
amd64: prevents speculations over swapgs reload of %gs base.

Description

amd64: prevents speculations over swapgs reload of %gs base.

Such speculations could use user-controlled %gs base, esp. since
FreeBSD supports WRGSBASE instructions.

Place LFENCEs on entry for each basic block after the test for
previous kernel/user mode on the kernel entry, which prevents the
speculation. Code accesses %gs-based PCPU before any serialization
instructions are executed, like %cr3 reload for KPTI.

With pti disabled, on haswell i7-4770S machine, "syscall_timings getppid"
shows when no lfence is added to syscall path:
test loop time iterations periteration
getppid 0 1.040918865 4643611 0.000000224
getppid 1 1.004985962 4481816 0.000000224
getppid 2 1.005196483 4482363 0.000000224
with lfence:
getppid 0 1.043701091 4554779 0.000000229
getppid 1 1.016930328 4438094 0.000000229
getppid 2 1.023223117 4466640 0.000000229
and ministat reports 'No difference proven at 95.0% confidence.'

Security: CVE-2019-1125
Sponsored by: The FreeBSD Foundation
MFC after: 1 week

Details

Provenance
kib authored on Aug 6 2019, 4:53 PM
Parents
rG814f33aafbfe: Since r350426 this KASSERT doesn't serve any useful purpose.