Re: [PATCH RFC 4/4] x86/srso: Use CALL-based return thunks to reduce overhead

From: Peter Zijlstra
Date: Wed Sep 13 2023 - 08:50:57 EST

Next message: David Hildenbrand: "[PATCH v1 0/6] Anon rmap cleanups"
Previous message: Tony Lindgren: "Re: [PATCH] drm/omap: dsi: Fix deferred probe warnings"
Next in thread: Peter Zijlstra: "Re: [PATCH RFC 4/4] x86/srso: Use CALL-based return thunks to reduce overhead"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Aug 22, 2023 at 03:18:28PM -0700, Josh Poimboeuf wrote:

> The problem is the call-site, not the thunk. Ideally we'd have an
> option which adds an INT3 after the 'JMP __x86_return_thunk'.

The -mharden-sls=all option *SHOULD* be extended to unconditionally emit
INT3 after everyt JMP instruction -- including the one used for
-mfunction-return=thunk-extern.

This is a known missing mitigation for an AMD SLS issue.

Due to the whole branch-type-confusion thing, AMD CPUs can predict the
JMP as 'not-a-branch' and continue to the next instruction.

I'm sure Andrew has the proper name and CVE stashed away somewhere. IIRC
he even has a GCC bugzilla entry for it.

Next message: David Hildenbrand: "[PATCH v1 0/6] Anon rmap cleanups"
Previous message: Tony Lindgren: "Re: [PATCH] drm/omap: dsi: Fix deferred probe warnings"
Next in thread: Peter Zijlstra: "Re: [PATCH RFC 4/4] x86/srso: Use CALL-based return thunks to reduce overhead"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]