[SRU][Focal][PATCH 00/11] CVE-2024-2201

Yuxuan Luo yuxuan.luo at canonical.com
Wed Apr 17 23:53:50 UTC 2024


[Impact]
Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
obtain kernel memory information without the help of unprivileged eBPF,
contradicting the previous belief that unprivileged eBPF is the only real-world
source of such an attack. This vulnerability affects KVM as well.

[Backport]
[1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs
file”)
- Since the prerequisite commit 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”)
  would introduce more conflicts yet only resolves a printing-function
  conflict, ',' is substituted with ';' manually instead.

[2/8] 1e3ad78334a6 (“x86/syscall: Don't force use of indirect calls for system
calls”)
- (Details in the patch)

[3/8] 7390db8aea0d (“x86/bhi: Add support for clearing branch history at syscall
entry”)
- Pick the stable/5.15.y backport; since be5341eb0d43 (“x86/entry: Convert INT
  0x80 emulation to IDTENTRY”) is not in the tree, the changes made to common.h
  are discarded.
- For entry_64.S, because bc7b11c04ee9 (“x86/asm/64: Change all ENTRY+END to
  SYM_CODE_*”) is not in the tree, substitute SYM_FUNC_START/SYM_FUNC_END with
  ENTRY/END.
- A dependency issue occurs because ANNOTATE_INTRA_FUNCTION_CALL is not defined
  and STACK_FRAME_NON_STANDARD has no assembly version; the following dependent
  commits should be backported:
  - 081df94301e3 (“objtool: Add asm version of STACK_FRAME_NON_STANDARD”)
    - introduces the needed asm version of STACK_FRAME_NON_STANDARD.
    - applies the changes for include/linux/objtool.h to include/linux/frame.h
      and ignores tools/include/linux/objtool.h.
  - 5567c6c39f34 (“objtool: Only include valid definitions depending on source
    file type”)
    - adds __ASSEMBLY__ macros to differentiate C and ASM.
  - 8aa8eb2a8f5b (“objtool: Add support for intra-function calls”)
    - use stable/5.4.y: f8f25fde0cc680f6488aea6a0a1f80e689525e18
    - introduces ANNOTATE_INTRA_FUNCTION_CALL.

[4/8] 0f4a837615ff (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S”)
- reverse_cpuid.h: since 4e66c0cb79b7 (“KVM: x86: Add support for reverse CPUID
  lookup of scattered features”) is not in the tree, there is no point in
  backporting the reverse_cpuid.h related changes.

[5/8] be482ff95009 (“x86/bhi: Enumerate Branch History Injection (BHI) bug”)
- Conflicts in both files can be ignored since they are all context differences.

[6/8] ec9404e40e8f (“x86/bhi: Add BHI mitigation knob”)
- This commit is backported in the same scheme as Jammy's.

[7/8] 95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
- Clean cherry pick.

[8/8] ed2e8d49b54d (“KVM: x86: Add BHI_NO”)
- Since 0204750bd4c6ccc2fb7417618477f10373b33f56 (“KVM: x86: Mask off
  unsupported and unknown bits of IA32_ARCH_CAPABILITIES”) is not in the tree,
  the feature is not supported, so this patch is skipped.

[Test]
Compiled only.

[Where things could go wrong]
This series is mostly about enabling CPU features and reducing the exposed
branch history; therefore, a system that boots and runs should indicate that
the series is not introducing any regression.

For KVM, the most significant impact is a performance regression caused by the
system call substitution: for users who do not care about the mitigation,
branch prediction probably will not perform as fast as it did before.
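A post-install check for the semicolon-separated spectre_v2 sysfs line that patch 1/8 introduces, added here as an example and not part of the series: it extracts the BHI field (which may itself contain a comma, e.g. the KVM sub-status) and flags an unmitigated result. The sysfs path is the standard one; the sample status lines are constructed to follow the sysfs format, and the exact wording on a given CPU and kernel may differ.

```shell
#!/bin/sh
# Added verification helper (not part of this patch series): parse the
# spectre_v2 sysfs status line and report its BHI field. After patch 1/8 the
# fields are separated by ';', so the BHI field itself may contain a ','.
SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample lines following the sysfs format (not captured output).
SAMPLE_DIS_S='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_KVM='Mitigation: Retpolines; IBPB: conditional; RSB filling; BHI: SW loop, KVM: SW loop'
SAMPLE_OLD='Mitigation: Retpolines, IBPB: conditional, IBRS_FW, RSB filling'

# bhi_field LINE: print the value of the "BHI:" field, or "missing" when the
# line carries no BHI field (a kernel without this series, or a CPU whose
# whole spectre_v2 status is "Not affected").
bhi_field() {
    printf '%s\n' "$1" | tr ';' '\n' |
        awk '/^ *BHI:/ { sub(/^ *BHI: */, ""); print; found = 1 }
             END { if (!found) print "missing" }'
}

# bhi_mitigated LINE: exit 0 when the BHI field reports a mitigation or
# "Not affected"; exit 1 when it is missing or starts with "Vulnerable".
bhi_mitigated() {
    case $(bhi_field "$1") in
        missing|Vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live check when the sysfs file is readable; otherwise use a sample line.
if [ -r "$SPECTRE_V2_SYSFS" ]; then
    line=$(cat "$SPECTRE_V2_SYSFS")
else
    line=$SAMPLE_DIS_S
fi
echo "spectre_v2: $line"
echo "BHI field : $(bhi_field "$line")"
if bhi_mitigated "$line"; then echo "BHI mitigated"; else echo "BHI NOT mitigated"; fi
```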

Alexandre Chartre (1):
  objtool: Add support for intra-function calls

Daniel Sneddon (1):
  x86/bhi: Define SPEC_CTRL_BHI_DIS_S

Josh Poimboeuf (2):
  objtool: Add asm version of STACK_FRAME_NON_STANDARD
  x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

Julien Thierry (1):
  objtool: Only include valid definitions depending on source file type

Linus Torvalds (1):
  x86/syscall: Don't force use of indirect calls for system calls

Pawan Gupta (4):
  x86/bhi: Add support for clearing branch history at syscall entry
  x86/bhi: Enumerate Branch History Injection (BHI) bug
  x86/bhi: Add BHI mitigation knob
  x86/bhi: Mitigate KVM by default

Yuxuan Luo (1):
  UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|OFF|ON}

 Documentation/admin-guide/hw-vuln/spectre.rst |  51 +++++++-
 .../admin-guide/kernel-parameters.txt         |  12 ++
 arch/x86/Kconfig                              |  25 ++++
 arch/x86/entry/common.c                       |  11 +-
 arch/x86/entry/entry_64.S                     |  61 +++++++++
 arch/x86/entry/entry_64_compat.S              |   3 +
 arch/x86/entry/syscall_32.c                   |  33 +++++
 arch/x86/entry/syscall_64.c                   |  27 ++++
 arch/x86/include/asm/cpufeatures.h            |  12 ++
 arch/x86/include/asm/msr-index.h              |   9 +-
 arch/x86/include/asm/nospec-branch.h          |  17 +++
 arch/x86/include/asm/syscall.h                |   4 +
 arch/x86/kernel/cpu/bugs.c                    | 121 ++++++++++++++++--
 arch/x86/kernel/cpu/common.c                  |  24 ++--
 arch/x86/kernel/cpu/scattered.c               |   1 +
 arch/x86/kvm/vmx/vmenter.S                    |   2 +
 debian.master/config/annotations              |   3 +
 include/linux/frame.h                         |  26 ++++
 .../Documentation/stack-validation.txt        |   8 ++
 tools/objtool/arch/x86/decode.c               |   6 +
 tools/objtool/check.c                         |  62 ++++++++-
 21 files changed, 478 insertions(+), 40 deletions(-)

-- 
2.34.1
