Commit fdf82a78 authored by Jiri Kosina's avatar Jiri Kosina Committed by Thomas Gleixner
Browse files

x86/speculation: Protect against userspace-userspace spectreRSB 

The article "Spectre Returns! Speculation Attacks using the Return Stack 
Buffer" [1] describes two new (sub-)variants of spectrev2-like attacks, 
making use solely of the RSB contents even on CPUs that don't fallback to 
BTB on RSB underflow (Skylake+).

Mitigate userspace-userspace attacks by always unconditionally filling RSB on
context switch when the generic spectrev2 mitigation has been enabled.

[1] https://arxiv.org/pdf/1807.07940.pdf



Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Reviewed-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
Acked-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1807261308190.997@cbobk.fhfr.pm
parent ca38dc8f

arch/x86/kernel/cpu/bugs.c

+7 −31
Original line number Diff line number Diff line
@@ -313,23 +313,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) 
	return cmd;

}



/* Check for Skylake-like CPUs (for RSB handling) */

static bool __init is_skylake_era(void)

{

	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&

	    boot_cpu_data.x86 == 6) {

		switch (boot_cpu_data.x86_model) {

		case INTEL_FAM6_SKYLAKE_MOBILE:

		case INTEL_FAM6_SKYLAKE_DESKTOP:

		case INTEL_FAM6_SKYLAKE_X:

		case INTEL_FAM6_KABYLAKE_MOBILE:

		case INTEL_FAM6_KABYLAKE_DESKTOP:

			return true;

		}

	}

	return false;

}



static void __init spectre_v2_select_mitigation(void)

{

	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -390,22 +373,15 @@ retpoline_auto: 
	pr_info("%s\n", spectre_v2_strings[mode]);



	/*

	 * If neither SMEP nor PTI are available, there is a risk of

	 * hitting userspace addresses in the RSB after a context switch

	 * from a shallow call stack to a deeper one. To prevent this fill

	 * the entire RSB, even when using IBRS.

	 * If spectre v2 protection has been enabled, unconditionally fill

	 * RSB during a context switch; this protects against two independent

	 * issues:

	 *

	 * Skylake era CPUs have a separate issue with *underflow* of the

	 * RSB, when they will predict 'ret' targets from the generic BTB.

	 * The proper mitigation for this is IBRS. If IBRS is not supported

	 * or deactivated in favour of retpolines the RSB fill on context

	 * switch is required.

	 *	- RSB underflow (and switch to BTB) on Skylake+

	 *	- SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs

	 */

	if ((!boot_cpu_has(X86_FEATURE_PTI) &&

	     !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {

	setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);

		pr_info("Spectre v2 mitigation: Filling RSB on context switch\n");

	}

	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");



	/* Initialize Indirect Branch Prediction Barrier if supported */

	if (boot_cpu_has(X86_FEATURE_IBPB)) {

CRA Git | Maintained and supported by SUSTech CRA and CCSE