From b2cd12602fb3252608db494b958afbf3b4d5c4f0 Mon Sep 17 00:00:00 2001 From: Andy Whitcroft Date: Fri, 26 Jan 2018 12:37:21 +0000 Subject: [PATCH 45/89] Revert "x86, bpf, jit: prevent speculative execution when JIT is enabled" CVE-2017-5753 (revert embargoed) CVE-2017-5715 (revert embargoed) This reverts commit cf9676859a05d0d784067072e8121e63888bacc7. Signed-off-by: Andy Whitcroft --- arch/x86/net/bpf_jit_comp.c | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index 879dbfefb66d..4d50ced94686 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -107,27 +107,6 @@ static void bpf_flush_icache(void *start, void *end) set_fs(old_fs); } -static void emit_memory_barrier(u8 **pprog) -{ - u8 *prog = *pprog; - int cnt = 0; - - if (bpf_jit_blinding_enabled()) { - if (boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) - /* x86 LFENCE opcode 0F AE E8 */ - EMIT3(0x0f, 0xae, 0xe8); - else if (boot_cpu_has(X86_FEATURE_MFENCE_RDTSC)) - /* AMD MFENCE opcode 0F AE F0 */ - EMIT3(0x0f, 0xae, 0xf0); - else - /* we should never end up here, - * but if we do, better not to emit anything*/ - return; - } - *pprog = prog; - return; -} - #define CHOOSE_LOAD_FUNC(K, func) \ ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset) @@ -420,7 +399,7 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, case BPF_ADD: b2 = 0x01; break; case BPF_SUB: b2 = 0x29; break; case BPF_AND: b2 = 0x21; break; - case BPF_OR: b2 = 0x09; emit_memory_barrier(&prog); break; + case BPF_OR: b2 = 0x09; break; case BPF_XOR: b2 = 0x31; break; } if (BPF_CLASS(insn->code) == BPF_ALU64) @@ -667,16 +646,6 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, case BPF_ALU64 | BPF_RSH | BPF_X: case BPF_ALU64 | BPF_ARSH | BPF_X: - /* If blinding is enabled, each - * BPF_LD | BPF_IMM | BPF_DW instruction - * is converted to 4 eBPF instructions with - * BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32) - * always present(number 3). Detect such cases - * and insert memory barriers. */ - if ((BPF_CLASS(insn->code) == BPF_ALU64) - && (BPF_OP(insn->code) == BPF_LSH) - && (src_reg == BPF_REG_AX)) - emit_memory_barrier(&prog); /* check for bad case when dst_reg == rcx */ if (dst_reg == BPF_REG_4) { /* mov r11, dst_reg */ -- 2.15.1