80eb5fea3c
We failed to activate the mitigation for Spectre-RSB (Return Stack Buffer, aka. ret2spec) on context switch, on CPUs prior to Power9 DD2.3. That allows a process to poison the RSB (called Link Stack on Power CPUs) and possibly misdirect speculative execution of another process. If the victim process can be induced to execute a leak gadget then it may be possible to extract information from the victim via a side channel. The fix is to correctly activate the link stack flush mitigation on all CPUs that have any mitigation of Spectre v2 in userspace enabled. There's a second commit which adds a link stack flush in the KVM guest exit path. A leak via that path has not been demonstrated, but we believe it's at least theoretically possible. This is the fix for CVE-2019-18660. -----BEGIN PGP SIGNATURE----- iQJHBAABCAAxFiEEJFGtCPCthwEv2Y/bUevqPMjhpYAFAl3eUXsTHG1wZUBlbGxl cm1hbi5pZC5hdQAKCRBR6+o8yOGlgEXtD/4qiCp4OHo+MEFbDyqZHZSYdFihpZ2B 9s8yQKMaL0WWVJU0rlKSY0fDW/W0pLUn1zoREY9kRIHrQQi9wd5kg6s2kZtDeIPZ XPANeOpicMJjKGA+s/CqJfJZmGhzQ6VYplg/qevjvgOZqn8QsQhljg85w3Tr2wjo oXyi/0ZNv957pYrTHu08YIRr5OxalcE6Cxb4hZBqwbcubwKANSifLb72hcDEkNdR wshmt6mZUMtW8ToaGGt2b0csF2I0TClvBLQV8bxlbMZNFPYgUfBaHyCtHnv6bX65 Jlgyw46pv9o0aeIF24rmP9jDEX+Hcig5Qu/EdLkd9lDl5YMxxVv9LlGq8tt7TQjI J97DeUFYjvePGMzirPFc7EvEoN35f19/5IuZUEQQ8wE4I/R1gNqOxbpGUqvReTbA +WJHqqT6sbJ1ys/mWRlGYMkn1xPNG3scpTNNh9/f3f/+ci3knOeYNeieVjjFvIv0 4+toMQGIU7gB0mU67oLyClygOvC0DeBSQk8nFk0pznzUqdQlsqnbbI5O0KWFjf57 jZV9l5khfdkkZiTIkGEZ3RY7X4pcrKd4kI+5+2OLiZOQVw2rudE3+ocysxP0osmA Ec+dr3uxL1YKdR4GVvk5mCMNlln6PpfT5Y21YSiipnGsWC1hvYkbPaj4u/T5oV5T B1bP/R7gQw4yfQ== =NQFt -----END PGP SIGNATURE----- Merge tag 'powerpc-spectre-rsb' of powerpc-CVE-2019-18660.bundle Pull powerpc Spectre-RSB fixes from Michael Ellerman: "We failed to activate the mitigation for Spectre-RSB (Return Stack Buffer, aka. ret2spec) on context switch, on CPUs prior to Power9 DD2.3. That allows a process to poison the RSB (called Link Stack on Power CPUs) and possibly misdirect speculative execution of another process. If the victim process can be induced to execute a leak gadget then it may be possible to extract information from the victim via a side channel. The fix is to correctly activate the link stack flush mitigation on all CPUs that have any mitigation of Spectre v2 in userspace enabled. There's a second commit which adds a link stack flush in the KVM guest exit path. A leak via that path has not been demonstrated, but we believe it's at least theoretically possible. This is the fix for CVE-2019-18660" * tag 'powerpc-spectre-rsb' of /home/torvalds/Downloads/powerpc-CVE-2019-18660.bundle: KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel powerpc/book3s64: Fix link stack flush on context switch |
||
---|---|---|
.. | ||
book3s_32_mmu_host.c | ||
book3s_32_mmu.c | ||
book3s_32_sr.S | ||
book3s_64_mmu_host.c | ||
book3s_64_mmu_hv.c | ||
book3s_64_mmu_radix.c | ||
book3s_64_mmu.c | ||
book3s_64_slb.S | ||
book3s_64_vio_hv.c | ||
book3s_64_vio.c | ||
book3s_emulate.c | ||
book3s_exports.c | ||
book3s_hv_builtin.c | ||
book3s_hv_hmi.c | ||
book3s_hv_interrupts.S | ||
book3s_hv_nested.c | ||
book3s_hv_ras.c | ||
book3s_hv_rm_mmu.c | ||
book3s_hv_rm_xics.c | ||
book3s_hv_rm_xive.c | ||
book3s_hv_rmhandlers.S | ||
book3s_hv_tm_builtin.c | ||
book3s_hv_tm.c | ||
book3s_hv.c | ||
book3s_interrupts.S | ||
book3s_mmu_hpte.c | ||
book3s_paired_singles.c | ||
book3s_pr_papr.c | ||
book3s_pr.c | ||
book3s_rmhandlers.S | ||
book3s_rtas.c | ||
book3s_segment.S | ||
book3s_xics.c | ||
book3s_xics.h | ||
book3s_xive_native.c | ||
book3s_xive_template.c | ||
book3s_xive.c | ||
book3s_xive.h | ||
book3s.c | ||
book3s.h | ||
booke_emulate.c | ||
booke_interrupts.S | ||
booke.c | ||
booke.h | ||
bookehv_interrupts.S | ||
e500_emulate.c | ||
e500_mmu_host.c | ||
e500_mmu_host.h | ||
e500_mmu.c | ||
e500.c | ||
e500.h | ||
e500mc.c | ||
emulate_loadstore.c | ||
emulate.c | ||
fpu.S | ||
irq.h | ||
Kconfig | ||
Makefile | ||
mpic.c | ||
powerpc.c | ||
timing.c | ||
timing.h | ||
tm.S | ||
trace_book3s.h | ||
trace_booke.h | ||
trace_hv.h | ||
trace_pr.h | ||
trace.h |