On Sun, Feb 09, 2020 at 06:17:47PM -0800, Anthony Steinhauser wrote:
> In the current implementation of the TAA mitigation if the cpuid_level
> is 6 and it's an Intel CPU, the sefflags_edx variable is used without
> being initialized. If the SEFF0EDX_ARCH_CAP bit is accidentally flipped
> in it, the rdmsr on the unimplemented MSR_ARCH_CAPABILITIES index leads
> to a #GP fault.
>
> This change initializes the sefflags_edx variable to 0 which is
> consistent with the MSR_ARCH_CAPABILITIES being unavailable.

Thanks for the report. Committed a different fix: Index: i386/i386/cpu.c =================================================================== RCS file: /cvs/src/sys/arch/i386/i386/cpu.c,v retrieving revision 1.98 diff -u -p -r1.98 cpu.c --- i386/i386/cpu.c 20 Dec 2019 07:55:30 -0000 1.98 +++ i386/i386/cpu.c 10 Feb 2020 03:04:02 -0000 @@ -476,8 +476,10 @@ cpu_tsx_disable(struct cpu_info *ci) uint32_t dummy, sefflags_edx; /* this runs before identifycpu() populates ci_feature_sefflags_edx */ - if (cpuid_level >= 0x07) - CPUID_LEAF(0x7, 0, dummy, dummy, dummy, sefflags_edx); + if (cpuid_level < 0x07) + return; + CPUID_LEAF(0x7, 0, dummy, dummy, dummy, sefflags_edx); + if (strcmp(cpu_vendor, "GenuineIntel") == 0 && (sefflags_edx & SEFF0EDX_ARCH_CAP)) { msr = rdmsr(MSR_ARCH_CAPABILITIES); Index: amd64/amd64/cpu.c =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/cpu.c,v retrieving revision 1.143 diff -u -p -r1.143 cpu.c --- amd64/amd64/cpu.c 20 Dec 2019 07:49:31 -0000 1.143 +++ amd64/amd64/cpu.c 10 Feb 2020 03:03:51 -0000 @@ -1167,8 +1167,10 @@ cpu_tsx_disable(struct cpu_info *ci) uint32_t dummy, sefflags_edx; /* this runs before identifycpu() populates ci_feature_sefflags_edx */ - if (cpuid_level >= 0x07) - CPUID_LEAF(0x7, 0, dummy, dummy, dummy, sefflags_edx); + if (cpuid_level < 0x07) + return; + CPUID_LEAF(0x7, 0, dummy, dummy, dummy, sefflags_edx); + if (strcmp(cpu_vendor, "GenuineIntel") == 0 && (sefflags_edx & SEFF0EDX_ARCH_CAP)) { msr = rdmsr(MSR_ARCH_CAPABILITIES);
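
Review bot: In the i386/i386/cpu.c hunk, the new early `return` under `if (cpuid_level < 0x07)` has no comment saying why leaving the function there is safe; the only comment is the existing one about identifycpu(). Extending it with something like "no leaf 7 means no SEFF0EDX_ARCH_CAP bit, so MSR_ARCH_CAPABILITIES must not be read" would document that the return exists to keep rdmsr off an unimplemented MSR. It is also worth confirming that nothing later in cpu_tsx_disable() is meant to run on CPUs with cpuid_level below 7, since the return now skips all of it.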
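
Review bot: In the amd64/amd64/cpu.c hunk, `uint32_t dummy, sefflags_edx;` is still declared without an initializer, so the `sefflags_edx & SEFF0EDX_ARCH_CAP` test is correct only because of the early return added above it. Initializing the variable to 0 at the declaration, as the original report proposed, costs nothing alongside this fix and keeps the rdmsr guarded if the control flow is edited later. The same point applies to the identical declaration in the i386 hunk.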