Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756284AbeAIBQO (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Mon, 8 Jan 2018 20:16:14 -0500
Received: from mga14.intel.com ([192.55.52.115]:14490 "EHLO mga14.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1755123AbeAIBQM (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 8 Jan 2018 20:16:12 -0500
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.46,333,1511856000"; 
   d="scan'208";a="17712987"
Date: Mon, 8 Jan 2018 17:16:02 -0800
From: Andi Kleen <ak@linux.intel.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Woodhouse, David" <dwmw@amazon.co.uk>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "tim.c.chen@linux.intel.com" <tim.c.chen@linux.intel.com>,
        "peterz@infradead.org" <peterz@infradead.org>,
        "tglx@linutronix.de" <tglx@linutronix.de>,
        "riel@redhat.com" <riel@redhat.com>,
        "keescook@google.com" <keescook@google.com>,
        "gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>,
        "pjt@google.com" <pjt@google.com>,
        "dave.hansen@intel.com" <dave.hansen@intel.com>,
        "luto@amacapital.net" <luto@amacapital.net>,
        "jikos@kernel.org" <jikos@kernel.org>,
        "gregkh@linux-foundation.org" <gregkh@linux-foundation.org>
Subject: Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows
 on context switch
Message-ID: <20180109011602.GH6718@tassilo.jf.intel.com>
References: <1515363085-4219-1-git-send-email-dwmw@amazon.co.uk>
 <1515455051.15588.7.camel@infradead.org>
 <CA+55aFwJLjNTDXBo-OkBhJ7ddrY+30MZY_HiY6TAc_tJNaL9-A@mail.gmail.com>
 <1515455902.4423.59.camel@amazon.co.uk>
 <CA+55aFztN+nGBnb1Wjvygvgkg2MfN9m88egsostaNJ5LoSQx7A@mail.gmail.com>
 <20180109004415.GG6718@tassilo.jf.intel.com>
 <CA+55aFy3sCY5xUwZtOYL1MLhRwYe1sU=5d8sWPZqAnEZ71u8-w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+55aFy3sCY5xUwZtOYL1MLhRwYe1sU=5d8sWPZqAnEZ71u8-w@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

> If we clear the registers, what the hell are you going to put in the
> RSB that helps you?

RSB allows you to control chains of gadgets.

You can likely find some chain of gadgets that set up constants in registers in a
lot of useful ways. Perhaps not any way (so may be hard to scan through all of
memory), but it's likely you could find gadgets that result in a lot of useful
direct mapped addresses, which the next gadget can then reference.

Especially RAX is quite vulnerable to this because there will be a lot 
of code that does "modify RAX in interesting ways ; RET"

> So instead of saying "we have to flush the return stack", I'm saying
> that we should look at things that make flushing the return stack
> _unnecessary_, simply because even if the attacker were to control it
> entirely, they'd still be up shit creek without a paddle.

I agree that clearing registers is useful (was just hacking on that patch).

-Andi