Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch

From: Kees Cook
Date: Tue Jan 09 2018 - 12:53:09 EST

Next message: Tim Chen: "Re: [PATCH v2 1/8] x86/feature: Detect the x86 IBRS feature to control Speculation"
Previous message: Linus Torvalds: "Re: Re: dvb usb issues since kernel 4.9"
In reply to: Peter Zijlstra: "Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch"
Next in thread: Linus Torvalds: "Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 9, 2018 at 5:04 AM, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> On Mon, 2018-01-08 at 19:27 -0800, Andy Lutomirski wrote:
>> >
>> > If SMEP is not active, speculation can go anywhere, including to a user
>> > controlled gadget which can reload any registers it needs, including
>> > with immediate constants.
>>
>> I thought that, even on pre-SMEP hardware, the CPU wouldn't
>> speculatively execute from NX pages. And PTI marks user memory NX
>> in kernel mode.
>
> Hm, now that could be useful.
>
> Do *all* the KPTI backports (some of which are reimplementations rather
> than strictly backports) mark user memory NX?

Yup. The KAISERish ports (4.9 and 4.4) have the same feature.

-Kees

--
Kees Cook
Pixel Security

Next message: Tim Chen: "Re: [PATCH v2 1/8] x86/feature: Detect the x86 IBRS feature to control Speculation"
Previous message: Linus Torvalds: "Re: Re: dvb usb issues since kernel 4.9"
In reply to: Peter Zijlstra: "Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch"
Next in thread: Linus Torvalds: "Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]