Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86/bugs: Fix the SRSO mitigation on Zen3/4

The original version of the mitigation would patch in the calls to the
untraining routines directly. That is, the alternative() in UNTRAIN_RET
will patch in the CALL to srso_alias_untrain_ret() directly.

However, even if commit e7c25c441e9e ("x86/cpu: Cleanup the untrain
mess") meant well in trying to clean up the situation, due to micro-
architectural reasons, the untraining routine srso_alias_untrain_ret()
must be the target of a CALL instruction and not of a JMP instruction as
it is done now.

Reshuffle the alternative macros to accomplish that.

Fixes: e7c25c441e9e ("x86/cpu: Cleanup the untrain mess")
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Borislav Petkov (AMD) and committed by
Linus Torvalds
4535e1a4 091619ba

+23 -10
+1
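--- a/arch/x86/include/asm/asm-prototypes.h
+++ b/arch/x86/include/asm/asm-prototypes.h
@@ -14,6 +14,7 @@
 #include <asm/asm.h>
 #include <asm/fred.h>
 #include <asm/gsseg.h>
+#include <asm/nospec-branch.h>
 
 #ifndef CONFIG_X86_CMPXCHG64
 extern void cmpxchg8b_emu(void);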
+16 -5
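--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -262,11 +262,20 @@
 .Lskip_rsb_\@:
 .endm
 
+/*
+ * The CALL to srso_alias_untrain_ret() must be patched in directly at
+ * the spot where untraining must be done, ie., srso_alias_untrain_ret()
+ * must be the target of a CALL instruction instead of indirectly
+ * jumping to a wrapper which then calls it. Therefore, this macro is
+ * called outside of __UNTRAIN_RET below, for the time being, before the
+ * kernel can support nested alternatives with arbitrary nesting.
+ */
+.macro CALL_UNTRAIN_RET
 #if defined(CONFIG_MITIGATION_UNRET_ENTRY) || defined(CONFIG_MITIGATION_SRSO)
-#define CALL_UNTRAIN_RET "call entry_untrain_ret"
-#else
-#define CALL_UNTRAIN_RET ""
+ALTERNATIVE_2 "", "call entry_untrain_ret", X86_FEATURE_UNRET, \
+"call srso_alias_untrain_ret", X86_FEATURE_SRSO_ALIAS
 #endif
+.endm
 
 /*
  * Mitigate RETBleed for AMD/Hygon Zen uarch. Requires KERNEL CR3 because the
@@ -282,8 +291,8 @@
 .macro __UNTRAIN_RET ibpb_feature, call_depth_insns
 #if defined(CONFIG_MITIGATION_RETHUNK) || defined(CONFIG_MITIGATION_IBPB_ENTRY)
 VALIDATE_UNRET_END
-ALTERNATIVE_3 "", \
-CALL_UNTRAIN_RET, X86_FEATURE_UNRET, \
+CALL_UNTRAIN_RET
+ALTERNATIVE_2 "", \
 "call entry_ibpb", \ibpb_feature, \
 __stringify(\call_depth_insns), X86_FEATURE_CALL_DEPTH
 #endif
@@ -341,6 +350,8 @@
 #else
 static inline void retbleed_return_thunk(void) {}
 #endif
+
+extern void srso_alias_untrain_ret(void);
 
 #ifdef CONFIG_MITIGATION_SRSO
 extern void srso_return_thunk(void);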
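Review bot: The new comment above `CALL_UNTRAIN_RET` says the macro is "called outside of __UNTRAIN_RET below", but the second hunk invokes it inside `.macro __UNTRAIN_RET`, directly ahead of the `ALTERNATIVE_2`; what moved is the call out of the alternative, not out of the macro. I would reword that sentence to `Therefore, this macro is invoked as its own alternative, ahead of the ALTERNATIVE_2 in __UNTRAIN_RET below, ...`. The comment should also record that the entry order matters, assuming the usual rule that a later `ALTERNATIVE_2` entry takes precedence: `X86_FEATURE_SRSO_ALIAS` has to stay last so that it overrides the `X86_FEATURE_UNRET` call on Zen3/4. Because the untrain call is now a separate patch site, `\ibpb_feature` no longer displaces it as it did inside the old `ALTERNATIVE_3`, so it is worth confirming that the mitigation selection never sets those flags together. The body of `__UNTRAIN_RET` continues past the end of the hunk.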
+6 -5
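--- a/arch/x86/lib/retpoline.S
+++ b/arch/x86/lib/retpoline.S
@@ -163,6 +163,7 @@
 lfence
 jmp srso_alias_return_thunk
 SYM_FUNC_END(srso_alias_untrain_ret)
+__EXPORT_THUNK(srso_alias_untrain_ret)
 .popsection
 
 .pushsection .text..__x86.rethunk_safe
@@ -224,10 +225,12 @@
 SYM_CODE_END(srso_return_thunk)
 
 #define JMP_SRSO_UNTRAIN_RET "jmp srso_untrain_ret"
-#define JMP_SRSO_ALIAS_UNTRAIN_RET "jmp srso_alias_untrain_ret"
 #else /* !CONFIG_MITIGATION_SRSO */
+/* Dummy for the alternative in CALL_UNTRAIN_RET. */
+SYM_CODE_START(srso_alias_untrain_ret)
+RET
+SYM_FUNC_END(srso_alias_untrain_ret)
 #define JMP_SRSO_UNTRAIN_RET "ud2"
-#define JMP_SRSO_ALIAS_UNTRAIN_RET "ud2"
 #endif /* CONFIG_MITIGATION_SRSO */
 
 #ifdef CONFIG_MITIGATION_UNRET_ENTRY
@@ -319,9 +322,7 @@
 #if defined(CONFIG_MITIGATION_UNRET_ENTRY) || defined(CONFIG_MITIGATION_SRSO)
 
 SYM_FUNC_START(entry_untrain_ret)
-ALTERNATIVE_2 JMP_RETBLEED_UNTRAIN_RET, \
-JMP_SRSO_UNTRAIN_RET, X86_FEATURE_SRSO, \
-JMP_SRSO_ALIAS_UNTRAIN_RET, X86_FEATURE_SRSO_ALIAS
+ALTERNATIVE JMP_RETBLEED_UNTRAIN_RET, JMP_SRSO_UNTRAIN_RET, X86_FEATURE_SRSO
 SYM_FUNC_END(entry_untrain_ret)
 __EXPORT_THUNK(entry_untrain_ret)
 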
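Review bot: The dummy `srso_alias_untrain_ret` added under `#else /* !CONFIG_MITIGATION_SRSO */` uses the `RET` macro as its body and pairs `SYM_CODE_START` with `SYM_FUNC_END`. If `RET` assembles to a jump into the return thunk in rethunk builds, the stub depends on boot-time return patching in exactly the configuration where the SRSO thunks are compiled out. A self-contained body such as `ANNOTATE_UNRET_SAFE`, `ret`, `int3` would avoid that, though this should be confirmed against objtool and the return-patching code. The one-line comment could also say that the stub exists only so the `call srso_alias_untrain_ret` alternative has a symbol to resolve and is not expected to be reached when `X86_FEATURE_SRSO_ALIAS` is clear. The `#ifdef CONFIG_MITIGATION_SRSO` block this branch belongs to opens outside the hunk.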