Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation

From: Linus Torvalds
Date: Mon Jul 18 2022 - 20:08:25 EST


On Mon, Jul 18, 2022 at 4:52 PM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Honestly, I think that would be a better model - yes, you lose 8 bits
> of hash, but considering that apparently the current KCFI code
> *guarantees* that the hash pattern will exist even outside the actual
> target pattern,

Gaah, I'm being stupid. You still get the value collision, since the
int3 byte pattern would just be part of the compare pattern.

You'd have to use some multi-instruction compare to avoid having the
pattern in the instruction stream. Probably with another register.
Like

movl -FIXED_OFFSET(%rax),%edx   # load the 32-bit hash stored before the target
addl $ANTI_PATTERN,%edx         # ANTI_PATTERN is the negated hash: a match sums to zero
je ok

so that the "compare" wouldn't use the same pattern value, but be an
add with the negated pattern value instead.

The extra instruction is likely less of a problem than the extra register used.

Linus
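Added illustration, not part of the thread: it hand-encodes the two check shapes discussed above (a direct cmpl against the hash immediate versus the load/add-negated-pattern sequence) and scans the resulting bytes for the hash, showing why the immediate-compare form plants the hash pattern in the instruction stream while the add form does not. The hash value, -8 displacement, %rax/%edx register choice and je target are constructed assumptions.

```python
import struct

HASH = 0x8BADF00D  # constructed example hash, not a real kCFI value

def le32(v: int) -> bytes:
    """32-bit little-endian immediate; negative values wrap like the assembler does."""
    return struct.pack("<I", v & 0xFFFFFFFF)

def cmp_mem_imm(disp8: int, imm: int) -> bytes:
    """cmpl $imm32, disp8(%rax): opcode 81 /7, ModRM 0x78 = [rax+disp8]."""
    return bytes([0x81, 0x78, disp8 & 0xFF]) + le32(imm)

def mov_mem_edx(disp8: int) -> bytes:
    """movl disp8(%rax), %edx: opcode 8B /r, ModRM 0x50."""
    return bytes([0x8B, 0x50, disp8 & 0xFF])

def add_edx_imm(imm: int) -> bytes:
    """addl $imm32, %edx: opcode 81 /0, ModRM 0xC2 = edx."""
    return bytes([0x81, 0xC2]) + le32(imm)

JE_OK = bytes([0x74, 0x02])  # je +2; placeholder branch target (assumed)

def check_with_cmp(h: int) -> bytes:
    """Direct compare: the hash itself is the immediate operand."""
    return cmp_mem_imm(-8, h) + JE_OK

def check_with_add(h: int) -> bytes:
    """Sequence from the mail: load, add the negated hash, jump if the sum is zero."""
    return mov_mem_edx(-8) + add_edx_imm(-h) + JE_OK

def find_pattern(stream: bytes, h: int) -> list:
    """Byte offsets where the little-endian hash appears in the instruction bytes."""
    pat = le32(h)
    return [i for i in range(len(stream) - 3) if stream[i:i + 4] == pat]

def pattern_leaks(h: int, builder) -> bool:
    """True if the emitted check bytes themselves contain the hash pattern.
    Edge case: for h in {0, 0x80000000} the negation equals h, so even the
    add form re-emits the pattern; such hashes would need to be excluded."""
    return bool(find_pattern(builder(h), h))

if __name__ == "__main__":
    for name, b in (("cmp", check_with_cmp), ("add", check_with_add)):
        print(name, b(HASH).hex(), "leaks" if pattern_leaks(HASH, b) else "clean")
```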