Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch

[Andi Kleen]

> If we clear the registers, what the hell are you going to put in the
> RSB that helps you?

RSB allows you to control chains of gadgets.

You can likely find some chain of gadgets that set up constants in registers in a
lot of useful ways. Perhaps not any way (so may be hard to scan through all of
memory), but it's likely you could find gadgets that result in a lot of useful
direct mapped addresses, which the next gadget can then reference.

Especially RAX is quite vulnerable to this because there will be a lot 
of code that does "modify RAX in interesting ways ; RET"

> So instead of saying "we have to flush the return stack", I'm saying
> that we should look at things that make flushing the return stack
> _unnecessary_, simply because even if the attacker were to control it
> entirely, they'd still be up shit creek without a paddle.

I agree that clearing registers is useful (was just hacking on that patch).

-Andi