lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 5 Feb 2018 16:38:33 +0000
From:   Andy Lutomirski <luto@...nel.org>
To:     Ingo Molnar <mingo@...nel.org>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Dan Williams <dan.j.williams@...el.com>,
        Brian Gerst <brgerst@...il.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Andi Kleen <ak@...ux.intel.com>,
        "the arch/x86 maintainers" <x86@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...hat.com>,
        Andy Lutomirski <luto@...nel.org>,
        "H. Peter Anvin" <hpa@...or.com>
Subject: Re: [PATCH 1/3] x86/entry: Clear extra registers beyond syscall
 arguments for 64bit kernels

On Mon, Feb 5, 2018 at 4:26 PM, Ingo Molnar <mingo@...nel.org> wrote:
>
> * Linus Torvalds <torvalds@...ux-foundation.org> wrote:
>
>> [...]
>>
>> But as the commit message says, the system call argument registers are
>> also likely to be aggressively clobbered unless used, since the low
>> registers are preferred for code generation (smaller code, and many of
>> them are special anyway in various ways and have forced uses for
>> shifts, function arguments, or just are special in general like %rax).
>>
>> So the actual argument registers tend to not be an issue anyway.
>

>
> So I submit that we should probably extend the register clearing/sanitization to
> R10 and R11 as well, because while they are technically caller-saved and freely
> clobberable, in practice they don't get clobbered all that often and there might
> be various code paths into complex system calls where these R10/R11 values survive
> just fine and can be used in Spectre gadgets.


Maybe R11, but we have to be careful, since R11 is used as scratch
space in a bunch of the asm.  Clearing R10 is mostly useless in the
syscall path because we'll just unconditionally reload it in
do_syscall_64().  If we manage to change the way syscall wrappers
work, then we can think about clearing R10 and maybe even more regs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ