

[src/trunk]: src/sys/arch/amd64/amd64 Add a layer of mitigation against the i...



details:   https://anonhg.NetBSD.org/src/rev/a81f9b502413
branches:  trunk
changeset: 356088:a81f9b502413
user:      maxv <maxv%NetBSD.org@localhost>
date:      Thu Aug 31 10:30:58 2017 +0000

description:
Add a layer of mitigation against the intel sysret vuln: restore %gs when
sysretq faults. Right now we try to make sure that %rip is canonical by
performing sanity checks in several places, but I've already found missing
checks twice, and there may be others.

By performing an additional swapgs here, we are turning ring0 exploits to
simple DoSes - which are still security bugs, but of a lower impact.

diffstat:

 sys/arch/amd64/amd64/amd64_trap.S |  14 ++++++++++----
 sys/arch/amd64/amd64/locore.S     |   4 +++-
 2 files changed, 13 insertions(+), 5 deletions(-)

diffs (67 lines):

diff -r 795378b59ccc -r a81f9b502413 sys/arch/amd64/amd64/amd64_trap.S
--- a/sys/arch/amd64/amd64/amd64_trap.S Thu Aug 31 09:33:19 2017 +0000
+++ b/sys/arch/amd64/amd64/amd64_trap.S Thu Aug 31 10:30:58 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: amd64_trap.S,v 1.8 2017/08/31 09:33:19 maxv Exp $      */
+/*     $NetBSD: amd64_trap.S,v 1.9 2017/08/31 10:30:58 maxv Exp $      */
 
 /*
  * Copyright (c) 1998, 2007, 2008, 2017 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
 
 #if 0
 #include <machine/asm.h>
-__KERNEL_RCSID(0, "$NetBSD: amd64_trap.S,v 1.8 2017/08/31 09:33:19 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: amd64_trap.S,v 1.9 2017/08/31 10:30:58 maxv Exp $");
 #endif
 
 /*
@@ -378,7 +378,13 @@
        /*
         * Trap in kernel mode.
         */
-       /* Case 1: fault on iretq? */
+
+       /* Case 1: fault on sysretq? */
+       leaq    do_sysret(%rip),%rdi
+       cmpq    %rdi,TF_RIP(%rsp)
+       je      1b
+
+       /* Case 2: fault on iretq? */
        movq    TF_RIP(%rsp),%rax
        cmpw    $0xcf48,(%rax)          /* Faulting instruction is iretq ? */
        jne     5f                      /* Jump if not */
@@ -388,7 +394,7 @@
        jmp     1b                      /* to user - must restore %gs */
 5:
 
-       /* Case 2: move to %gs? */
+       /* Case 3: move to %gs? */
        movw    (%rax),%ax
        andb    $070,%ah                /* mask mod/rm from mod/reg/rm */
        cmpw    $0x8e+050*256,%ax       /* Any move to %gs (reg 5) */
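Review bot: The new sysretq case ends in `je 1b` without saying why the user-return path is the right recovery; the comment should state it, e.g. `/* Case 1: fault on sysretq? %gs is still the user one, take the to-user path (1b) to restore it */`, mirroring the existing `/* to user - must restore %gs */` on the iretq case. The check matches TF_RIP against the exact address of do_sysret, so it covers only the sysretq instruction itself; a word that this is intentional would keep a later reader from widening it to a range. The matching locore.S hunk loads %rsp from TF_RSP before reaching do_sysret, so when sysretq faults at CPL 0 the frame read here through TF_RIP(%rsp) sits on whatever stack was current at that point unless #GP is delivered on a dedicated IST stack — the diff does not show which, so a comment recording that assumption at this check would be worth adding. The enclosing trap handler starts and ends outside this hunk.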
diff -r 795378b59ccc -r a81f9b502413 sys/arch/amd64/amd64/locore.S
--- a/sys/arch/amd64/amd64/locore.S     Thu Aug 31 09:33:19 2017 +0000
+++ b/sys/arch/amd64/amd64/locore.S     Thu Aug 31 10:30:58 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: locore.S,v 1.127 2017/08/31 09:27:28 maxv Exp $        */
+/*     $NetBSD: locore.S,v 1.128 2017/08/31 10:30:58 maxv Exp $        */
 
 /*
  * Copyright-o-rama!
@@ -328,6 +328,7 @@
        .globl  _C_LABEL(bootinfo)
        .globl  _C_LABEL(biosbasemem)
        .globl  _C_LABEL(biosextmem)
+       .globl  do_sysret
 
        .type   _C_LABEL(tablesize), @object
 _C_LABEL(tablesize):   .long   TABLESIZE
@@ -1313,6 +1314,7 @@
        movq    TF_RIP(%rsp),%rcx       /* %rip for sysret */
        movq    TF_RFLAGS(%rsp),%r11    /* %flags for sysret */
        movq    TF_RSP(%rsp),%rsp
+do_sysret:
        sysretq
 #else
        addq    $TF_RIP,%rsp
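Review bot: `do_sysret:` is defined inside a conditional section — the `#else` on the next line shows it — while the `.globl do_sysret` added in the earlier hunk and the `leaq do_sysret(%rip),%rdi` check in amd64_trap.S are unconditional, so building the `#else` alternative would leave that reference to an undefined symbol. The opening `#if` is outside this hunk, so this may be a configuration that is never built, but the `.globl` and the trap-side check should then sit under the same guard, or the label should also be provided in the `#else` path. The label also deserves a line noting its role, e.g. `/* do_sysret: address matched by the kernel-mode fault path in amd64_trap.S */`, since nothing else marks it as an address that is compared rather than jumped to. The enclosing routine starts and ends outside the hunk.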


