Commit 7a63184
x86/ibt: Keep IBT disabled during alternative patching
commit ebebe30 upstream.
cfi_rewrite_callers() updates the fineIBT hash matching at the caller side,
but except for paranoid-mode it relies on apply_retpoline() and friends for
any ENDBR relocation. This could temporarily cause an indirect branch to
land on a poisoned ENDBR.
For instance, with para-virtualization enabled, a simple wrmsrl() could
have an indirect branch pointing to native_write_msr() whose ENDBR has been
relocated due to fineIBT:
<wrmsrl>:
        push   %rbp
        mov    %rsp,%rbp
        mov    %esi,%eax
        mov    %rsi,%rdx
        shr    $0x20,%rdx
        mov    %edi,%edi
        mov    %rax,%rsi
        call   *0x21e65d0(%rip)        # <pv_ops+0xb8>
        ^^^^^^^^^^^^^^^^^^^^^^^
Such an indirect call during the alternative patching could #CP if the
caller is not *yet* adjusted for the new target ENDBR. To prevent a false
#CP, keep CET-IBT disabled until all callers are patched.
Patching during the module load does not need to be guarded by IBT-disable
because the module code is not executed until the patching is complete.
[ pawan: Since apply_paravirt() happens before __apply_fineibt()
relocates the ENDBR, pv_ops in the example above is not relevant.
It is still safer to keep this commit because missing an ENDBR
means an oops. ]
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 6699bf27a47156baafde7e3f4a732aab2ad9f8cb)
Conflicts:
	arch/x86/kernel/alternative.c
1 parent 37f1148
1 file changed
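The ordering hazard the commit message describes, as an added model written for this page (it is not kernel code and not part of the commit): a fake "text" array stands in for a function whose ENDBR gets relocated, a flag stands in for CET-IBT enforcement, and a counter stands in for #CP. The relocate/rewrite helpers, the POISON and NOP words, and the indirect call placed between the callee-side and caller-side patching steps are all constructed; the point is only to show that with IBT enforced during that window the unadjusted caller faults, and with IBT held off until the callers are rewritten it does not.

```c
/*
 * Added model of the patching-order hazard described in the commit message.
 * This is NOT kernel code: the text array, ENDBR/poison words, IBT flag and
 * #CP counter are constructed stand-ins for the CPU and for alternative.c.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS     8
#define ENDBR_MARK 0xfa1e0ff3u  /* endbr64 bytes f3 0f 1e fa as a little-endian word */
#define POISON     0x0b0f0b0fu  /* constructed stand-in for a poisoned (non-ENDBR) slot */
#define NOP_WORD   0x90909090u  /* filler for the remaining slots */

struct target {
    uint32_t text[NSLOTS];      /* fake code: slot 0 holds the original ENDBR */
};

struct call_site {
    struct target *t;
    unsigned off;               /* slot the indirect call lands on */
};

/* Model CPU state: CET-IBT enforcement and a running count of #CP faults. */
static bool ibt_enabled = true;
static unsigned cp_faults;

/* Indirect branch: with IBT on, landing anywhere but an ENDBR raises #CP. */
static bool indirect_call(const struct call_site *c)
{
    uint32_t landing = c->t->text[c->off];

    if (landing == ENDBR_MARK)
        return true;
    if (ibt_enabled) {
        cp_faults++;            /* #CP: control-protection fault */
        return false;
    }
    return true;                /* IBT off: the poison is just another instruction here */
}

/* Stand-in for the callee-side step: ENDBR moves from slot 0 to slot 4, slot 0 is poisoned. */
static void relocate_endbr(struct target *t)
{
    t->text[0] = POISON;
    t->text[4] = ENDBR_MARK;
}

/* Stand-in for cfi_rewrite_callers(): point the call site at the relocated ENDBR. */
static void rewrite_caller(struct call_site *c)
{
    c->off = 4;
}

/*
 * Run one patching sequence and return the number of #CP faults it caused.
 * guard_ibt == true models the fix: enforcement stays off until both the
 * callee and the caller have been patched. The indirect call in the middle
 * stands for any indirect call the patcher itself takes between the two steps.
 */
static unsigned run_patching(bool guard_ibt)
{
    struct target fn;
    struct call_site site = { .t = &fn, .off = 0 };
    unsigned before = cp_faults;

    for (int i = 0; i < NSLOTS; i++)
        fn.text[i] = NOP_WORD;
    fn.text[0] = ENDBR_MARK;
    ibt_enabled = true;

    if (guard_ibt)
        ibt_enabled = false;

    relocate_endbr(&fn);        /* callee side: the original ENDBR is now poison */
    indirect_call(&site);       /* caller not yet adjusted: lands on the poison */
    rewrite_caller(&site);      /* caller side: now targets the relocated ENDBR */

    ibt_enabled = true;         /* enforcement back on once all callers are patched */
    indirect_call(&site);       /* steady state: lands on a real ENDBR */

    return cp_faults - before;
}

int main(void)
{
    printf("unguarded patching:   %u #CP\n", run_patching(false));
    printf("IBT-guarded patching: %u #CP\n", run_patching(true));
    return 0;
}
```

The unguarded run faults exactly once, at the call that happens after the ENDBR has moved but before the caller is rewritten; the guarded run never faults, and the final call with IBT re-enabled still lands on a valid ENDBR, which is the state the patch leaves the kernel in.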
Lines changed: 8 additions & 0 deletions
arch/x86/kernel/alternative.c: four hunks, all additions, at new-file lines 33, 1633-1634, 1675-1677 and 1712-1713 (following old-file lines 32, 1631, 1671 and 1705). The diff body itself is not reproduced on this page.