Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation

From: Linus Torvalds
Date: Mon Jul 18 2022 - 19:42:55 EST


On Mon, Jul 18, 2022 at 4:19 PM Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
>
> But that's an implementation detail, right? Whatever we put in between
> will still be a fixed offset, no? It's a different offset, but that's
> what patching can deal with.

No, what Sami is saying is that because the "cmpl" *inside* the function
that checks the hash value will have that same (valid) hash value
encoded as part of it, then you actually have *two* valid markers with
that hash value.

You have the "real" marker before the function.

But you also have the "false" marker that is part of the hash check
that is *inside* the function.

The "real marker + 6" points to the function head itself, and so is ok
as a target (normal operation).

The "false marker + 6" points to the "UD2", and so is *also* ok as a
target (bad guy trying to mis-use the false marker gets trapped by
UD2).

Linus