Re: [PATCH v2 1/3] x86/entry: Clear extra registers beyond syscall arguments for 64bit kernels

From: Ingo Molnar
Date: Tue Feb 06 2018 - 02:19:50 EST

* Andi Kleen <ak@xxxxxxxxxxxxxxx> wrote:

> > - There's various conditional pieces of entry code that run before any
> > RBP-clobbering C function is called. While none of them has an exploitable
> > Spectre 'gadget' at the moment, we'd have to consider this for every future
> > change.
>
> The Frame Pointer is always set up in assembler too, just in another macro.

As I replied to Andy, that's not universally true: there are code paths where RBP
is not set before calling C code or going into the more complex parts of the
kernel entry code.

This RBP value leak in fact demonstrates the validity of my robustness argument:

> > I.e. we cannot universally rely on RBP being sanitized. In _practice_ it
> > will be sanitized, but we don't know for sure without expending quite some
> > effort to think through all the cases.

Thanks,

Ingo