RE: [PATCH] x86/retpoline: Avoid return buffer underflows on context switch

From: David Laight
Date: Fri Jan 12 2018 - 06:14:53 EST


From: Andi Kleen
> Sent: 08 January 2018 20:16
>
> [This is on top of David's retpoline branch, as of 08-01 this morning]
>
> This patch further hardens retpoline
>
> CPUs have return buffers which store the return address for
> RET to predict function returns. Some CPUs (Skylake, some Broadwells)
> can fall back to indirect branch prediction on return buffer underflow.
>
> With retpoline we want to avoid uncontrolled indirect branches,
> which could be poisoned by ring 3, so we need to avoid uncontrolled
> return buffer underflows in the kernel.
>
> This can happen when we're context switching from a shallower to a
> deeper kernel stack. The deeper kernel stack would eventually underflow
> the return buffer, which again would fall back to the indirect branch predictor.
...

Is that really a usable attack vector?

Isn't it actually more likely to leak kernel addresses to userspace
in the return stack buffer - which might be usable to get around KASLR?

David