Rollup merge of #65810 - raoulstrackx:ac_mitigation, r=nagisa

JohnTitor · web-flow · commit d40c6afba04c · 2019-10-26T02:46:02.000+09:00
SGX: Clear additional flag on enclave entry

An attacker could set both the AC flag in CR0 as in rflags. This causes the enclave to perform an AEX upon a misaligned memory access, and an attacker learns some information about the internal enclave state.
The AC flag in rflags is copied from userspace upon an enclave entry. Upon AEX it is copied and later restored. This patch forces the rflag.AC bit to be reset right after an enter.
diff --git a/src/libstd/sys/sgx/abi/entry.S b/src/libstd/sys/sgx/abi/entry.S
@@ -119,8 +119,14 @@ sgx_entry:
     mov %rbx,%gs:tcsls_tcs_addr
     stmxcsr %gs:tcsls_user_mxcsr
     fnstcw %gs:tcsls_user_fcw
+
 /*  reset user state */
-    cld /* x86-64 ABI requires DF to be unset at function entry/exit */
+/*    - DF flag: x86-64 ABI requires DF to be unset at function entry/exit */
+/*    - AC flag: AEX on misaligned memory accesses leaks side channel info */
+    pushfq
+    andq $~0x40400, (%rsp)
+    popfq
+
 /*  check for debug buffer pointer */
     testb  $0xff,DEBUG(%rip)
     jz .Lskip_debug_init
