Subject: Re: [PATCH] x86/entry/32: Add an ASM_CLAC to entry_SYSENTER_32
From: Brian Gerst
To: Andy Lutomirski
Cc: "the arch/x86 maintainers", Borislav Petkov, Linux Kernel Mailing List
Date: Wed, 24 Feb 2016 10:46:12 -0500
In-Reply-To: <3e36be110724896e32a4a1fe73bacb349d3cba94.1456262295.git.luto@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 23, 2016 at 4:19 PM, Andy Lutomirski wrote:
> Both before and after 5f310f739b4c ("x86/entry/32: Re-implement
> SYSENTER using the new C path"), we relied on a uaccess very early
> in the SYSENTER path to clear AC. After that change, though, we can
> potentially make it all the way into C code with AC set, which
> enlarges the attack surface for SMAP bypass by doing SYSENTER with
> AC set.
>
> Strengthen the SMAP protection by adding the missing ASM_CLAC right
> at the beginning.
>
> Signed-off-by: Andy Lutomirski
> ---
>
> This is probably an x86/urgent candidate. It fixes a minor
> hardening regression in 4.4.
>
> It's lightly tested. It's hard to test well right now because the
> 4.5 series is completely broken for 32-bit SMAP systems.
>
> arch/x86/entry/entry_32.S | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
> index f3facd40fd2d..9d6165c171eb 100644
> --- a/arch/x86/entry/entry_32.S
> +++ b/arch/x86/entry/entry_32.S
> @@ -294,6 +294,7 @@ sysenter_past_esp:
> pushl $__USER_DS /* pt_regs->ss */
> pushl %ebp /* pt_regs->sp (stashed in bp) */
> pushfl /* pt_regs->flags (except IF = 0) */
> + ASM_CLAC /* Clear AC after saving FLAGS */
> orl $X86_EFLAGS_IF, (%esp) /* Fix IF */
> pushl $__USER_CS /* pt_regs->cs */
> pushl $0 /* pt_regs->ip = 0 (placeholder) */
> --
> 2.5.0
>

It looks like entry_INT80_compat is also missing a CLAC.

--
Brian Gerst
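Review bot: the commit message says the ASM_CLAC is added "right at the beginning", but the hunk places it after `pushfl`, three instructions into the pt_regs frame; that ordering is the right one, since `pushfl` has to capture the user's EFLAGS (AC included) into pt_regs->flags before AC is cleared so the original value is restored on return, and the preceding `pushl $__USER_DS` / `pushl %ebp` only write the kernel stack, so consider rewording the commit message to "immediately after FLAGS is saved" so it matches the in-code comment `/* Clear AC after saving FLAGS */`. The following `orl $X86_EFLAGS_IF, (%esp)` also targets the kernel stack, so no user access occurs between the label context and the new CLAC in the visible lines.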