Open Source and information security mailing list archives
Message-ID: <64f2f090-682e-17af-5ecf-e9dca4f2c76e@citrix.com>
Date:   Fri, 25 Feb 2022 09:22:26 +0000
From:   Andrew Cooper <Andrew.Cooper3@...rix.com>
To:     Kees Cook <keescook@...omium.org>,
        Peter Zijlstra <peterz@...radead.org>
CC:     "x86@...nel.org" <x86@...nel.org>,
        "joao@...rdrivepizza.com" <joao@...rdrivepizza.com>,
        "hjl.tools@...il.com" <hjl.tools@...il.com>,
        "jpoimboe@...hat.com" <jpoimboe@...hat.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "ndesaulniers@...gle.com" <ndesaulniers@...gle.com>,
        "samitolvanen@...gle.com" <samitolvanen@...gle.com>,
        "mark.rutland@....com" <mark.rutland@....com>,
        "alyssa.milburn@...el.com" <alyssa.milburn@...el.com>,
        "mbenes@...e.cz" <mbenes@...e.cz>,
        "rostedt@...dmis.org" <rostedt@...dmis.org>,
        "mhiramat@...nel.org" <mhiramat@...nel.org>,
        "alexei.starovoitov@...il.com" <alexei.starovoitov@...il.com>,
        Andrew Cooper <Andrew.Cooper3@...rix.com>
Subject: Re: [PATCH v2 07/39] x86/entry: Sprinkle ENDBR dust

On 25/02/2022 00:42, Kees Cook wrote:
> On Thu, Feb 24, 2022 at 03:51:45PM +0100, Peter Zijlstra wrote:
>> The SYSCALL entry points are found through taking their respective
>> address in order to program them in the MSRs, while the exception
>> entry points are found through UNWIND_HINT_IRET_REGS.
> Stupid question: does CET consider exception and syscall entry points to
> be indirect calls? (I would expect so, but they're ever so slightly
> differently executed...)

Yes it does.  What happens is that on ring transition, microcode forces
the WAIT-FOR-ENDBR state.

For IDT entries, this protects against a single stray write hijacking
control flow.

SYSCALL/SYSENTER in principle don't need to be, IMO.  They're rooted in
MSRs rather than RAM, and if an attacker has hijacked the system enough
to change those, then the absence of ENDBR is not going to save you.

However, from a consistency and implementation point of view, you don't
want to be special casing how a ring transition was triggered.

~Andrew
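A small model of the check Andrew describes, added here as an example and not code from the thread or from the kernel's objtool: after a ring transition (or any indirect branch) the CPU is in the WAIT-FOR-ENDBR state, so every IDT entry and every target programmed into the SYSCALL/SYSENTER MSRs must begin with an ENDBR instruction or the transition ends in a #CP fault. The code image and the entry offsets below are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodings of the IBT landing-pad instructions; both decode as a NOP on CPUs without IBT. */
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };
static const uint8_t ENDBR32[4] = { 0xf3, 0x0f, 0x1e, 0xfb };

/* Does the code at offset `ip` start with ENDBR? This is the test the CPU applies
 * while in the WAIT-FOR-ENDBR state; anything else raises #CP. */
bool is_landing_pad(const uint8_t *image, size_t len, size_t ip)
{
    if (ip + 4 > len)
        return false;
    return memcmp(image + ip, ENDBR64, 4) == 0 || memcmp(image + ip, ENDBR32, 4) == 0;
}

/* Audit a list of hardware-reached entry points (IDT vectors, MSR_LSTAR targets, ...).
 * Returns how many lack ENDBR and writes their indices into `bad`. */
size_t audit_entry_points(const uint8_t *image, size_t len,
                          const size_t *entries, size_t n, size_t *bad)
{
    size_t nbad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_landing_pad(image, len, entries[i]))
            bad[nbad++] = i;
    return nbad;
}

/* Constructed sample "kernel text": three 8-byte entry stubs at offsets 0, 8 and 16.
 * Bytes after the landing pad are NOP padding (0x90) for simplicity. */
static const uint8_t sample_text[24] = {
    0xf3, 0x0f, 0x1e, 0xfa, 0x90, 0x90, 0x90, 0x90,   /* entry 0: endbr64 first  */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   /* entry 1: no ENDBR -> #CP */
    0xf3, 0x0f, 0x1e, 0xfa, 0x90, 0x90, 0x90, 0x90,   /* entry 2: endbr64 first  */
};
static const size_t sample_entries[3] = { 0, 8, 16 };

int main(void)
{
    size_t bad[3];
    size_t nbad = audit_entry_points(sample_text, sizeof sample_text, sample_entries, 3, bad);
    for (size_t i = 0; i < nbad; i++)
        printf("entry %zu at offset %zu lacks ENDBR\n", bad[i], sample_entries[bad[i]]);
    return nbad ? 1 : 0;
}
```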
