Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't used at runtime

[Borislav Petkov]

On Wed, Oct 18, 2023 at 11:59:28PM -0700, Josh Poimboeuf wrote:
> One last idea, since the return thunk is used everywhere (even non-ABI
> compliant functions) it might be possible the "call check_thunks" (and
> its call to warn_printk) is clobbering some registers which some code
> (exception handling entry code?) doesn't appreciate.

Yeah, that is still unclean, I'd say. gcc doesn't know that we patch in
a CALL insn in the alternative. What should work is to have

	alternative_call

there which alternates between two calls and gcc knows there's a call so
it can act accordingly wrt callee-* regs.

Considering how __x86_return_thunk is there only until alternatives have
run, we could do something like

	ALTERNATIVE_CALL nop, check_thunks

where nop is a function which doesn't do anything.

I say "ALTERNATIVE_CALL" because we don't have a _CALL asm macro yet.

And then in check_thunks() we can do all kinds of screaming, tainting
and setting mitigation status to vulnerable, etc.

Anyway something along those lines.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette