From patchwork Wed Feb 28 03:56:38 2018
X-Patchwork-Submitter: Alex Shi
X-Patchwork-Id: 129900
From: Alex Shi
To: Marc Zyngier, Will Deacon, Ard Biesheuvel, Catalin Marinas, stable@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: Alex Shi
Subject: [PATCH 16/29] arm64: use RET instruction for exiting the trampoline
Date: Wed, 28 Feb 2018 11:56:38 +0800
Message-Id: <1519790211-16582-17-git-send-email-alex.shi@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1519790211-16582-1-git-send-email-alex.shi@linaro.org>
References: <1519790211-16582-1-git-send-email-alex.shi@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Will Deacon

commit be04a6d1126b upstream.

Speculation attacks against the entry trampoline can potentially resteer
the speculative instruction stream through the indirect branch and into
arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction
through the return stack: a dummy BL instruction loads an entry into the
stack, so that the predicted program flow of the subsequent RET
instruction is to a branch-to-self instruction which is finally resolved
as a branch to the kernel vectors with speculation suppressed.

Signed-off-by: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Alex Shi
---
 arch/arm64/kernel/entry.S | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

-- 
2.7.4
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 996c605..c00921e 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -902,6 +902,14 @@ __ni_sys_trace: .if \regsize == 64 msr tpidrro_el0, x30 // Restored in kernel_ventry .endif + /* + * Defend against branch aliasing attacks by pushing a dummy + * entry onto the return stack and using a RET instruction to + * enter the full-fat kernel vectors. + */ + bl 2f + b . +2: tramp_map_kernel x30 #ifdef CONFIG_RANDOMIZE_BASE adr x30, tramp_vectors + PAGE_SIZE @@ -913,7 +921,7 @@ __ni_sys_trace: msr vbar_el1, x30 add x30, x30, #(1b - tramp_vectors) isb - br x30 + ret .endm .macro tramp_exit, regsize = 64
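Review bot: in the first hunk, the added `bl 2f` overwrites x30 before `tramp_map_kernel x30`, and the comment block above it does not say why that is safe; a reader could take it for dropping the user's link register. It is fine only because x30 is dead at that point: for `\regsize == 64` it has already been stashed with `msr tpidrro_el0, x30 // Restored in kernel_ventry`, and in every case `tramp_map_kernel x30` rewrites it on the very next instruction after `2:`. Suggest extending the comment with one line, for example ` * x30 is dead here (saved above for 64-bit, rewritten by tramp_map_kernel below),` so the clobber is documented next to the code that relies on it. Also worth a glance: the macro already uses the numeric local label `1b` further down, and `2:` is new, so double-check that `2` is not reused elsewhere in the same macro body.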
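Review bot: in the second hunk, replacing `br x30` with `ret` delivers the intended return-stack misprediction only if the entry pushed by `bl 2f` is still the top of the return stack when `ret` executes; anything expanded between `2:` and the `ret` (here `tramp_map_kernel x30`) must therefore not execute its own `bl`/`ret` pair, or the dummy entry is consumed and the `ret` falls back to an ordinary indirect prediction. That dependency deserves a one-line comment above the `ret`, since a later change to `tramp_map_kernel` could silently defeat the mitigation. Functionally the change is neutral: `ret` with no operand branches to x30, so the `msr vbar_el1, x30` / `add x30, x30, #(1b - tramp_vectors)` / `isb` sequence feeding it is unchanged and the `isb` still orders the VBAR_EL1 write before the branch.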