Commit d3a5e492 authored by Borislav Petkov (AMD)'s avatar Borislav Petkov (AMD) Committed by Jialin Zhang
Browse files

x86/CPU/AMD: Do not leak quotient data after a division by 0 

stable inclusion
from stable-v5.10.190
commit b6fc2fbf89089ecfb8eb9a89a7fc91d444f4fec7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7WY4J
CVE: CVE-2023-20588

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b6fc2fbf89089ecfb8eb9a89a7fc91d444f4fec7



--------------------------------

commit 77245f1c upstream.

Under certain circumstances, an integer division by 0 which faults, can
leave stale quotient data from a previous division operation on Zen1
microarchitectures.

Do a dummy division 0/1 before returning from the #DE exception handler
in order to avoid any leaks of potentially sensitive data.

Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
Cc: <stable@kernel.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>

 Conflicts:
	arch/x86/include/asm/cpufeatures.h
	arch/x86/include/asm/processor.h

Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parent f5d546f4

arch/x86/include/asm/cpufeatures.h

+1 −0
Original line number Diff line number Diff line
@@ -478,5 +478,6 @@ 
#define X86_BUG_EIBRS_PBRSB		X86_BUG(28) /* EIBRS is vulnerable to Post Barrier RSB Predictions */

#define X86_BUG_SMT_RSB			X86_BUG(29) /* CPU is vulnerable to Cross-Thread Return Address Predictions */

#define X86_BUG_GDS			X86_BUG(30) /* CPU is affected by Gather Data Sampling */

#define X86_BUG_DIV0			X86_BUG(31) /* AMD DIV0 speculation bug */



#endif /* _ASM_X86_CPUFEATURES_H */

arch/x86/include/asm/processor.h

+2 −0
Original line number Diff line number Diff line
@@ -834,9 +834,11 @@ extern u16 get_llc_id(unsigned int cpu); 
#ifdef CONFIG_CPU_SUP_AMD

extern u16 amd_get_nb_id(int cpu);

extern u32 amd_get_nodes_per_socket(void);

extern void amd_clear_divider(void);

#else

static inline u16 amd_get_nb_id(int cpu)		{ return 0; }

static inline u32 amd_get_nodes_per_socket(void)	{ return 0; }

static inline void amd_clear_divider(void)		{ }

#endif



static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)

arch/x86/kernel/cpu/amd.c

+19 −0
Original line number Diff line number Diff line
@@ -77,6 +77,10 @@ static const int amd_zenbleed[] = 
			   AMD_MODEL_RANGE(0x17, 0x90, 0x0, 0x91, 0xf),

			   AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf));



static const int amd_div0[] =

	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x00, 0x0, 0x2f, 0xf),

			   AMD_MODEL_RANGE(0x17, 0x50, 0x0, 0x5f, 0xf));



static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)

{

	int osvw_id = *erratum++;
@@ -1160,6 +1164,11 @@ static void init_amd(struct cpuinfo_x86 *c) 
	check_null_seg_clears_base(c);



	zenbleed_check(c);



	if (cpu_has_amd_erratum(c, amd_div0)) {

		pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n");

		setup_force_cpu_bug(X86_BUG_DIV0);

	}

}



#ifdef CONFIG_X86_32
@@ -1285,3 +1294,13 @@ void amd_check_microcode(void) 
{

	on_each_cpu(zenbleed_check_cpu, NULL, 1);

}



/*

 * Issue a DIV 0/1 insn to clear any division data from previous DIV

 * operations.

 */

void noinstr amd_clear_divider(void)

{

	asm volatile(ALTERNATIVE("", "div %2\n\t", X86_BUG_DIV0)

		     :: "a" (0), "d" (0), "r" (1));

}

arch/x86/kernel/traps.c

+2 −0
Original line number Diff line number Diff line
@@ -207,6 +207,8 @@ DEFINE_IDTENTRY(exc_divide_error) 
{

	do_error_trap(regs, 0, "divide error", X86_TRAP_DE, SIGFPE,

		      FPE_INTDIV, error_get_trap_addr(regs));



	amd_clear_divider();

}



DEFINE_IDTENTRY(exc_overflow)