Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation

From: Linus Torvalds
Date: Mon Jul 18 2022 - 20:08:25 EST

Next message: Sean Christopherson: "Re: [PATCH 2/2] KVM: X86: Fix the comments in prepare_vmcs02_rare()"
Previous message: kernel test robot: "toeplitz.c:335:23: warning: excess elements in struct initializer"
In reply to: Thomas Gleixner: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Next in thread: Joao Moreira: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 18, 2022 at 4:52 PM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Honestly, I think that would be a better model - yes, you lose 8 bits
> of hash, but considering that apparently the current KCFI code
> *guarantees* that the hash pattern will exist even outside the actual
> target pattern,

Gaah, I'm being stupid,. You still get the value collision, since the
int3 byte pattern would just be part of the compare pattern.

You'd have to use some multi-instruction compare to avoid having the
pattern in the instruction stream. Probably with another register.
Like

movl -FIXED_OFFSET(%eax),%rdx
addl $ANTI_PATTERN,%rdx
je ok

so that the "compare" wouldn't use the same pattern value, but be an
add with the negated pattern value instead.

The extra instruction is likely less of a problem than the extra register used.

Linus

Next message: Sean Christopherson: "Re: [PATCH 2/2] KVM: X86: Fix the comments in prepare_vmcs02_rare()"
Previous message: kernel test robot: "toeplitz.c:335:23: warning: excess elements in struct initializer"
In reply to: Thomas Gleixner: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Next in thread: Joao Moreira: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]