lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 19 Jul 2022 15:19:26 +0200
From:   "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     linux-kernel@...r.kernel.org, keescook@...omium.org,
        hjl.tools@...il.com, andrew.cooper3@...rix.com,
        mark.rutland@....com, will@...nel.org, ndesaulniers@...gle.com,
        x86@...nel.org, Ankur Arora <ankur.a.arora@...cle.com>
Subject: Missing SLS int3 in JMP_NOSPEC? (Was: [PATCH v2 6/6] x86: Add
 straight-line-speculation mitigation)

On 4.12.2021 14:43, Peter Zijlstra wrote:
> Make use of an upcomming GCC feature to mitigate
> straight-line-speculation for x86:
> 
>    https://gcc.gnu.org/g:53a643f8568067d7700a9f2facc8ba39974973d3
>    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102952
>    https://bugs.llvm.org/show_bug.cgi?id=52323
> 
> It's built tested on x86_64-allyesconfig using GCC-12 and GCC-11.
> 
> Maintenace overhead of this should be fairly low due to objtool
> validation.
> 
> Size overhead of all these additional int3 instructions comes to:
> 
>     text	   data	    bss	    dec	    hex	filename
> 22267751	6933356	2011368	31212475	1dc43bb	defconfig-build/vmlinux
> 22804126	6933356	1470696	31208178	1dc32f2	defconfig-build/vmlinux.sls
> 
> Or roughly 2.4% additional text.
> 
> Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
> ---
(..)
> --- a/arch/x86/lib/retpoline.S
> +++ b/arch/x86/lib/retpoline.S
> @@ -34,7 +34,7 @@ SYM_INNER_LABEL(__x86_indirect_thunk_\re
>   
>   	ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), \
>   		      __stringify(RETPOLINE \reg), X86_FEATURE_RETPOLINE, \
> -		      __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), X86_FEATURE_RETPOLINE_AMD
> +		      __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg; int3), X86_FEATURE_RETPOLINE_AMD
>   
>   .endm
>   

Looking at this __x86_indirect_thunk_* change makes me wonder why there is
no similar int3 SLS protection in the X86_FEATURE_RETPOLINE_LFENCE case of
JMP_NOSPEC in arch/x86/include/asm/nospec-branch.h:
> .macro JMP_NOSPEC reg:req
> #ifdef CONFIG_RETPOLINE
> 	ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), \
> 		      __stringify(jmp __x86_indirect_thunk_\reg), X86_FEATURE_RETPOLINE, \
> 		      __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), X86_FEATURE_RETPOLINE_LFENCE
> #else

JMP_NOSPEC users seem to have no explicit trailing int3 instructions
either.

Or am I missing something here?

Thanks,
Maciej

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ