Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752704AbeADTdh (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Thu, 4 Jan 2018 14:33:37 -0500
Received: from mail-ot0-f193.google.com ([74.125.82.193]:33916 "EHLO
        mail-ot0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751952AbeADTdf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 4 Jan 2018 14:33:35 -0500
X-Google-Smtp-Source: ACJfBotNijUaXkjNAIznYq693LpDopI//IuKgW9jxu8Dz9WxDx/AjHqoSe9GusQ/uF9sVGqvaOy7YoM2MG942egG0jU=
MIME-Version: 1.0
In-Reply-To: <1515093549.29312.11.camel@infradead.org>
References: <cover.1515086770.git.tim.c.chen@linux.intel.com>
 <CA+55aFx+5dUyKRjXEavnxzfXbiQnrmiSCw3PgPtSb+6OP-Qhcg@mail.gmail.com> <1515093549.29312.11.camel@infradead.org>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 4 Jan 2018 11:33:34 -0800
X-Google-Sender-Auth: 9d9o00vQauJ1g5cQRnvxZdUuLmA
Message-ID: <CA+55aFz+QcnA91H=bUh_oUogwhOaCY9qPqQkTdbeM-VanYGJVA@mail.gmail.com>
Subject: Re: [PATCH 0/7] IBRS patch series
To: David Woodhouse <dwmw2@infradead.org>
Cc: Tim Chen <tim.c.chen@linux.intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Andy Lutomirski <luto@kernel.org>,
        Greg KH <gregkh@linuxfoundation.org>,
        Dave Hansen <dave.hansen@intel.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andi Kleen <ak@linux.intel.com>,
        Arjan Van De Ven <arjan.van.de.ven@intel.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Thu, Jan 4, 2018 at 11:19 AM, David Woodhouse <dwmw2@infradead.org> wrote:
>
> On Skylake the target for a 'ret' instruction may also come from the
> BTB. So if you ever let the RSB (which remembers where the 'call's came
> from get empty, you end up vulnerable.

That sounds like it could cause mispredicts, but it doesn't sound _exploitable_.

Sure, interrupts in between the call instruction and the 'ret' could
overflow the return stack. And we could migrate to another CPU. And so
apparently SMM clears the return stack too.

... but again, none of them sound even remotely _exploitable_.

Remember: it's not mispredicts that leak information. It's *exploits"
that use forced very specific  mispredicts to leak information.

There's a big difference there. And I think patch authors should keep
that difference in mind.

For example, flushing the BTB at kernel entry doesn't mean that later
in-kernel indirect branches don't get predicted, and doesn't even mean
that they don't get mis-predicted. It only means that an exploit can't
pre-populate those things and use them for exploits.

               Linus