From: Peter Zijlstra <peterz@infradead.org>

Date: Tue, 14 Jun 2022 23:15:41 +0200

Subject: x86/bpf: Use alternative RET encoding

Git-commit: d77cfe594ad50e0bf95d457e02ccd578791b2a15

Patch-mainline: v5.19-rc4

References: bsc#1199657 CVE-2022-29900 CVE-2022-29901

Use the return thunk in eBPF generated code, if needed.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>

Signed-off-by: Borislav Petkov <bp@suse.de>

Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>

Signed-off-by: Borislav Petkov <bp@suse.de>

---

 arch/x86/net/bpf_jit_comp.c |   20 ++++++++++++++++++--

 1 file changed, 18 insertions(+), 2 deletions(-)

--- a/arch/x86/net/bpf_jit_comp.c

+++ b/arch/x86/net/bpf_jit_comp.c

@@ -322,6 +322,22 @@ int bpf_arch_text_poke(void *ip, enum bp

 	return __bpf_arch_text_poke(ip, t, old_addr, new_addr, true);

 }

+static void emit_return(u8 **pprog, u8 *ip)

+{

+	u8 *prog = *pprog;

+	int cnt = 0;

+

+	if (cpu_feature_enabled(X86_FEATURE_RETHUNK)) {

+		emit_jump(&prog, &__x86_return_thunk, ip);

+	} else {

+		EMIT1(0xC3);		/* ret */

+		if (IS_ENABLED(CONFIG_SLS))

+			EMIT1(0xCC);	/* int3 */

+	}

+

+	*pprog = prog;

+}

+

 /*

  * Generate the following code:

  *

@@ -1380,7 +1396,7 @@ emit_jmp:

 			EMIT2(0x41, 0x5D);   /* pop r13 */

 			EMIT1(0x5B);         /* pop rbx */

 			EMIT1(0xC9);         /* leave */

-			EMIT1(0xC3);         /* ret */

+			emit_return(&prog, image + addrs[i - 1] + (prog - temp));

 			break;

 		default:

@@ -1622,7 +1638,7 @@ int arch_prepare_bpf_trampoline(void *im

 	if (flags & BPF_TRAMP_F_SKIP_FRAME)

 		/* skip our return address and return to parent */

 		EMIT4(0x48, 0x83, 0xC4, 8); /* add rsp, 8 */

-	EMIT1(0xC3); /* ret */

+	emit_return(&prog, prog);

 	/* One half of the page has active running trampoline.

 	 * Another half is an area for next trampoline.

 	 * Make sure the trampoline generation logic doesn't overflow.