Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation

From: Sami Tolvanen
Date: Wed Jul 20 2022 - 12:56:10 EST

Next message: Andrzej Hajda: "Re: [Intel-gfx] [PATCH] drm/i915/selftests: Fix comment typo"
Previous message: Krzysztof Kozlowski: "Re: [PATCH] arm64: dts: qcom: Add SKU6 for sc7180-trogdor-pazquel-lte-parade"
In reply to: Thomas Gleixner: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Next in thread: Sami Tolvanen: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jul 19, 2022 at 01:51:14AM +0200, Peter Zijlstra wrote:
> So if we assume \func starts with ENDBR, and further assume we've fixed
> up every direct jmp/call to land at +4, we can overwrite the ENDBR with
> part of the SARQ, that leaves us 6 more byte, placing the immediate at
> -10 if I'm not mis-counting.
>
> Now, the call sites are:
>
> 41 81 7b fa 78 56 34 12 cmpl $0x12345678, -6(%r11)
> 74 02 je 1f
> 0f 0b ud2
> e8 00 00 00 00 1: call __x86_indirect_thunk_r11
>
> That means the offset of +10 lands in the middle of the CALL
> instruction, and since we only have 16 thunks there is a limited number
> of byte patterns available there.
>
> This really isn't as nice as the -6 but might just work well enough,
> hmm?

I agree, this is probably fine, or at least low enough risk.

Did you have thoughts about changing the check instruction sequence
to split the hash into multiple instructions and thus avoiding this
issue altogether?

Sami

Next message: Andrzej Hajda: "Re: [Intel-gfx] [PATCH] drm/i915/selftests: Fix comment typo"
Previous message: Krzysztof Kozlowski: "Re: [PATCH] arm64: dts: qcom: Add SKU6 for sc7180-trogdor-pazquel-lte-parade"
In reply to: Thomas Gleixner: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Next in thread: Sami Tolvanen: "Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]