS_OFF
@@ -458,7 +469,12 @@ ENTRY(ia32_syscall)
 	ja ia32_badsys
 ia32_do_call:
 	IA32_ARG_FIXUP
+#ifdef CONFIG_RETPOLINE
+	movq ia32_sys_call_table(,%rax,8),%rax
+	call __x86_indirect_thunk_rax
+#else
 	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
+#endif
 ia32_sysret:
 	movq %rax,RAX-ARGOFFSET(%rsp)
 ia32_ret_from_sys_call:
@@ -524,7 +540,7 @@ ia32_ptregs_common:
 	CFI_REL_OFFSET	rsp,RSP-ARGOFFSET
 /*	CFI_REL_OFFSET	ss,SS-ARGOFFSET*/
 	SAVE_REST
-	call *%rax
+	CALL_NOSPEC %rax
 	RESTORE_REST
 	jmp  ia32_sysret	/* misbalances the return cache */
 	CFI_ENDPROC
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index afab84e0e50e..a250f31c0093 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread)
 	pushl_cfi $0x0202		# Reset kernel eflags
 	popfl_cfi
 	movl PT_EBP(%esp),%eax
-	movl PT_EBX(%esp),%edx
+	movl	PT_EBX(%esp), %edx
 	CALL_NOSPEC %edx
 	movl $0,PT_EAX(%esp)
 	jmp syscall_exit
@@ -435,7 +435,7 @@ sysenter_do_call:
 	cmpl $(NR_syscalls), %eax
 	jae sysenter_badsys
 #ifdef CONFIG_RETPOLINE
-	movl sys_call_table(,%eax,4), %eax
+	movl sys_call_table(,%eax,4),%eax
 	call __x86_indirect_thunk_eax
 #else
 	call *sys_call_table(,%eax,4)
@@ -521,7 +521,7 @@ ENTRY(system_call)
 	jae syscall_badsys
 syscall_call:
 #ifdef CONFIG_RETPOLINE
-	movl sys_call_table(,%eax,4), %eax
+	movl sys_call_table(,%eax,4),%eax
 	call __x86_indirect_thunk_eax
 #else
 	call *sys_call_table(,%eax,4)
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 3b9377790eca..8cf5cfa4a8a2 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -61,8 +61,8 @@
 #include <asm/pgtable_types.h>
 #include <asm/kaiser.h>
 #include <asm/spec_ctrl.h>
-#include <linux/err.h>
 #include <asm/nospec-branch.h>
+#include <linux/err.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
 #include <linux/elf-em.h>
@@ -709,9 +709,9 @@ system_call_fastpath:
 #endif
 	ja badsys
 	movq %r10,%rcx
-#ifdef RETPOLINE
-	movq    sys_call_table(, %rax, 8), %rax
-	call    __x86_indirect_thunk_rax
+#ifdef CONFIG_RETPOLINE
+	movq	sys_call_table(, %rax, 8), %rax
+	call	__x86_indirect_thunk_rax
 #else
 	call *sys_call_table(,%rax,8)  # XXX:	 rip relative
 #endif
@@ -842,9 +842,9 @@ tracesys:
 #endif
 	ja   int_ret_from_sys_call	/* RAX(%rsp) set to -ENOSYS above */
 	movq %r10,%rcx	/* fixup for C */
-#ifdef RETPOLINE
-	movq    sys_call_table(, %rax, 8), %rax
-	call    __x86_indirect_thunk_rax
+#ifdef CONFIG_RETPOLINE
+	movq	sys_call_table(, %rax, 8), %rax
+	call	__x86_indirect_thunk_rax
 #else
 	call *sys_call_table(,%rax,8)
 #endif
-- 
2.17.1

More information about the kernel-team mailing list