Re: [tip:x86/pti] x86/retpoline: Fill RSB on context switch for affected CPUs

From: Kees Cook
Date: Mon Jan 15 2018 - 15:03:55 EST

Next message: Guenter Roeck: "Re: [PATCH] bcma: Fix 'allmodconfig' and BCMA builds on MIPS targets"
Previous message: Madhani, Himanshu: "Re: [PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout"
In reply to: Arjan van de Ven: "Re: [tip:x86/pti] x86/retpoline: Fill RSB on context switch for affected CPUs"
Next in thread: tip-bot for David Woodhouse: "[tip:x86/pti] x86/retpoline: Fill RSB on context switch for affected CPUs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 15, 2018 at 6:42 AM, Arjan van de Ven <arjan@xxxxxxxxxxxxxxx> wrote:
>>
>> This would means that userspace would see return predictions based
>> on the values the kernel 'stuffed' into the RSB to fill it.
>>
>> Potentially this leaks a kernel address to userspace.
>
>
> KASLR pretty much died in May this year to be honest with the KAISER paper
> (if not before then)

KASLR was always on shaky ground for local attacks. For pure remote
attacks, it's still useful. And for driving forward research, it
appears to be quite useful. ;)

-Kees

--
Kees Cook
Pixel Security

Next message: Guenter Roeck: "Re: [PATCH] bcma: Fix 'allmodconfig' and BCMA builds on MIPS targets"
Previous message: Madhani, Himanshu: "Re: [PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout"
In reply to: Arjan van de Ven: "Re: [tip:x86/pti] x86/retpoline: Fill RSB on context switch for affected CPUs"
Next in thread: tip-bot for David Woodhouse: "[tip:x86/pti] x86/retpoline: Fill RSB on context switch for affected CPUs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]