From 0aca66e99a22f8f083168c244fa67dc7993fb157 Mon Sep 17 00:00:00 2001
From: Michael Young <m.a.young@durham.ac.uk>
Date: Nov 08 2022 22:29:29 +0000
Subject: x86: Multiple speculative security issues


---

diff --git a/xen.spec b/xen.spec
index db387f5..27ed461 100644
--- a/xen.spec
+++ b/xen.spec
@@ -55,7 +55,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.16.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
 Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz
@@ -169,6 +169,8 @@ Patch101: xsa419-xenstored-03.patch
 Patch102: xsa420.patch
 Patch103: xsa421-01.patch
 Patch104: xsa421-02.patch
+Patch105: xsa422-4.16-1.patch
+Patch106: xsa422-4.16-2.patch
 
 
 %if %build_qemutrad
@@ -439,6 +441,8 @@ manage Xen virtual machines.
 %patch102 -p1
 %patch103 -p1
 %patch104 -p1
+%patch105 -p1
+%patch106 -p1
 
 # qemu-xen-traditional patches
 pushd tools/qemu-xen-traditional
@@ -1054,6 +1058,9 @@ fi
 %endif
 
 %changelog
+* Tue Nov 08 2022 Michael Young <m.a.young@durham.ac.uk> - 4.16.2-4
+- x86: Multiple speculative security issues [XSA-422, CVE-2022-23824]
+
 * Tue Nov 01 2022 Michael Young <m.a.young@durham.ac.uk> - 4.16.2-3
 - x86: unintended memory sharing between guests [XSA-412, CVE-2022-42327]
 - Xenstore: Guests can crash xenstored [XSA-414, CVE-2022-42309]
diff --git a/xsa422-4.16-1.patch b/xsa422-4.16-1.patch
new file mode 100644
index 0000000..1d36873
--- /dev/null
+++ b/xsa422-4.16-1.patch
@@ -0,0 +1,70 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Enumeration for IBPB_RET
+
+The IBPB_RET bit indicates that the CPU's implementation of MSR_PRED_CMD.IBPB
+does flush the RSB/RAS too.
+
+This is part of XSA-422 / CVE-2022-23824.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c
+index bf6fdee360a9..691d5c6b2a68 100644
+--- a/tools/libs/light/libxl_cpuid.c
++++ b/tools/libs/light/libxl_cpuid.c
+@@ -289,6 +289,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
+         {"ssb-no",       0x80000008, NA, CPUID_REG_EBX, 26,  1},
+         {"psfd",         0x80000008, NA, CPUID_REG_EBX, 28,  1},
+         {"btc-no",       0x80000008, NA, CPUID_REG_EBX, 29,  1},
++        {"ibpb-ret",     0x80000008, NA, CPUID_REG_EBX, 30,  1},
+ 
+         {"nc",           0x80000008, NA, CPUID_REG_ECX,  0,  8},
+         {"apicidsize",   0x80000008, NA, CPUID_REG_ECX, 12,  4},
+diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
+index fe22f5f5b68b..cd094427dd4c 100644
+--- a/tools/misc/xen-cpuid.c
++++ b/tools/misc/xen-cpuid.c
+@@ -159,6 +159,7 @@ static const char *const str_e8b[32] =
+     [24] = "amd-ssbd",         [25] = "virt-ssbd",
+     [26] = "ssb-no",
+     [28] = "psfd",             [29] = "btc-no",
++    [30] = "ibpb-ret",
+ };
+ 
+ static const char *const str_7d0[32] =
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 0f4bad3d3abb..16a562d3a172 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -419,7 +419,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+      * Hardware read-only information, stating immunity to certain issues, or
+      * suggestions of which mitigation to use.
+      */
+-    printk("  Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
++    printk("  Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+            (caps & ARCH_CAPS_RDCL_NO)                        ? " RDCL_NO"        : "",
+            (caps & ARCH_CAPS_IBRS_ALL)                       ? " IBRS_ALL"       : "",
+            (caps & ARCH_CAPS_RSBA)                           ? " RSBA"           : "",
+@@ -436,7 +436,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+            (e8b  & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS))   ? " STIBP_ALWAYS"   : "",
+            (e8b  & cpufeat_mask(X86_FEATURE_IBRS_FAST))      ? " IBRS_FAST"      : "",
+            (e8b  & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : "",
+-           (e8b  & cpufeat_mask(X86_FEATURE_BTC_NO))         ? " BTC_NO"         : "");
++           (e8b  & cpufeat_mask(X86_FEATURE_BTC_NO))         ? " BTC_NO"         : "",
++           (e8b  & cpufeat_mask(X86_FEATURE_IBPB_RET))       ? " IBPB_RET"       : "");
+ 
+     /* Hardware features which need driving to mitigate issues. */
+     printk("  Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n",
+diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
+index e7b8167800a2..e0731221404c 100644
+--- a/xen/include/public/arch-x86/cpufeatureset.h
++++ b/xen/include/public/arch-x86/cpufeatureset.h
+@@ -267,6 +267,7 @@ XEN_CPUFEATURE(VIRT_SSBD,     8*32+25) /*   MSR_VIRT_SPEC_CTRL.SSBD */
+ XEN_CPUFEATURE(SSB_NO,        8*32+26) /*A  Hardware not vulnerable to SSB */
+ XEN_CPUFEATURE(PSFD,          8*32+28) /*S  MSR_SPEC_CTRL.PSFD */
+ XEN_CPUFEATURE(BTC_NO,        8*32+29) /*A  Hardware not vulnerable to Branch Type Confusion */
++XEN_CPUFEATURE(IBPB_RET,      8*32+30) /*A  IBPB clears RSB/RAS too. */
+ 
+ /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */
+ XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A  AVX512 Neural Network Instructions */
diff --git a/xsa422-4.16-2.patch b/xsa422-4.16-2.patch
new file mode 100644
index 0000000..a1a2f8d
--- /dev/null
+++ b/xsa422-4.16-2.patch
@@ -0,0 +1,100 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Mitigate IBPB not flushing the RSB/RAS
+
+Introduce spec_ctrl_new_guest_context() to encapsulate all logic pertaining to
+using MSR_PRED_CMD for a new guest context, even if it only has one user
+presently.
+
+Introduce X86_BUG_IBPB_NO_RET, and use it extend spec_ctrl_new_guest_context()
+with a manual fixup for hardware which mis-implements IBPB.
+
+This is part of XSA-422 / CVE-2022-23824.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/xen/arch/x86/asm-macros.c b/xen/arch/x86/asm-macros.c
+index 7e536b0d82f5..891d86c7655c 100644
+--- a/xen/arch/x86/asm-macros.c
++++ b/xen/arch/x86/asm-macros.c
+@@ -1,2 +1,3 @@
+ #include <asm/asm-defns.h>
+ #include <asm/alternative-asm.h>
++#include <asm/spec_ctrl_asm.h>
+diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
+index 3fab2364be8d..3080cde62b5b 100644
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -2092,7 +2092,7 @@ void context_switch(struct vcpu *prev, struct vcpu *next)
+              */
+             if ( *last_id != next_id )
+             {
+-                wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
++                spec_ctrl_new_guest_context();
+                 *last_id = next_id;
+             }
+         }
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 16a562d3a172..90d86fe5cb47 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -805,6 +805,14 @@ static void __init ibpb_calculations(void)
+     }
+ 
+     /*
++     * AMD/Hygon CPUs to date (June 2022) don't flush the the RAS.  Future
++     * CPUs are expected to enumerate IBPB_RET when this has been fixed.
++     * Until then, cover the difference with the software sequence.
++     */
++    if ( boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_IBPB_RET) )
++        setup_force_cpu_cap(X86_BUG_IBPB_NO_RET);
++
++    /*
+      * IBPB-on-entry mitigations for Branch Type Confusion.
+      *
+      * IBPB && !BTC_NO selects all AMD/Hygon hardware, not known to be safe,
+diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h
+index 672c9ee22ba2..ecc1bb09505a 100644
+--- a/xen/include/asm-x86/cpufeatures.h
++++ b/xen/include/asm-x86/cpufeatures.h
+@@ -49,6 +49,7 @@ XEN_CPUFEATURE(IBPB_ENTRY_HVM,    X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen for
+ #define X86_BUG_FPU_PTRS          X86_BUG( 0) /* (F)X{SAVE,RSTOR} doesn't save/restore FOP/FIP/FDP. */
+ #define X86_BUG_NULL_SEG          X86_BUG( 1) /* NULL-ing a selector preserves the base and limit. */
+ #define X86_BUG_CLFLUSH_MFENCE    X86_BUG( 2) /* MFENCE needed to serialise CLFLUSH */
++#define X86_BUG_IBPB_NO_RET       X86_BUG( 3) /* IBPB doesn't flush the RSB/RAS */
+ 
+ /* Total number of capability words, inc synth and bug words. */
+ #define NCAPINTS (FSCAPINTS + X86_NR_SYNTH + X86_NR_BUG) /* N 32-bit words worth of info */
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 9403b81dc7af..6a77c3937844 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -65,6 +65,28 @@
+ void init_speculation_mitigations(void);
+ void spec_ctrl_init_domain(struct domain *d);
+ 
++/*
++ * Switch to a new guest prediction context.
++ *
++ * This flushes all indirect branch predictors (BTB, RSB/RAS), so guest code
++ * which has previously run on this CPU can't attack subsequent guest code.
++ *
++ * As this flushes the RSB/RAS, it destroys the predictions of the calling
++ * context.  For best performace, arrange for this to be used when we're going
++ * to jump out of the current context, e.g. with reset_stack_and_jump().
++ *
++ * For hardware which mis-implements IBPB, fix up by flushing the RSB/RAS
++ * manually.
++ */
++static always_inline void spec_ctrl_new_guest_context(void)
++{
++    wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
++
++    /* (ab)use alternative_input() to specify clobbers. */
++    alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET,
++                      : "rax", "rcx");
++}
++
+ extern int8_t opt_ibpb_ctxt_switch;
+ extern bool opt_ssbd;
+ extern int8_t opt_eager_fpu;