From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755448AbcBWVTd (ORCPT ); Tue, 23 Feb 2016 16:19:33 -0500
Received: from mail.kernel.org ([198.145.29.136]:46774 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754895AbcBWVTc (ORCPT ); Tue, 23 Feb 2016 16:19:32 -0500
From: Andy Lutomirski
To: x86@kernel.org
Cc: Borislav Petkov , linux-kernel@vger.kernel.org, Andy Lutomirski
Subject: [PATCH] x86/entry/32: Add an ASM_CLAC to entry_SYSENTER_32
Date: Tue, 23 Feb 2016 13:19:29 -0800
Message-Id: <3e36be110724896e32a4a1fe73bacb349d3cba94.1456262295.git.luto@kernel.org>
X-Mailer: git-send-email 2.5.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Both before and after 5f310f739b4c ("x86/entry/32: Re-implement SYSENTER using the new C path"), we relied on a uaccess very early in the SYSENTER path to clear AC. After that change, though, we can potentially make it all the way into C code with AC set, which enlarges the attack surface for SMAP bypass by doing SYSENTER with AC set.

Strengthen the SMAP protection by adding the missing ASM_CLAC right at the beginning.

Signed-off-by: Andy Lutomirski
---
This is probably an x86/urgent candidate. It fixes a minor hardening regression in 4.4. It's lightly tested. It's hard to test well right now because the 4.5 series is completely broken for 32-bit SMAP systems.

 arch/x86/entry/entry_32.S | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index f3facd40fd2d..9d6165c171eb 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -294,6 +294,7 @@ sysenter_past_esp: pushl $__USER_DS /* pt_regs->ss */ pushl %ebp /* pt_regs->sp (stashed in bp) */ pushfl /* pt_regs->flags (except IF = 0) */ + ASM_CLAC /* Clear AC after saving FLAGS */ orl $X86_EFLAGS_IF, (%esp) /* Fix IF */ pushl $__USER_CS /* pt_regs->cs */ pushl $0 /* pt_regs->ip = 0 (placeholder) */ -- 2.5.0
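Review bot: The placement of `ASM_CLAC` directly after `pushfl` and before `orl $X86_EFLAGS_IF, (%esp)` is the right spot in this hunk: the user's AC bit is captured in the saved pt_regs->flags before it is cleared (the inline comment "Clear AC after saving FLAGS" says as much), and the surrounding context lines only push onto the kernel stack, so no user-memory access happens with AC still set here. Two things the commit message should state, since the hunk itself cannot show them: that `ASM_CLAC` is safe on kernels or CPUs without SMAP (i.e. what it expands to when SMAP is not in use), and, given the note that the change is only lightly tested and that 32-bit SMAP systems are currently broken on 4.5, how (or whether) the SYSENTER-with-AC-set case was actually exercised, so an x86/urgent merge has that on record.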