From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Fri, 8 Jul 2022 19:10:11 +0200
Subject: x86/kexec: Disable RET on kexec
Git-commit: 697977d8415d61f3acbc4ee6d564c9dcf0309507
Patch-mainline: v5.19-rc7
References: bsc#1199657 CVE-2022-29900 CVE-2022-29901
All the invocations unroll to __x86_return_thunk and this file
must be position independent (PIC).
This fixes kexec on 64-bit AMD boxes.
  [ bp: Fix 32-bit build. ]
Reported-by: Edward Tran <edward.tran@oracle.com>
Reported-by: Awais Tanveer <awais.tanveer@oracle.com>
Suggested-by: Ankur Arora <ankur.a.arora@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
---
 arch/x86/kernel/relocate_kernel_32.S |   17 ++++++++++++-----
 arch/x86/kernel/relocate_kernel_64.S |   18 ++++++++++++------
 2 files changed, 24 insertions(+), 11 deletions(-)
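--- a/arch/x86/kernel/relocate_kernel_32.S
+++ b/arch/x86/kernel/relocate_kernel_32.S
@@ -9,10 +9,12 @@
 #include <linux/linkage.h>
 #include <asm/page_types.h>
 #include <asm/kexec.h>
+#include <asm/nospec-branch.h>
 #include <asm/processor-flags.h>
 
 /*
- * Must be relocatable PIC code callable as a C function
+ * Must be relocatable PIC code callable as a C function, in particular
+ * there must be a plain RET and not jump to return thunk.
  */
 
 #define PTR(x) (x << 2)
@@ -94,7 +96,8 @@ relocate_kernel:
 	movl    %edi, %eax
 	addl    $(identity_mapped - relocate_kernel), %eax
 	pushl   %eax
-	RET
+	ret
+	int3
 
 identity_mapped:
 	/* set return address to 0 if not preserving context */
@@ -161,12 +164,14 @@ identity_mapped:
 	xorl    %edx, %edx
 	xorl    %esi, %esi
 	xorl    %ebp, %ebp
-	RET
+	ret
+	int3
 1:
 	popl	%edx
 	movl	CP_PA_SWAP_PAGE(%edi), %esp
 	addl	$PAGE_SIZE, %esp
 2:
+	ANNOTATE_RETPOLINE_SAFE
 	call	*%edx
 
 	/* get the re-entry point of the peer system */
@@ -209,7 +214,8 @@ virtual_mapped:
 	popl	%edi
 	popl	%esi
 	popl	%ebx
-	RET
+	ret
+	int3
 
 	/* Do the copies */
 swap_pages:
@@ -271,7 +277,8 @@ swap_pages:
 	popl	%edi
 	popl	%ebx
 	popl	%ebp
-	RET
+	ret
+	int3
 
 	.globl kexec_control_code_size
 .set kexec_control_code_size, . - relocate_kernel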
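--- a/arch/x86/kernel/relocate_kernel_64.S
+++ b/arch/x86/kernel/relocate_kernel_64.S
@@ -13,7 +13,8 @@
 #include <asm/pgtable_types.h>
 
 /*
- * Must be relocatable PIC code callable as a C function
+ * Must be relocatable PIC code callable as a C function, in particular
+ * there must be a plain RET and not jump to return thunk.
  */
 
 #define PTR(x) (x << 3)
@@ -104,7 +105,8 @@ relocate_kernel:
 	/* jump to identity mapped page */
 	addq	$(identity_mapped - relocate_kernel), %r8
 	pushq	%r8
-	RET
+	ret
+	int3
 
 identity_mapped:
 	/* set return address to 0 if not preserving context */
@@ -189,7 +191,8 @@ identity_mapped:
 	xorl	%r14d, %r14d
 	xorl	%r15d, %r15d
 
-	RET
+	ret
+	int3
 
 1:
 	popq	%rdx
@@ -210,7 +213,8 @@ identity_mapped:
 	call	swap_pages
 	movq	$virtual_mapped, %rax
 	pushq	%rax
-	RET
+	ret
+	int3
 
 virtual_mapped:
 	movq	RSP(%r8), %rsp
@@ -229,7 +233,8 @@ virtual_mapped:
 	popq	%r12
 	popq	%rbp
 	popq	%rbx
-	RET
+	ret
+	int3
 
 	/* Do the copies */
 swap_pages:
@@ -284,7 +289,8 @@ swap_pages:
 	lea	PAGE_SIZE(%rax), %rsi
 	jmp	0b
 3:
-	RET
+	ret
+	int3
 
 	.globl kexec_control_code_size
 .set kexec_control_code_size, . - relocate_kernel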
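Review bot: The new header comment `there must be a plain RET and not jump to return thunk` (same wording in relocate_kernel_32.S) reads awkwardly and names the very macro the code must avoid; `there must be a plain ret, not a jump to the return thunk (i.e. never the RET macro)` would tell a reader exactly what not to write. Unlike the 32-bit file, no `ANNOTATE_RETPOLINE_SAFE` and no `<asm/nospec-branch.h>` include is added here; this file's indirect call into the relocated code lies outside these hunks, so it is presumably already annotated, but the two files should be confirmed to end up consistent. In the @@ -210 hunk the `ret` consumes the pushed absolute `$virtual_mapped` rather than a `... - relocate_kernel` offset as the relocate_kernel site does, which presumably relies on the kernel's virtual mapping being live again by that point; a comment such as `/* ret into the kernel's virtual mapping, not the identity-mapped copy */` would save the next reader that check. The hunks cut through relocate_kernel, identity_mapped, virtual_mapped and swap_pages, whose bodies continue outside the diff.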