From 0161c6cc5994473b67a4c9773da60a0d44221220 Mon Sep 17 00:00:00 2001
From: Borislav Petkov
Date: Mar 09 2022 11:41:43 +0000
Subject: x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
---
diff --git a/patches.suse/x86-speculation-warn-about-eibrs-lfence-unprivileged-ebpf-smt.patch b/patches.suse/x86-speculation-warn-about-eibrs-lfence-unprivileged-ebpf-smt.patch
new file mode 100644
index 0000000..97d5bbb
--- /dev/null
+++ b/patches.suse/x86-speculation-warn-about-eibrs-lfence-unprivileged-ebpf-smt.patch
@@ -0,0 +1,93 @@
+From: Josh Poimboeuf
+Date: Fri, 25 Feb 2022 14:32:28 -0800
+Subject: x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT
+Git-commit: 0de05d056afdb00eca8c7bbb0c79a3438daf700c
+Patch-mainline: v5.17 or v5.17-rc8 (next release)
+References: bsc#1191580 CVE-2022-0001 CVE-2022-0002
+
+The commit
+
+ 44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting")
+
+added a warning for the "eIBRS + unprivileged eBPF" combination, which
+has been shown to be vulnerable against Spectre v2 BHB-based attacks.
+
+However, there's no warning about the "eIBRS + LFENCE retpoline +
+unprivileged eBPF" combo. The LFENCE adds more protection by shortening
+the speculation window after a mispredicted branch. That makes an attack
+significantly more difficult, even with unprivileged eBPF. So at least
+for now the logic doesn't warn about that combination.
+
+But if you then add SMT into the mix, the SMT attack angle weakens the
+effectiveness of the LFENCE considerably.
+
+So extend the "eIBRS + unprivileged eBPF" warning to also include the
+"eIBRS + LFENCE + unprivileged eBPF + SMT" case.
+
+ [ bp: Massage commit message. ]
+
+Suggested-by: Alyssa Milburn
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Borislav Petkov
+---
+ arch/x86/kernel/cpu/bugs.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index cfd116423908..6296e1ebed1d 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -653,12 +653,27 @@ static inline const char *spectre_v2_module_string(void) { return ""; }
+ 
+ #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
+ #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
++#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
+ 
+ #ifdef CONFIG_BPF_SYSCALL
+ void unpriv_ebpf_notify(int new_state)
+ {
+- if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state)
++ if (new_state)
++ return;
++
++ /* Unprivileged eBPF is enabled */
++
++ switch (spectre_v2_enabled) {
++ case SPECTRE_V2_EIBRS:
+ pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
++ break;
++ case SPECTRE_V2_EIBRS_LFENCE:
++ if (sched_smt_active())
++ pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
++ break;
++ default:
++ break;
++ }
+ }
+ #endif
+ 
+@@ -1118,6 +1133,10 @@ void cpu_bugs_smt_update(void)
+ {
+ mutex_lock(&spec_ctrl_mutex);
+ 
++ if (sched_smt_active() && unprivileged_ebpf_enabled() &&
++ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
++ pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
++
+ switch (spectre_v2_user_stibp) {
+ case SPECTRE_V2_USER_NONE:
+ break;
+@@ -1793,7 +1812,11 @@ static ssize_t spectre_v2_show_state(char *buf)
+ return sprintf(buf, "Vulnerable: LFENCE\n");
+ 
+ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
+- return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
++ return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
++
++ if (sched_smt_active() && unprivileged_ebpf_enabled() &&
++ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
++ return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
+ 
+ return sprintf(buf, "%s%s%s%s%s%s\n",
+ spectre_v2_strings[spectre_v2_enabled],
+
diff --git a/series.conf b/series.conf
index 8ce7874..92daef6 100644
--- a/series.conf
+++ b/series.conf
@@ -8273,6 +8273,7 @@
patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch
patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch
patches.suse/x86-speculation-warn-about-spectre-v2-lfence-mitigation.patch
+ patches.suse/x86-speculation-warn-about-eibrs-lfence-unprivileged-ebpf-smt.patch
# jejb/scsi for-next
patches.suse/scsi-smartpqi-Add-PCI-IDs
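Review bot: The eIBRS+LFENCE+eBPF+SMT warning is emitted at two different levels and cadences in the bugs.c hunks: unpriv_ebpf_notify() logs SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG with pr_err() on every transition to unprivileged eBPF, while the new block in cpu_bugs_smt_update() uses pr_warn_once(), so a later SMT re-enable with unprivileged eBPF still active produces no further dmesg entry, and the same message lands at KERN_WARNING there but KERN_ERR in the notify path. The `_once` is presumably deliberate because cpu_bugs_smt_update() runs on every SMT state change, but nothing in the hunk says so; a comment such as `/* _once: this runs on every SMT toggle; the eBPF sysctl path already logs each transition */` above the pr_warn_once() would keep the asymmetry from being "fixed" later, or both sites could use the same level. Separately, the condition `sched_smt_active() && unprivileged_ebpf_enabled() && spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE` is now duplicated verbatim in cpu_bugs_smt_update() and spectre_v2_show_state(); a small static bool helper would keep the dmesg warning and the sysfs spectre_v2 report from drifting apart, since the sysfs string is what inventory and detection tooling will read. cpu_bugs_smt_update() and spectre_v2_show_state() both continue outside their hunks.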