On Tue, Feb 23, 2016 at 4:19 PM, Andy Lutomirski <l...@kernel.org> wrote:
> Both before and after 5f310f739b4c ("x86/entry/32: Re-implement
> SYSENTER using the new C path"), we relied on a uaccess very early
> in the SYSENTER path to clear AC. After that change, though, we can
> potentially make it all the way into C code with AC set, which
> enlarges the attack surface for SMAP bypass by doing SYSENTER with
> AC set.
>
> Strengthen the SMAP protection by adding the missing ASM_CLAC right
> at the beginning.
>
> Signed-off-by: Andy Lutomirski <l...@kernel.org>
> ---
>
> This is probably an x86/urgent candidate. It fixes a minor
> hardening regression in 4.4.
>
> It's lightly tested. It's hard to test well right now because the
> 4.5 series is completely broken for 32-bit SMAP systems.
>
> arch/x86/entry/entry_32.S | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
> index f3facd40fd2d..9d6165c171eb 100644
> --- a/arch/x86/entry/entry_32.S
> +++ b/arch/x86/entry/entry_32.S
> @@ -294,6 +294,7 @@ sysenter_past_esp:
> pushl $__USER_DS /* pt_regs->ss */
> pushl %ebp /* pt_regs->sp (stashed in bp) */
> pushfl /* pt_regs->flags (except IF = 0) */
> + ASM_CLAC /* Clear AC after saving FLAGS */
> orl $X86_EFLAGS_IF, (%esp) /* Fix IF */
> pushl $__USER_CS /* pt_regs->cs */
> pushl $0 /* pt_regs->ip = 0 (placeholder) */
> --
> 2.5.0
>
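Review bot: the comment on the added ASM_CLAC line should say why it has to sit after pushfl rather than at the label: pt_regs->flags must capture the user's AC bit so it is restored on the way back to user space, and a CLAC before pushfl would silently strip a flag user space may be using for its own alignment checking. Suggest `+ ASM_CLAC /* Clear AC after saving FLAGS; the saved copy keeps the user's AC for return */`. The commit message's "right at the beginning" is also slightly loose: the three pushes above it (ss, sp, flags) still execute with AC possibly set, which is fine since they touch only the kernel stack, but saying so in the log makes the remaining window explicit for anyone auditing the entry path later.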
It looks like entry_INT80_compat is also missing a CLAC.

--
Brian Gerst
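The two facts the patch above rests on can be checked from user space: an unprivileged process can set EFLAGS.AC with popf, and the kernel saves the user's flags on entry and restores them on exit, which is why the CLAC has to come after pushfl (otherwise the user's AC would be lost on return). The following program is an added illustration written for this page; it is not code from the thread or from the kernel tree, and it cannot observe the kernel-side CLAC itself. It assumes an x86 Linux host: the raw getpid numbers (39 on x86-64, 20 on i386), the use of a raw syscall/int 0x80 rather than the 32-bit SYSENTER path the patch touches, the delivery of #AC as SIGBUS, and glibc's REG_EFL index into the signal ucontext are all Linux/glibc specifics; on other architectures the functions report -1 instead of running.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#define X86_EFLAGS_AC (1UL << 18)

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

int have_x86(void) { return HAVE_X86; }

/* Read the user-mode EFLAGS/RFLAGS (0 on non-x86 builds). */
static unsigned long read_flags(void)
{
    unsigned long f = 0;
#if defined(__x86_64__)
    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(f) : : "memory");
#elif defined(__i386__)
    __asm__ volatile("pushfl\n\tpopl %0" : "=r"(f) : : "memory");
#endif
    return f;
}

/* Write EFLAGS/RFLAGS; AC is not privileged, so CPL3 code can set it. */
static void write_flags(unsigned long f)
{
#if defined(__x86_64__)
    __asm__ volatile("pushq %0\n\tpopfq" : : "r"(f) : "memory", "cc");
#elif defined(__i386__)
    __asm__ volatile("pushl %0\n\tpopfl" : : "r"(f) : "memory", "cc");
#else
    (void)f;
#endif
}

/* getpid via the raw syscall instruction, so no libc code runs while AC is set. */
static long raw_getpid(void)
{
    long ret = -1;
#if defined(__x86_64__)
    __asm__ volatile("syscall" : "=a"(ret) : "a"(39L) : "rcx", "r11", "memory");
#elif defined(__i386__)
    __asm__ volatile("int $0x80" : "=a"(ret) : "a"(20L) : "memory");
#endif
    return ret;
}

/* 1 if AC set by user space is still set after a syscall (kernel restored the
 * saved flags), 0 if the kernel's CLAC leaked into user state, -1 off x86. */
int ac_survives_syscall(void)
{
    if (!HAVE_X86)
        return -1;
    write_flags(read_flags() | X86_EFLAGS_AC);
    (void)raw_getpid();
    unsigned long after = read_flags();
    write_flags(after & ~X86_EFLAGS_AC);   /* leave AC clear for the rest of the process */
    return (after & X86_EFLAGS_AC) ? 1 : 0;
}

static volatile sig_atomic_t ac_faults;

/* #AC reaches user space as SIGBUS; clear AC in the saved context so the
 * faulting load re-executes without faulting when the handler returns. */
static void on_sigbus(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ac_faults++;
#if HAVE_X86
    ucontext_t *uc = ctx;
    uc->uc_mcontext.gregs[REG_EFL] &= ~X86_EFLAGS_AC;
#else
    (void)ctx;
#endif
}

/* Number of #AC faults taken by one misaligned 32-bit load with AC set: 1 on
 * x86 Linux (CR0.AM is set, so user-mode misaligned accesses trap), -1 off x86. */
int misaligned_load_faults_with_ac(void)
{
    if (!HAVE_X86)
        return -1;
    static char buf[8] __attribute__((aligned(8))) = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed data */
    struct sigaction sa, old;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = on_sigbus;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old);

    ac_faults = 0;
    write_flags(read_flags() | X86_EFLAGS_AC);
    volatile uint32_t *p = (volatile uint32_t *)(buf + 1);  /* deliberately misaligned */
    uint32_t v = *p;
    (void)v;
    write_flags(read_flags() & ~X86_EFLAGS_AC);
    sigaction(SIGBUS, &old, NULL);
    return (int)ac_faults;
}

int main(void)
{
    printf("x86 build: %d\n", have_x86());
    printf("AC preserved across a syscall: %d\n", ac_survives_syscall());
    printf("#AC faults from one misaligned load with AC set: %d\n", misaligned_load_faults_with_ac());
    return 0;
}
```

The first check is the user-visible half of the entry-path contract: whatever the kernel does with AC internally, the value pushed by pushfl (or saved in r11 on the 64-bit syscall path) comes back on return. The second check shows that AC is a real, user-controlled bit with its own semantics, not a kernel-only SMAP knob, which is why the patch cannot simply clear it before saving flags.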