90e35b0a98
Such speculations could use user-controlled %gs base, esp. since FreeBSD
supports WRGSBASE instructions. Place LFENCEs on entry for each basic
block after the test for previous kernel/user mode on the kernel entry,
which prevents the speculation. Code accesses %gs-based PCPU before any
serialization instructions are executed, like %cr3 reload for KPTI.

With pti disabled, on haswell i7-4770S machine, "syscall_timings getppid"
shows when no lfence is added to syscall path:

test     loop  time         iterations  periteration
getppid  0     1.040918865  4643611     0.000000224
getppid  1     1.004985962  4481816     0.000000224
getppid  2     1.005196483  4482363     0.000000224

with lfence:

getppid  0     1.043701091  4554779     0.000000229
getppid  1     1.016930328  4438094     0.000000229
getppid  2     1.023223117  4466640     0.000000229

and ministat reports 'No difference proven at 95.0% confidence.'

Security:      CVE-2019-1125
Sponsored by:  The FreeBSD Foundation
MFC after:     1 week
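The "no difference proven" conclusion above comes from ministat(1), which applies a pooled-variance Student's t-test to two sample sets. The following is an added example, not code from the commit or from FreeBSD: it re-implements that test in Python and feeds it the six iteration counts quoted in the commit message, so a reader can check the claim and reuse the function on their own before/after benchmark runs. It assumes ministat was run on the "iterations" column (the message does not say which column was compared), and the critical-value table is the standard two-tailed 95% Student's t table for small degrees of freedom.

```python
"""Pooled two-sample Student's t-test, as ministat(1) applies it, run on
the syscall_timings numbers quoted in the SWAPGS mitigation commit.

Added example; not FreeBSD code. Assumes the iteration counts were the
column ministat compared (an assumption, the commit does not say)."""
import math

# Iteration counts per ~1 s loop of "syscall_timings getppid", copied
# from the commit message: without LFENCE on the syscall path, and with it.
NO_LFENCE = [4643611, 4481816, 4482363]
WITH_LFENCE = [4554779, 4438094, 4466640]

# Two-tailed Student's t critical values at 95% confidence, indexed by
# degrees of freedom (standard table values; enough for small runs).
T_CRIT_95 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571,
             6: 2.447, 7: 2.365, 8: 2.306, 9: 2.262, 10: 2.228}


def mean(xs):
    return sum(xs) / len(xs)


def sample_variance(xs):
    """Unbiased (n-1) sample variance."""
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def pooled_t(a, b):
    """Return (t statistic, degrees of freedom) for the difference of means
    of two independent samples, using the pooled variance estimate."""
    na, nb = len(a), len(b)
    df = na + nb - 2
    sp2 = ((na - 1) * sample_variance(a) + (nb - 1) * sample_variance(b)) / df
    se = math.sqrt(sp2 * (1.0 / na + 1.0 / nb))
    return (mean(b) - mean(a)) / se, df


def difference_proven(a, b):
    """True if the two sample means differ at 95% confidence, i.e. what
    ministat reports as 'Difference at 95.0% confidence'."""
    t, df = pooled_t(a, b)
    if df not in T_CRIT_95:
        raise ValueError("extend T_CRIT_95 for %d degrees of freedom" % df)
    return abs(t) > T_CRIT_95[df]


def overhead_percent(before, after):
    """Point estimate of the slowdown: fewer iterations per second after
    the change means a positive percentage."""
    return (mean(before) - mean(after)) / mean(before) * 100.0


if __name__ == "__main__":
    t, df = pooled_t(NO_LFENCE, WITH_LFENCE)
    print("t = %.3f, df = %d, critical = %.3f" % (t, df, T_CRIT_95[df]))
    print("difference proven at 95%%: %s" % difference_proven(NO_LFENCE, WITH_LFENCE))
    print("mean overhead estimate: %.2f%%" % overhead_percent(NO_LFENCE, WITH_LFENCE))
```

With three runs per side the test has only four degrees of freedom, so the critical value is large (2.776) and a mean difference of roughly one percent in iteration count is well inside the noise of the individual runs; that is why ministat cannot separate the two sets, not because the LFENCE is free.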