* [PATCH 0/2] x86/speculation/mds: Minor fixes @ 2019-05-14 20:24 Andy Lutomirski 2019-05-14 20:24 ` [PATCH 1/2] x86/speculation/mds: Revert CPU buffer clear on double fault exit Andy Lutomirski 2019-05-14 20:24 ` [PATCH 2/2] x86/speculation/mds: Improve CPU buffer clear documentation Andy Lutomirski 0 siblings, 2 replies; 5+ messages in thread From: Andy Lutomirski @ 2019-05-14 20:24 UTC (permalink / raw) To: x86; +Cc: LKML, Andy Lutomirski The first I heard of MDS was today. Let's fix the problems I noticed right away. Andy Lutomirski (2): x86/speculation/mds: Revert CPU buffer clear on double fault exit x86/speculation/mds: Improve CPU buffer clear documentation Documentation/x86/mds.rst | 44 ++++++--------------------------------- arch/x86/kernel/traps.c | 8 ------- 2 files changed, 6 insertions(+), 46 deletions(-) -- 2.21.0 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] x86/speculation/mds: Revert CPU buffer clear on double fault exit 2019-05-14 20:24 [PATCH 0/2] x86/speculation/mds: Minor fixes Andy Lutomirski @ 2019-05-14 20:24 ` Andy Lutomirski 2019-05-16 7:10 ` [tip:x86/urgent] " tip-bot for Andy Lutomirski 2019-05-14 20:24 ` [PATCH 2/2] x86/speculation/mds: Improve CPU buffer clear documentation Andy Lutomirski 1 sibling, 1 reply; 5+ messages in thread From: Andy Lutomirski @ 2019-05-14 20:24 UTC (permalink / raw) To: x86 Cc: LKML, Andy Lutomirski, stable, Greg Kroah-Hartman, Borislav Petkov, Frederic Weisbecker, Jon Masters The double fault ESPFIX path doesn't return to user mode at all -- it returns back to the kernel by simulating a #GP fault. prepare_exit_to_usermode() will run on the way out of general_protection before running user code. Cc: stable@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Borislav Petkov <bp@suse.de> Cc: Frederic Weisbecker <frederic@kernel.org> Cc: Jon Masters <jcm@redhat.com> Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") Signed-off-by: Andy Lutomirski <luto@kernel.org> --- Documentation/x86/mds.rst | 7 ------- arch/x86/kernel/traps.c | 8 -------- 2 files changed, 15 deletions(-) diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst index 534e9baa4e1d..0dc812bb9249 100644 --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst @@ -158,13 +158,6 @@ Mitigation points mitigated on the return from do_nmi() to provide almost complete coverage. - - Double fault (#DF): - - A double fault is usually fatal, but the ESPFIX workaround, which can - be triggered from user space through modify_ldt(2) is a recoverable - double fault. #DF uses the paranoid exit path, so explicit mitigation - in the double fault handler is required. - - Machine Check Exception (#MC): Another corner case is a #MC which hits between the CPU buffer clear diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 7de466eb960b..8b6d03e55d2f 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -58,7 +58,6 @@ #include <asm/alternative.h> #include <asm/fpu/xstate.h> #include <asm/trace/mpx.h> -#include <asm/nospec-branch.h> #include <asm/mpx.h> #include <asm/vm86.h> #include <asm/umip.h> @@ -368,13 +367,6 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) regs->ip = (unsigned long)general_protection; regs->sp = (unsigned long)&gpregs->orig_ax; - /* - * This situation can be triggered by userspace via - * modify_ldt(2) and the return does not take the regular - * user space exit, so a CPU buffer clear is required when - * MDS mitigation is enabled. - */ - mds_user_clear_cpu_buffers(); return; } #endif -- 2.21.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [tip:x86/urgent] x86/speculation/mds: Revert CPU buffer clear on double fault exit 2019-05-14 20:24 ` [PATCH 1/2] x86/speculation/mds: Revert CPU buffer clear on double fault exit Andy Lutomirski @ 2019-05-16 7:10 ` tip-bot for Andy Lutomirski 0 siblings, 0 replies; 5+ messages in thread From: tip-bot for Andy Lutomirski @ 2019-05-16 7:10 UTC (permalink / raw) To: linux-tip-commits Cc: tglx, gregkh, linux-kernel, frederic, bp, peterz, torvalds, mingo, jcm, hpa, luto Commit-ID: 88640e1dcd089879530a49a8d212d1814678dfe7 Gitweb: https://git.kernel.org/tip/88640e1dcd089879530a49a8d212d1814678dfe7 Author: Andy Lutomirski <luto@kernel.org> AuthorDate: Tue, 14 May 2019 13:24:39 -0700 Committer: Ingo Molnar <mingo@kernel.org> CommitDate: Thu, 16 May 2019 09:05:11 +0200 x86/speculation/mds: Revert CPU buffer clear on double fault exit The double fault ESPFIX path doesn't return to user mode at all -- it returns back to the kernel by simulating a #GP fault. prepare_exit_to_usermode() will run on the way out of general_protection before running user code. Signed-off-by: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@suse.de> Cc: Frederic Weisbecker <frederic@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jon Masters <jcm@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") Link: http://lkml.kernel.org/r/ac97612445c0a44ee10374f6ea79c222fe22a5c4.1557865329.git.luto@kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org> --- Documentation/x86/mds.rst | 7 ------- arch/x86/kernel/traps.c | 8 -------- 2 files changed, 15 deletions(-) diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst index 534e9baa4e1d..0dc812bb9249 100644 --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst @@ -158,13 +158,6 @@ Mitigation points mitigated on the return from do_nmi() to provide almost complete coverage. - - Double fault (#DF): - - A double fault is usually fatal, but the ESPFIX workaround, which can - be triggered from user space through modify_ldt(2) is a recoverable - double fault. #DF uses the paranoid exit path, so explicit mitigation - in the double fault handler is required. - - Machine Check Exception (#MC): Another corner case is a #MC which hits between the CPU buffer clear diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 7de466eb960b..8b6d03e55d2f 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -58,7 +58,6 @@ #include <asm/alternative.h> #include <asm/fpu/xstate.h> #include <asm/trace/mpx.h> -#include <asm/nospec-branch.h> #include <asm/mpx.h> #include <asm/vm86.h> #include <asm/umip.h> @@ -368,13 +367,6 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) regs->ip = (unsigned long)general_protection; regs->sp = (unsigned long)&gpregs->orig_ax; - /* - * This situation can be triggered by userspace via - * modify_ldt(2) and the return does not take the regular - * user space exit, so a CPU buffer clear is required when - * MDS mitigation is enabled. - */ - mds_user_clear_cpu_buffers(); return; } #endif ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] x86/speculation/mds: Improve CPU buffer clear documentation 2019-05-14 20:24 [PATCH 0/2] x86/speculation/mds: Minor fixes Andy Lutomirski 2019-05-14 20:24 ` [PATCH 1/2] x86/speculation/mds: Revert CPU buffer clear on double fault exit Andy Lutomirski @ 2019-05-14 20:24 ` Andy Lutomirski 2019-05-16 7:11 ` [tip:x86/urgent] " tip-bot for Andy Lutomirski 1 sibling, 1 reply; 5+ messages in thread From: Andy Lutomirski @ 2019-05-14 20:24 UTC (permalink / raw) To: x86 Cc: LKML, Andy Lutomirski, stable, Greg Kroah-Hartman, Borislav Petkov, Frederic Weisbecker, Jon Masters On x86_64, all returns to usermode go through prepare_exit_to_usermode(), with the sole exception of do_nmi(). This even includes machine checks -- this was added several years ago to support MCE recovery. Update the documentation. Cc: stable@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Borislav Petkov <bp@suse.de> Cc: Frederic Weisbecker <frederic@kernel.org> Cc: Jon Masters <jcm@redhat.com> Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") Signed-off-by: Andy Lutomirski <luto@kernel.org> --- Documentation/x86/mds.rst | 39 +++++++-------------------------------- 1 file changed, 7 insertions(+), 32 deletions(-) diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst index 0dc812bb9249..5d4330be200f 100644 --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst @@ -142,38 +142,13 @@ Mitigation points mds_user_clear. The mitigation is invoked in prepare_exit_to_usermode() which covers - most of the kernel to user space transitions. There are a few exceptions - which are not invoking prepare_exit_to_usermode() on return to user - space. These exceptions use the paranoid exit code. - - - Non Maskable Interrupt (NMI): - - Access to sensible data like keys, credentials in the NMI context is - mostly theoretical: The CPU can do prefetching or execute a - misspeculated code path and thereby fetching data which might end up - leaking through a buffer. - - But for mounting other attacks the kernel stack address of the task is - already valuable information. So in full mitigation mode, the NMI is - mitigated on the return from do_nmi() to provide almost complete - coverage. - - - Machine Check Exception (#MC): - - Another corner case is a #MC which hits between the CPU buffer clear - invocation and the actual return to user. As this still is in kernel - space it takes the paranoid exit path which does not clear the CPU - buffers. So the #MC handler repopulates the buffers to some - extent. Machine checks are not reliably controllable and the window is - extremly small so mitigation would just tick a checkbox that this - theoretical corner case is covered. To keep the amount of special - cases small, ignore #MC. - - - Debug Exception (#DB): - - This takes the paranoid exit path only when the INT1 breakpoint is in - kernel space. #DB on a user space address takes the regular exit path, - so no extra mitigation required. + all but one of the kernel to user space transitions. The exception + is when we return from a Non Maskable Interrupt (NMI), which is + handled directly in do_nmi(). + + (The reason that NMI is special is that prepare_exit_to_usermode() can + enable IRQs. In NMI context, NMIs are blocked, and we don't want to + enable IRQs with NMIs blocked.) 2. C-State transition -- 2.21.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [tip:x86/urgent] x86/speculation/mds: Improve CPU buffer clear documentation 2019-05-14 20:24 ` [PATCH 2/2] x86/speculation/mds: Improve CPU buffer clear documentation Andy Lutomirski @ 2019-05-16 7:11 ` tip-bot for Andy Lutomirski 0 siblings, 0 replies; 5+ messages in thread From: tip-bot for Andy Lutomirski @ 2019-05-16 7:11 UTC (permalink / raw) To: linux-tip-commits Cc: mingo, tglx, hpa, torvalds, linux-kernel, frederic, bp, luto, gregkh, peterz, jcm Commit-ID: 9d8d0294e78a164d407133dea05caf4b84247d6a Gitweb: https://git.kernel.org/tip/9d8d0294e78a164d407133dea05caf4b84247d6a Author: Andy Lutomirski <luto@kernel.org> AuthorDate: Tue, 14 May 2019 13:24:40 -0700 Committer: Ingo Molnar <mingo@kernel.org> CommitDate: Thu, 16 May 2019 09:05:12 +0200 x86/speculation/mds: Improve CPU buffer clear documentation On x86_64, all returns to usermode go through prepare_exit_to_usermode(), with the sole exception of do_nmi(). This even includes machine checks -- this was added several years ago to support MCE recovery. Update the documentation. Signed-off-by: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@suse.de> Cc: Frederic Weisbecker <frederic@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jon Masters <jcm@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org> --- Documentation/x86/mds.rst | 39 +++++++-------------------------------- 1 file changed, 7 insertions(+), 32 deletions(-) diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst index 0dc812bb9249..5d4330be200f 100644 --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst @@ -142,38 +142,13 @@ Mitigation points mds_user_clear. The mitigation is invoked in prepare_exit_to_usermode() which covers - most of the kernel to user space transitions. There are a few exceptions - which are not invoking prepare_exit_to_usermode() on return to user - space. These exceptions use the paranoid exit code. - - - Non Maskable Interrupt (NMI): - - Access to sensible data like keys, credentials in the NMI context is - mostly theoretical: The CPU can do prefetching or execute a - misspeculated code path and thereby fetching data which might end up - leaking through a buffer. - - But for mounting other attacks the kernel stack address of the task is - already valuable information. So in full mitigation mode, the NMI is - mitigated on the return from do_nmi() to provide almost complete - coverage. - - - Machine Check Exception (#MC): - - Another corner case is a #MC which hits between the CPU buffer clear - invocation and the actual return to user. As this still is in kernel - space it takes the paranoid exit path which does not clear the CPU - buffers. So the #MC handler repopulates the buffers to some - extent. Machine checks are not reliably controllable and the window is - extremly small so mitigation would just tick a checkbox that this - theoretical corner case is covered. To keep the amount of special - cases small, ignore #MC. - - - Debug Exception (#DB): - - This takes the paranoid exit path only when the INT1 breakpoint is in - kernel space. #DB on a user space address takes the regular exit path, - so no extra mitigation required. + all but one of the kernel to user space transitions. The exception + is when we return from a Non Maskable Interrupt (NMI), which is + handled directly in do_nmi(). + + (The reason that NMI is special is that prepare_exit_to_usermode() can + enable IRQs. In NMI context, NMIs are blocked, and we don't want to + enable IRQs with NMIs blocked.) 2. C-State transition ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-05-16 7:11 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-05-14 20:24 [PATCH 0/2] x86/speculation/mds: Minor fixes Andy Lutomirski 2019-05-14 20:24 ` [PATCH 1/2] x86/speculation/mds: Revert CPU buffer clear on double fault exit Andy Lutomirski 2019-05-16 7:10 ` [tip:x86/urgent] " tip-bot for Andy Lutomirski 2019-05-14 20:24 ` [PATCH 2/2] x86/speculation/mds: Improve CPU buffer clear documentation Andy Lutomirski 2019-05-16 7:11 ` [tip:x86/urgent] " tip-bot for Andy Lutomirski
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).