[SRU][Xenial][Patch 0/3] Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x


Kleber Souza
Patches requested by IBM for Spectre v2.

Build-tested for s390x.

Martin Schwidefsky (3):
  s390: detect etoken facility
  s390/lib: use expoline for all bcr instructions
  UBUNTU: SAUCE: s390: use expoline thunks for all branches generated by
    the BPF JIT

 arch/s390/kernel/nospec-branch.c | 12 +++++++++++-
 arch/s390/kernel/nospec-sysfs.c  |  2 ++
 arch/s390/lib/mem.S              |  6 ++++--
 arch/s390/net/bpf_jit_comp.c     |  9 +++++++--
 4 files changed, 24 insertions(+), 5 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Xenial][Patch 1/3] s390: detect etoken facility

Kleber Souza
From: Martin Schwidefsky <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

Detect and report the etoken facility. With spectre_v2=auto or
CONFIG_EXPOLINE_AUTO=y automatically disable expolines and use
the full branch prediction mode for the kernel.

Signed-off-by: Martin Schwidefsky <[hidden email]>
(cherry picked from commit aeaf7002a76c8da60c0f503badcbddc07650678c)
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 arch/s390/kernel/nospec-branch.c | 12 +++++++++++-
 arch/s390/kernel/nospec-sysfs.c  |  2 ++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c
index d5eed651b5ab..acc9957a59d9 100644
--- a/arch/s390/kernel/nospec-branch.c
+++ b/arch/s390/kernel/nospec-branch.c
@@ -36,6 +36,8 @@ early_param("nospec", nospec_setup_early);
 
 static int __init nospec_report(void)
 {
+ if (test_facility(156))
+ pr_info("Spectre V2 mitigation: etokens\n");
  if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
  pr_info("Spectre V2 mitigation: execute trampolines.\n");
  if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
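Review bot: In nospec_report() the new `test_facility(156)` check is a standalone `if` ahead of the expoline and facility-82 checks, so on a machine with etokens where `nospec_disable` is still 0 the boot log will carry both the "etokens" line and the "execute trampolines." line. If etokens are meant to supersede the other mitigations, chaining the checks with `else if` would make the report unambiguous. Minor style point: the new message has no trailing period while the adjacent "execute trampolines." message does.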
@@ -57,7 +59,15 @@ early_param("nospectre_v2", nospectre_v2_setup_early);
 
 void __init nospec_auto_detect(void)
 {
- if (IS_ENABLED(CC_USING_EXPOLINE)) {
+ if (test_facility(156)) {
+ /*
+ * The machine supports etokens.
+ * Disable expolines and disable nobp.
+ */
+ if (IS_ENABLED(CC_USING_EXPOLINE))
+ nospec_disable = 1;
+ __clear_facility(82, S390_lowcore.alt_stfle_fac_list);
+ } else if (IS_ENABLED(CC_USING_EXPOLINE)) {
  /*
  * The kernel has been compiled with expolines.
  * Keep expolines enabled and disable nobp.
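Review bot: The facility number 156 is a bare literal in the new `if (test_facility(156))` branch of nospec_auto_detect(), and the same literal is repeated in nospec_report() and cpu_show_spectre_v2(). A named constant for the etoken facility bit would keep the three call sites in sync and make the tests self-describing. The block comment would also be more useful if it said why etokens make expolines and nobp unnecessary, not only that they are disabled.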
diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c
index 8affad5f18cb..e30e580ae362 100644
--- a/arch/s390/kernel/nospec-sysfs.c
+++ b/arch/s390/kernel/nospec-sysfs.c
@@ -13,6 +13,8 @@ ssize_t cpu_show_spectre_v1(struct device *dev,
 ssize_t cpu_show_spectre_v2(struct device *dev,
     struct device_attribute *attr, char *buf)
 {
+ if (test_facility(156))
+ return sprintf(buf, "Mitigation: etokens\n");
  if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
  return sprintf(buf, "Mitigation: execute trampolines\n");
  if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
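Review bot: In cpu_show_spectre_v2() the `test_facility(156)` check returns "Mitigation: etokens" before `nospec_disable` is consulted, so sysfs reports etokens from the facility bit alone, while the only visible place that switches expolines off for etokens is nospec_auto_detect(). Please confirm this is the intended output when auto-detection is not what selected the mitigation, or gate the string on the same state that nospec_auto_detect() sets.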
--
2.17.1



[SRU][Xenial][Patch 2/3] s390/lib: use expoline for all bcr instructions

Kleber Souza
From: Martin Schwidefsky <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

The memmove, memset, memcpy, __memset16, __memset32 and __memset64
functions have an additional indirect return branch in the form of a
"bzr" instruction. These need to use expolines as well.

Cc: <[hidden email]> # v4.17+
Fixes: 97489e0663 ("s390/lib: use expoline for indirect branches")
Reviewed-by: Heiko Carstens <[hidden email]>
Signed-off-by: Martin Schwidefsky <[hidden email]>
(backported from commit 5eda25b10297684c1f46a14199ec00210f3c346e)
[ kleber: memmove, __memset16, __memset32 and __memset64 are not
  implemented on 4.4 kernel ]
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 arch/s390/lib/mem.S | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S
index 16c5998b9792..1b7ca2de3af1 100644
--- a/arch/s390/lib/mem.S
+++ b/arch/s390/lib/mem.S
@@ -26,7 +26,7 @@
  */
 ENTRY(memset)
  ltgr %r4,%r4
- bzr %r14
+ jz .Lmemset_exit
  ltgr %r3,%r3
  jnz .Lmemset_fill
  aghi %r4,-1
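Review bot: The `jz .Lmemset_exit` that replaces `bzr %r14` at the top of memset will look like a needless detour to anyone who does not know the expoline background. A one-line comment at the branch, saying that the zero-length return has to go through the `BR_EX %r14` at `.Lmemset_exit`, would keep it from being folded back into a conditional register branch in a later cleanup.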
@@ -41,6 +41,7 @@ ENTRY(memset)
 .Lmemset_clear_rest:
  larl %r3,.Lmemset_xc
  ex %r4,0(%r3)
+.Lmemset_exit:
  BR_EX %r14
 .Lmemset_fill:
  stc %r3,0(%r2)
@@ -71,7 +72,7 @@ ENTRY(memset)
  */
 ENTRY(memcpy)
  ltgr %r4,%r4
- bzr %r14
+ jz .Lmemcpy_exit
  aghi %r4,-1
  srlg %r5,%r4,8
  ltgr %r5,%r5
@@ -80,6 +81,7 @@ ENTRY(memcpy)
 .Lmemcpy_rest:
  larl %r5,.Lmemcpy_mvc
  ex %r4,0(%r5)
+.Lmemcpy_exit:
  BR_EX %r14
 .Lmemcpy_loop:
  mvc 0(256,%r1),0(%r3)
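Review bot: Nothing in the diff can show that memset and memcpy were the only routines in the 4.4 mem.S with a conditional register return; with the `.Lmemcpy_exit:` label added here, the two `bzr %r14` instructions visible in the patch are covered, but the subject promises all bcr instructions and the backport note only says which functions do not exist on 4.4. It would help to state in the backport note that the rest of the file was checked for remaining conditional branches on a register.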
--
2.17.1



[SRU][Xenial][Patch 3/3] UBUNTU: SAUCE: s390: use expoline thunks for all branches generated by the BPF JIT

Kleber Souza
From: Martin Schwidefsky <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

git commit e1cf4befa297b149149f633eff746593e400c030
"bpf, s390x: remove ld_abs/ld_ind"
removed the code that generated the indirect branch "basr %b5,%w1"
from the BPF JIT. Older versions of the BPF which still have support
for LD_ABS/LD_IND need a patch to add the execute trampoline for
this branch instruction.

Signed-off-by: Martin Schwidefsky <[hidden email]>
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 arch/s390/net/bpf_jit_comp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 2d3ba0acc592..5683d9c13b63 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -1277,8 +1277,13 @@ call_fn:
  /* agfr %b2,%src (%src is s32 here) */
  EMIT4(0xb9180000, BPF_REG_2, src_reg);
 
- /* basr %b5,%w1 (%b5 is call saved) */
- EMIT2(0x0d00, BPF_REG_5, REG_W1);
+ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
+ /* brasl %r5,__s390_indirect_jump_r1 */
+ EMIT6_PCREL_RILB(0xc0050000, BPF_REG_5, jit->r1_thunk_ip);
+ } else {
+ /* basr %b5,%w1 (%b5 is call saved) */
+ EMIT2(0x0d00, BPF_REG_5, REG_W1);
+ }
 
  /*
  * Note: For fast access we jump directly after the
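Review bot: The new expoline path in call_fn uses `jit->r1_thunk_ip`, which this patch never sets, so it depends on an earlier change in the Xenial tree that emits the r1 thunk and records its address. Since this is a SAUCE patch with no upstream commit to cross-check, the commit message should name that prerequisite. The condition `IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable` should also be confirmed to match the condition under which the thunk is emitted, because a mismatch would let the brasl target a thunk address that was never filled in.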
--
2.17.1



NAK: [SRU][Xenial][Patch 0/3] Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x

Kleber Souza
On 09/10/18 16:26, Kleber Sacilotto de Souza wrote:

> Patches requested by IBM for Spectre v2.
>
> Build-tested for s390x.
>
> Martin Schwidefsky (3):
>   s390: detect etoken facility
>   s390/lib: use expoline for all bcr instructions
>   UBUNTU: SAUCE: s390: use expoline thunks for all branches generated by
>     the BPF JIT
>
>  arch/s390/kernel/nospec-branch.c | 12 +++++++++++-
>  arch/s390/kernel/nospec-sysfs.c  |  2 ++
>  arch/s390/lib/mem.S              |  6 ++++--
>  arch/s390/net/bpf_jit_comp.c     |  9 +++++++--
>  4 files changed, 24 insertions(+), 5 deletions(-)
>

Please ignore this submission, a v2 is on the way.
