lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <11e9589a1489d9a7d9cca99a2c0673ae99e8166e.camel@amazon.com>
Date: Thu, 15 May 2025 22:28:55 +0000
From: "Jitindar Singh, Suraj" <surajjs@...zon.com>
To: "pawan.kumar.gupta@...ux.intel.com" <pawan.kumar.gupta@...ux.intel.com>,
	"bp@...en8.de" <bp@...en8.de>
CC: "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
	"x86@...nel.org" <x86@...nel.org>, "peterz@...radead.org"
	<peterz@...radead.org>, "mingo@...hat.com" <mingo@...hat.com>,
	"tglx@...utronix.de" <tglx@...utronix.de>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "stable@...r.kernel.org"
	<stable@...r.kernel.org>, "jpoimboe@...nel.org" <jpoimboe@...nel.org>
Subject: Re: [PATCH] x86/bugs: Don't warn when overwriting
 retbleed_return_thunk with srso_return_thunk

On Thu, 2025-05-15 at 10:38 -0700, Pawan Gupta wrote:
> CAUTION: This email originated from outside of the organization. Do
> not click links or open attachments unless you can confirm the sender
> and know the content is safe.
> 
> 
> 
> On Thu, May 15, 2025 at 07:23:55PM +0200, Borislav Petkov wrote:
> > On Thu, May 15, 2025 at 10:06:33AM -0700, Pawan Gupta wrote:
> > > As I said above, a mitigation unintentionally make another
> > > mitigation
> > > ineffective.
> > 
> > I actually didn't need an analysis - my point is: if you're going
> > to warn
> > about it, then make it big so that it gets caught.
> > 
> > > Yes, maybe a WARN_ON() conditional to sanity checks for
> > > retbleed/SRSO.
> > 
> > Yes, that.
> > 
> > At least.
> > 
> > The next step would be if this whole "let's set a thunk without
> > overwriting
> > a previously set one" can be fixed differently.
> > 
> > For now, though, the *least* what should be done here is catch the
> > critical
> > cases where a mitigation is rendered ineffective. And warning Joe
> > Normal User
> > about it doesn't bring anything. We do decide for the user what is
> > safe or
> > not, practically. At least this has been the strategy until now.
> > 
> > So the goal here should be to make Joe catch this and tell us to
> > fix it.
> > 
> > Makes sense?
> 
> Absolutely makes sense.
> 
> Suraj, do want to revise this patch? Or else I can do it too.

Happy to revise it.

To be clear, based on my understanding the request is to make the
warning more obvious with a WARN()?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ