| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YtfG5NYAgfTzboid@worktop.programming.kicks-ass.net>
Date: Wed, 20 Jul 2022 11:12:04 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
Cc: linux-kernel@...r.kernel.org, keescook@...omium.org,
hjl.tools@...il.com, andrew.cooper3@...rix.com,
mark.rutland@....com, will@...nel.org, ndesaulniers@...gle.com,
x86@...nel.org, Ankur Arora <ankur.a.arora@...cle.com>,
joao@...rdrivepizza.com
Subject: Re: [RFC][PATCH] x86,nospec: Simplify {JMP,CALL}_NOSPEC
On Wed, Jul 20, 2022 at 02:01:39AM +0200, Maciej S. Szmigiero wrote:
> > Obviously I meant: apply_retpolines() ...
>
> Will apply_retpolines() actually patch in that trailing int3 in
> the X86_FEATURE_RETPOLINE_LFENCE case?
>
> Looking at its code it uses just ordinary NOPs as fill:
> > /*
> > * For RETPOLINE_LFENCE: prepend the indirect CALL/JMP with an LFENCE.
> > */
> > if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) {
> > bytes[i++] = 0x0f;
> > bytes[i++] = 0xae;
> > bytes[i++] = 0xe8; /* LFENCE */
> > }
> >
> > ret = emit_indirect(op, reg, bytes + i);
> > if (ret < 0)
> > return ret;
> > i += ret;
> >
> > for (; i < insn->length;)
> > bytes[i++] = BYTES_NOP1;
There is no space for int3 in that case. You get 3 bytes for LFENCE and
{2,3} bytes for 'jmp *%reg', which fully consumes the {5,6} bytes
available.
There will be no nops added.
But this is what all regular retpolines get to look like.
The plan was; and that's still pending, to get the INT3 from the AMD BTC
mitigation that adds INT3 after regular JMPs but those compiler patches
still need to happen I think.
Powered by blists - more mailing lists