From owner-dev-commits-src-all@freebsd.org  Wed May 26 20:37:49 2021
Return-Path: <owner-dev-commits-src-all@freebsd.org>
Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 734FE645876;
 Wed, 26 May 2021 20:37:49 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4Fr2nm1Jdhz4gqn;
 Wed, 26 May 2021 20:37:48 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5964417731;
 Wed, 26 May 2021 20:37:47 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 14QKblY7054423;
 Wed, 26 May 2021 20:37:47 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 14QKbl1O054422;
 Wed, 26 May 2021 20:37:47 GMT (envelope-from git)
Date: Wed, 26 May 2021 20:37:47 GMT
Message-Id: <202105262037.14QKbl1O054422@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: c69096577383 - releng/13.0 - amd64: clear PSL.AC in the right
 frame
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.0
X-Git-Reftype: branch
X-Git-Commit: c690965773831b46f84a242b417372fc499302b4
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the src repository
 <dev-commits-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-all/>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Help: <mailto:dev-commits-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2021 20:37:49 -0000

The branch releng/13.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=c690965773831b46f84a242b417372fc499302b4

commit c690965773831b46f84a242b417372fc499302b4
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-05-22 19:48:36 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-26 19:31:22 +0000

    amd64: clear PSL.AC in the right frame
    
    If copyin family of routines fault, kernel does clear PSL.AC on the
    fault entry, but the AC flag of the faulted frame is kept intact.  Since
    onfault handler is effectively jump, AC survives until syscall exit.
    
    Approved by:    so
    Security:       FreeBSD-SA-21:11.smap
    Security:       CVE-2021-29628
    Reported by:    m00nbsd, via Sony
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation
    admbugs:        975
    
    (cherry picked from commit 91aae953cb807d6fb7a70782b323bf9beb60d7c9)
    (cherry picked from commit 6bbde34ae6088285af9d1cc587249c3e7a0159a9)
---
 sys/amd64/amd64/support.S           | 18 ++++++++++++------
 sys/amd64/linux/linux_support.s     |  5 ++++-
 sys/amd64/linux32/linux32_support.s |  5 ++++-
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/sys/amd64/amd64/support.S b/sys/amd64/amd64/support.S
index b623fba277db..7963071303b7 100644
--- a/sys/amd64/amd64/support.S
+++ b/sys/amd64/amd64/support.S
@@ -853,9 +853,11 @@ ENTRY(copyin_smap_erms)
 END(copyin_smap_erms)
 
 	ALIGN_TEXT
-	/* Trap entry clears PSL.AC */
 copy_fault:
-	movq	$0,PCB_ONFAULT(%r11)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r11)
 	movl	$EFAULT,%eax
 	POP_FRAME_POINTER
 	ret
@@ -1292,9 +1294,11 @@ ENTRY(subyte_smap)
 END(subyte_smap)
 
 	ALIGN_TEXT
-	/* Fault entry clears PSL.AC */
 fusufault:
-	movq	PCPU(CURPCB),%rcx
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	PCPU(CURPCB),%rcx
 	xorl	%eax,%eax
 	movq	%rax,PCB_ONFAULT(%rcx)
 	decq	%rax
@@ -1377,8 +1381,10 @@ ENTRY(copyinstr_smap)
 END(copyinstr_smap)
 
 cpystrflt:
-	/* Fault entry clears PSL.AC */
-	movl	$EFAULT,%eax
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movl	$EFAULT,%eax
 cpystrflt_x:
 	/* set *lencopied and return %eax */
 	movq	$0,PCB_ONFAULT(%r9)
diff --git a/sys/amd64/linux/linux_support.s b/sys/amd64/linux/linux_support.s
index 391f76414f22..2de778e151bf 100644
--- a/sys/amd64/linux/linux_support.s
+++ b/sys/amd64/linux/linux_support.s
@@ -34,7 +34,10 @@
 #include "assym.inc"
 
 futex_fault:
-	movq	$0,PCB_ONFAULT(%r8)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r8)
 	movl	$-EFAULT,%eax
 	ret
 
diff --git a/sys/amd64/linux32/linux32_support.s b/sys/amd64/linux32/linux32_support.s
index 981bba9f5821..7ff3e2293f6e 100644
--- a/sys/amd64/linux32/linux32_support.s
+++ b/sys/amd64/linux32/linux32_support.s
@@ -34,7 +34,10 @@
 #include "assym.inc"
 
 futex_fault:
-	movq	$0,PCB_ONFAULT(%r8)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r8)
 	movl	$-EFAULT,%eax
 	ret