[PATCH] x86: add missing verify_cpu to 32bit wakeup

[PATCH] x86: add missing verify_cpu to 32bit wakeup

[Kees Cook]

Some BIOSes will reset the Intel XD_DISABLE MSR bit when resuming from S3,
which can interact poorly with ebba638ae723d8a8fc2f7abce5ec18b688b791d7.
In 32bit PAE mode, this can lead to a fault when EFER is restored by
the kernel wakeup routines, due to it setting the NX bit for a CPU
that (thanks to the BIOS reset) now incorrectly thinks it lacks the NX
feature. 64bit wakeup already handled this through its common call path
that would hit verify_cpu(). 32bit has a separate path for restoring
CPU state on S3 wakeup, and needed to call verify_cpu() to handle this
situation.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Cc: stable@kernel.org
---
 arch/x86/kernel/acpi/realmode/wakeup.S |    4 ++++
 arch/x86/kernel/verify_cpu.S           |    1 +
 2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kernel/acpi/realmode/wakeup.S b/arch/x86/kernel/acpi/realmode/wakeup.S
index ead21b6..19698da 100644
--- a/arch/x86/kernel/acpi/realmode/wakeup.S
+++ b/arch/x86/kernel/acpi/realmode/wakeup.S
@@ -94,6 +94,9 @@ wakeup_code:
 	/* Do any other stuff... */
 
 #ifndef CONFIG_64BIT
+	/* Recheck NX bit overrides (64bit path does this in trampoline) */
+	call	verify_cpu
+
 	/* This could also be done in C code... */
 	movl	pmode_cr3, %eax
 	movl	%eax, %cr3
@@ -117,6 +120,7 @@ wakeup_code:
 	movl	pmode_cr0, %eax
 	movl	%eax, %cr0
 	jmp	pmode_return
+# include "../../verify_cpu.S"
 #else
 	pushw	$0
 	pushw	trampoline_segment
diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
index b9242ba..50c5edd 100644
--- a/arch/x86/kernel/verify_cpu.S
+++ b/arch/x86/kernel/verify_cpu.S
@@ -20,6 +20,7 @@
  *	arch/x86/boot/compressed/head_64.S: Boot cpu verification
  *	arch/x86/kernel/trampoline_64.S: secondary processor verification
  *	arch/x86/kernel/head_32.S: processor startup
+ *	arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
  *
  *	verify_cpu, returns the status of longmode and SSE in register %eax.
  *		0: Success    1: Failure
-- 
1.7.4.1

-- 
Kees Cook
Ubuntu Security Team

Re: [PATCH] x86: add missing verify_cpu to 32bit wakeup

[H. Peter Anvin]

On 07/01/2011 02:19 PM, Kees Cook wrote:
> Some BIOSes will reset the Intel XD_DISABLE MSR bit when resuming from S3,
> which can interact poorly with ebba638ae723d8a8fc2f7abce5ec18b688b791d7.
> In 32bit PAE mode, this can lead to a fault when EFER is restored by
> the kernel wakeup routines, due to it setting the NX bit for a CPU
> that (thanks to the BIOS reset) now incorrectly thinks it lacks the NX
> feature. 64bit wakeup already handled this through its common call path
> that would hit verify_cpu(). 32bit has a separate path for restoring
> CPU state on S3 wakeup, and needed to call verify_cpu() to handle this
> situation.

For S3, we should save/restore MISC_ENABLE instead... in fact, we
already save it, we just restore it too late.

	-hpa

Re: [PATCH] x86: add missing verify_cpu to 32bit wakeup

[Kees Cook]

Hi,

On Fri, Jul 01, 2011 at 02:26:27PM -0700, H. Peter Anvin wrote:
> On 07/01/2011 02:19 PM, Kees Cook wrote:
> > Some BIOSes will reset the Intel XD_DISABLE MSR bit when resuming from S3,
> > which can interact poorly with ebba638ae723d8a8fc2f7abce5ec18b688b791d7.
> > In 32bit PAE mode, this can lead to a fault when EFER is restored by
> > the kernel wakeup routines, due to it setting the NX bit for a CPU
> > that (thanks to the BIOS reset) now incorrectly thinks it lacks the NX
> > feature. 64bit wakeup already handled this through its common call path
> > that would hit verify_cpu(). 32bit has a separate path for restoring
> > CPU state on S3 wakeup, and needed to call verify_cpu() to handle this
> > situation.
> 
> For S3, we should save/restore MISC_ENABLE instead... in fact, we
> already save it, we just restore it too late.

Given that MISC_ENABLE may not be available for a given CPU, it seems that
it's basically the same detection code as in verify_cpu() already. Since
this bit is the only part that is needed that early, I think the patch is
good the way it is (especially since it balances the 64bit path which
already calls this logic). I don't think doing the full early MISC_ENABLE
save/restore this early is worth it. Thoughts?

-Kees

-- 
Kees Cook
Ubuntu Security Team

Re: [PATCH] x86: add missing verify_cpu to 32bit wakeup

[H. Peter Anvin]

On 07/01/2011 03:36 PM, Kees Cook wrote:
>>
>> For S3, we should save/restore MISC_ENABLE instead... in fact, we
>> already save it, we just restore it too late.
> 
> Given that MISC_ENABLE may not be available for a given CPU, it seems that
> it's basically the same detection code as in verify_cpu() already. Since
> this bit is the only part that is needed that early, I think the patch is
> good the way it is (especially since it balances the 64bit path which
> already calls this logic). I don't think doing the full early MISC_ENABLE
> save/restore this early is worth it. Thoughts?
> 

We already save it, including if it exists, so we should just restore it
early, and then we don't have to do it again.

	-hpa

Re: [PATCH] x86: add missing verify_cpu to 32bit wakeup

[Pavel Machek]

Hi!

> Some BIOSes will reset the Intel XD_DISABLE MSR bit when resuming from S3,
> which can interact poorly with ebba638ae723d8a8fc2f7abce5ec18b688b791d7.
> In 32bit PAE mode, this can lead to a fault when EFER is restored by
> the kernel wakeup routines, due to it setting the NX bit for a CPU
> that (thanks to the BIOS reset) now incorrectly thinks it lacks the NX
> feature. 64bit wakeup already handled this through its common call path
> that would hit verify_cpu(). 32bit has a separate path for restoring
> CPU state on S3 wakeup, and needed to call verify_cpu() to handle this
> situation.
> 
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
> Cc: stable@kernel.org

Looks ok to me, but I'm not sure it is stable material.
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Re: [PATCH] x86: add missing verify_cpu to 32bit wakeup

[Kees Cook]

Hi Pavel,

On Sun, Jul 03, 2011 at 02:15:49PM +0200, Pavel Machek wrote:
> > Some BIOSes will reset the Intel XD_DISABLE MSR bit when resuming from S3,
> > which can interact poorly with ebba638ae723d8a8fc2f7abce5ec18b688b791d7.
> > In 32bit PAE mode, this can lead to a fault when EFER is restored by
> > the kernel wakeup routines, due to it setting the NX bit for a CPU
> > that (thanks to the BIOS reset) now incorrectly thinks it lacks the NX
> > feature. 64bit wakeup already handled this through its common call path
> > that would hit verify_cpu(). 32bit has a separate path for restoring
> > CPU state on S3 wakeup, and needed to call verify_cpu() to handle this
> > situation.
> > 
> > Signed-off-by: Kees Cook <kees.cook@canonical.com>
> > Cc: stable@kernel.org
> 
> Looks ok to me, but I'm not sure it is stable material.

Well, I figured anything that shipped with
ebba638ae723d8a8fc2f7abce5ec18b688b791d7 should get it, since it is
a regression in the 32bit PAE with BIOS-disabled NX corner-case.

-Kees

-- 
Kees Cook
Ubuntu Security Team

Re: [PATCH] x86: add missing verify_cpu to 32bit wakeup

[H. Peter Anvin]

On 07/03/2011 12:15 PM, Kees Cook wrote:
> 
> Well, I figured anything that shipped with
> ebba638ae723d8a8fc2f7abce5ec18b688b791d7 should get it, since it is
> a regression in the 32bit PAE with BIOS-disabled NX corner-case.
> 

Yes, but let's do the early restore... it's both more complete and simpler.

	-hpa

Re: [PATCH] x86: add missing verify_cpu to 32bit wakeup

[Pavel Machek]

On Sun 2011-07-03 12:15:22, Kees Cook wrote:
> Hi Pavel,
> 
> On Sun, Jul 03, 2011 at 02:15:49PM +0200, Pavel Machek wrote:
> > > Some BIOSes will reset the Intel XD_DISABLE MSR bit when resuming from S3,
> > > which can interact poorly with ebba638ae723d8a8fc2f7abce5ec18b688b791d7.
> > > In 32bit PAE mode, this can lead to a fault when EFER is restored by
> > > the kernel wakeup routines, due to it setting the NX bit for a CPU
> > > that (thanks to the BIOS reset) now incorrectly thinks it lacks the NX
> > > feature. 64bit wakeup already handled this through its common call path
> > > that would hit verify_cpu(). 32bit has a separate path for restoring
> > > CPU state on S3 wakeup, and needed to call verify_cpu() to handle this
> > > situation.
> > > 
> > > Signed-off-by: Kees Cook <kees.cook@canonical.com>
> > > Cc: stable@kernel.org
> > 
> > Looks ok to me, but I'm not sure it is stable material.
> 
> Well, I figured anything that shipped with
> ebba638ae723d8a8fc2f7abce5ec18b688b791d7 should get it, since it is
> a regression in the 32bit PAE with BIOS-disabled NX corner-case.

Aha, if it is an regression it makes sense for stable..

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html