Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2f27bfff authored by Andy Lutomirski's avatar Andy Lutomirski Committed by Greg Kroah-Hartman
Browse files

x86/speculation/mds: Improve CPU buffer clear documentation 



commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

On x86_64, all returns to usermode go through
prepare_exit_to_usermode(), with the sole exception of do_nmi().
This even includes machine checks -- this was added several years
ago to support MCE recovery.  Update the documentation.

Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org


Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent f7154aa5

Documentation/x86/mds.rst

+7 −32
Original line number Diff line number Diff line
@@ -142,38 +142,13 @@ Mitigation points 
   mds_user_clear.



   The mitigation is invoked in prepare_exit_to_usermode() which covers

   most of the kernel to user space transitions. There are a few exceptions

   which are not invoking prepare_exit_to_usermode() on return to user

   space. These exceptions use the paranoid exit code.



   - Non Maskable Interrupt (NMI):



     Access to sensible data like keys, credentials in the NMI context is

     mostly theoretical: The CPU can do prefetching or execute a

     misspeculated code path and thereby fetching data which might end up

     leaking through a buffer.



     But for mounting other attacks the kernel stack address of the task is

     already valuable information. So in full mitigation mode, the NMI is

     mitigated on the return from do_nmi() to provide almost complete

     coverage.



   - Machine Check Exception (#MC):



     Another corner case is a #MC which hits between the CPU buffer clear

     invocation and the actual return to user. As this still is in kernel

     space it takes the paranoid exit path which does not clear the CPU

     buffers. So the #MC handler repopulates the buffers to some

     extent. Machine checks are not reliably controllable and the window is

     extremly small so mitigation would just tick a checkbox that this

     theoretical corner case is covered. To keep the amount of special

     cases small, ignore #MC.



   - Debug Exception (#DB):



     This takes the paranoid exit path only when the INT1 breakpoint is in

     kernel space. #DB on a user space address takes the regular exit path,

     so no extra mitigation required.

   all but one of the kernel to user space transitions.  The exception

   is when we return from a Non Maskable Interrupt (NMI), which is

   handled directly in do_nmi().



   (The reason that NMI is special is that prepare_exit_to_usermode() can

    enable IRQs.  In NMI context, NMIs are blocked, and we don't want to

    enable IRQs with NMIs blocked.)





2. C-State transition