diff --git a/patches.suse/x86-kexec-Disable-RET-on-kexec.patch b/patches.suse/x86-kexec-Disable-RET-on-kexec.patch
new file mode 100644
index 0000000..1373cad
--- /dev/null
+++ b/patches.suse/x86-kexec-Disable-RET-on-kexec.patch
@@ -0,0 +1,144 @@
+From: Konrad Rzeszutek Wilk
+Date: Fri, 8 Jul 2022 19:10:11 +0200
+Subject: x86/kexec: Disable RET on kexec
+Git-commit: 4c5d5e03fbcc1ebfee05498edc7b47915921c76c
+Patch-mainline: Queued in tip for 5.19
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+References: bsc#1199657 CVE-2022-29900 CVE-2022-29901
+
+All the invocations unroll to __x86_return_thunk and this file
+must be PIC independent.
+
+This fixes kexec on 64-bit AMD boxes.
+
+Reported-by: Edward Tran
+Reported-by: Awais Tanveer
+Suggested-by: Ankur Arora
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Alexandre Chartre
+Signed-off-by: Borislav Petkov
+---
+ arch/x86/kernel/relocate_kernel_32.S | 16 +++++++++++-----
+ arch/x86/kernel/relocate_kernel_64.S | 18 ++++++++++++------
+ 2 files changed, 23 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/kernel/relocate_kernel_32.S
++++ b/arch/x86/kernel/relocate_kernel_32.S
+@@ -10,7 +10,8 @@
+ #include
+
+ /*
+- * Must be relocatable PIC code callable as a C function
++ * Must be relocatable PIC code callable as a C function, in particular
++ * there must be a plain RET and not jump to return thunk.
+ */
+
+ #define PTR(x) (x << 2)
+@@ -92,7 +93,8 @@ relocate_kernel:
+ movl %edi, %eax
+ addl $(identity_mapped - relocate_kernel), %eax
+ pushl %eax
+- RET
++ ret
++ int3
+
+ identity_mapped:
+ /* set return address to 0 if not preserving context */
+@@ -159,12 +161,14 @@ identity_mapped:
+ xorl %edx, %edx
+ xorl %esi, %esi
+ xorl %ebp, %ebp
+- RET
++ ret
++ int3
+ 1:
+ popl %edx
+ movl CP_PA_SWAP_PAGE(%edi), %esp
+ addl $PAGE_SIZE, %esp
+ 2:
++ ANNOTATE_RETPOLINE_SAFE
+ call *%edx
+
+ /* get the re-entry point of the peer system */
+@@ -207,7 +211,8 @@ virtual_mapped:
+ popl %edi
+ popl %esi
+ popl %ebx
+- RET
++ ret
++ int3
+
+ /* Do the copies */
+ swap_pages:
+@@ -269,7 +274,8 @@ swap_pages:
+ popl %edi
+ popl %ebx
+ popl %ebp
+- RET
++ ret
++ int3
+
+ .globl kexec_control_code_size
+ .set kexec_control_code_size, . - relocate_kernel
+--- a/arch/x86/kernel/relocate_kernel_64.S
++++ b/arch/x86/kernel/relocate_kernel_64.S
+@@ -11,7 +11,8 @@
+ #include
+
+ /*
+- * Must be relocatable PIC code callable as a C function
++ * Must be relocatable PIC code callable as a C function, in particular
++ * there must be a plain RET and not jump to return thunk.
+ */
+
+ #define PTR(x) (x << 3)
+@@ -102,7 +103,8 @@ relocate_kernel:
+ /* jump to identity mapped page */
+ addq $(identity_mapped - relocate_kernel), %r8
+ pushq %r8
+- RET
++ ret
++ int3
+
+ identity_mapped:
+ /* set return address to 0 if not preserving context */
+@@ -187,7 +189,8 @@ identity_mapped:
+ xorl %r14d, %r14d
+ xorl %r15d, %r15d
+
+- RET
++ ret
++ int3
+
+ 1:
+ popq %rdx
+@@ -208,7 +211,8 @@ identity_mapped:
+ call swap_pages
+ movq $virtual_mapped, %rax
+ pushq %rax
+- RET
++ ret
++ int3
+
+ virtual_mapped:
+ movq RSP(%r8), %rsp
+@@ -227,7 +231,8 @@ virtual_mapped:
+ popq %r12
+ popq %rbp
+ popq %rbx
+- RET
++ ret
++ int3
+
+ /* Do the copies */
+ swap_pages:
+@@ -282,7 +287,8 @@ swap_pages:
+ lea PAGE_SIZE(%rax), %rsi
+ jmp 0b
+ 3:
+- RET
++ ret
++ int3
+
+ .globl kexec_control_code_size
+ .set kexec_control_code_size, . - relocate_kernel
diff --git a/series.conf b/series.conf
index 706b95c..fc50352 100644
--- a/series.conf
+++ b/series.conf
@@ -23128,6 +23128,7 @@
patches.suse/x86-common-Stamp-out-the-stepping-madness.patch
patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch
patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-not-supp.patch
+ patches.suse/x86-kexec-Disable-RET-on-kexec.patch
########################################################
# kbuild/module infrastructure fixes
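Review bot: Every `ret` on the new side is followed by an `int3`, but neither the updated header comment in relocate_kernel_32.S/relocate_kernel_64.S (which only explains why a plain `ret` replaces the `RET` macro) nor the message says what the `int3` is for, so a reader sees an unreachable instruction after each return with no rationale. I would add a one-line comment at the first `ret`/`int3` pair in each file, e.g. `/* int3 after the plain ret: keeps the speculation trap the RET macro would otherwise emit — confirm against the RET definition */`, hedged until checked against that macro. Separately, the 32-bit hunk at `@@ -159,12 +161,14 @@` adds `ANNOTATE_RETPOLINE_SAFE` before `call *%edx`, which the message does not mention, while the 64-bit hunk at `@@ -187,7 +189,8 @@` stops at `popq %rdx`, so whether the corresponding indirect call in the 64-bit file carries the same annotation cannot be confirmed from here. The extra `int3` bytes are absorbed by `.set kexec_control_code_size, . - relocate_kernel` at the end of both files, so the size symbol stays correct, but any fixed upper bound on that size is checked outside this patch and is worth re-verifying.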