[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231019141514.GCZTE58qPOvcJCiBp3@fat_crate.local>
Date: Thu, 19 Oct 2023 16:15:14 +0200
From: Borislav Petkov <bp@...en8.de>
To: Josh Poimboeuf <jpoimboe@...nel.org>
Cc: Ingo Molnar <mingo@...nel.org>, linux-kernel@...r.kernel.org,
linux-tip-commits@...r.kernel.org,
David Kaplan <david.kaplan@....com>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>, x86@...nel.org,
David Howells <dhowells@...hat.com>
Subject: Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't
used at runtime
On Wed, Oct 18, 2023 at 11:59:28PM -0700, Josh Poimboeuf wrote:
> One last idea, since the return thunk is used everywhere (even non-ABI
> compliant functions) it might be possible the "call check_thunks" (and
> its call to warn_printk) is clobbering some registers which some code
> (exception handling entry code?) doesn't appreciate.
Yeah, that is still unclean, I'd say. gcc doesn't know that we patch in
a CALL insn in the alternative. What should work is to have
alternative_call
there which alternates between two calls and gcc knows there's a call so
it can act accordingly wrt callee-* regs.
Considering how __x86_return_thunk is there only until alternatives have
run, we could do something like
ALTERNATIVE_CALL nop, check_thunks
where nop is a function which doesn't do anything.
I say "ALTERNATIVE_CALL" because we don't have a _CALL asm macro yet.
And then in check_thunks() we can do all kinds of screaming, tainting
and setting mitigation status to vulnerable, etc.
Anyway something along those lines.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
Powered by blists - more mailing lists