Re: [PATCH 01/11] arm64: use RET instruction for exiting the trampoline

From: Ard Biesheuvel
Date: Thu Jan 04 2018 - 13:35:08 EST

Next message: Russell King - ARM Linux: "Re: [kernel-hardening] [PATCH] arm: Always use REFCOUNT_FULL"
Previous message: Andrea Arcangeli: "Re: [PATCH 6/7] x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature"
In reply to: Will Deacon: "Re: [PATCH 01/11] arm64: use RET instruction for exiting the trampoline"
Next in thread: Will Deacon: "[PATCH 03/11] arm64: Take into account ID_AA64PFR0_EL1.CSV3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4 January 2018 at 18:31, Will Deacon <will.deacon@xxxxxxx> wrote:
> Hi Ard,
>
> On Thu, Jan 04, 2018 at 04:24:22PM +0000, Ard Biesheuvel wrote:
>> On 4 January 2018 at 15:08, Will Deacon <will.deacon@xxxxxxx> wrote:
>> > Speculation attacks against the entry trampoline can potentially resteer
>> > the speculative instruction stream through the indirect branch and into
>> > arbitrary gadgets within the kernel.
>> >
>> > This patch defends against these attacks by forcing a misprediction
>> > through the return stack: a dummy BL instruction loads an entry into
>> > the stack, so that the predicted program flow of the subsequent RET
>> > instruction is to a branch-to-self instruction which is finally resolved
>> > as a branch to the kernel vectors with speculation suppressed.
>> >
>> > Signed-off-by: Will Deacon <will.deacon@xxxxxxx>
>> > ---
>> > arch/arm64/kernel/entry.S | 5 ++++-
>> > 1 file changed, 4 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
>> > index 031392ee5f47..b9feb587294d 100644
>> > --- a/arch/arm64/kernel/entry.S
>> > +++ b/arch/arm64/kernel/entry.S
>> > @@ -1029,6 +1029,9 @@ alternative_else_nop_endif
>> > .if \regsize == 64
>> > msr tpidrro_el0, x30 // Restored in kernel_ventry
>> > .endif
>> > + bl 2f
>> > + b .
>> > +2:
>>
>> This deserves a comment, I guess?
>
> Yeah, I suppose ;) I'll lift something out of the commit message.
>
>> Also, is deliberately unbalancing the return stack likely to cause
>> performance problems, e.g., in libc hot paths?
>
> I don't think so, because it remains balanced after this code. We push an
> entry on with the BL and pop it with the RET; the rest of the return stack
> remains unchanged.

Ah, of course. For some reason, I had it in my mind that the failed
prediction affects the state of the return stack but that doesn't make
sense.

> That said, I'm also not sure what we could do differently
> here!
>
> Will

Next message: Russell King - ARM Linux: "Re: [kernel-hardening] [PATCH] arm: Always use REFCOUNT_FULL"
Previous message: Andrea Arcangeli: "Re: [PATCH 6/7] x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature"
In reply to: Will Deacon: "Re: [PATCH 01/11] arm64: use RET instruction for exiting the trampoline"
Next in thread: Will Deacon: "[PATCH 03/11] arm64: Take into account ID_AA64PFR0_EL1.CSV3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]