On Wed, Feb 24, 2016 at 7:46 AM, Brian Gerst <brge...@gmail.com> wrote: > On Tue, Feb 23, 2016 at 4:19 PM, Andy Lutomirski <l...@kernel.org> wrote: >> Both before and after 5f310f739b4c ("x86/entry/32: Re-implement >> SYSENTER using the new C path"), we relied on a uaccess very early >> in the SYSENTER path to clear AC. After that change, though, we can >> potentially make it all the way into C code with AC set, which >> enlarges the attack surface for SMAP bypass by doing SYSENTER with >> AC set. >> >> Strengthen the SMAP protection by adding the missing ASM_CLAC right >> at the beginning. >> >> Signed-off-by: Andy Lutomirski <l...@kernel.org> >> --- >> >> This is probably an x86/urgent candidate. It fixes a minor >> hardening regression in 4.4. >> >> It's lightly tested. It's hard to test well right now because the >> 4.5 series is completely broken for 32-bit SMAP systems. >> >> arch/x86/entry/entry_32.S | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S >> index f3facd40fd2d..9d6165c171eb 100644 >> --- a/arch/x86/entry/entry_32.S >> +++ b/arch/x86/entry/entry_32.S >> @@ -294,6 +294,7 @@ sysenter_past_esp: >> pushl $__USER_DS /* pt_regs->ss */ >> pushl %ebp /* pt_regs->sp (stashed in bp) */ >> pushfl /* pt_regs->flags (except IF = 0) */ >> + ASM_CLAC /* Clear AC after saving FLAGS */ >> orl $X86_EFLAGS_IF, (%esp) /* Fix IF */ >> pushl $__USER_CS /* pt_regs->cs */ >> pushl $0 /* pt_regs->ip = 0 (placeholder) */ >> -- >> 2.5.0 >> > > It looks like entry_INT80_compat is also missing a CLAC. >
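Review bot: the ordering in this hunk, ASM_CLAC immediately after pushfl, is the part worth spelling out in the commit message rather than only in the inline comment. Placing the CLAC before pushfl would save an already-cleared AC into pt_regs->flags, so the value later restored to user mode would differ from what the user had; placing it after pushfl captures the user's flags intact and clears AC only for the kernel's execution, which is what the comment "Clear AC after saving FLAGS" is getting at. The three pushes that precede it (pushl $__USER_DS, pushl %ebp, pushfl) only write the kernel stack, so no user-memory access occurs while AC is still set, which is why this point is early enough; a sentence saying so would make the "right at the beginning" claim verifiable from the diff. The reply noting that entry_INT80_compat is missing a CLAC suggests the same pattern, CLAC right after the flags are saved, should be applied there in the follow-up patch.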
Indeed, and that's a much worse bug. For better or for worse, I think it's been buggy since the beginning (3.10). Patch coming. --Andy -- Andy Lutomirski AMA Capital Management, LLC