Date: Mon, 8 Jan 2018 17:16:02 -0800
From: Andi Kleen
To: Linus Torvalds
Cc: "Woodhouse, David", linux-kernel@vger.kernel.org, tim.c.chen@linux.intel.com, peterz@infradead.org, tglx@linutronix.de, riel@redhat.com, keescook@google.com, gnomes@lxorguk.ukuu.org.uk, pjt@google.com, dave.hansen@intel.com, luto@amacapital.net, jikos@kernel.org, gregkh@linux-foundation.org
Subject: Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch
Message-ID: <20180109011602.GH6718@tassilo.jf.intel.com>
References: <1515363085-4219-1-git-send-email-dwmw@amazon.co.uk> <1515455051.15588.7.camel@infradead.org> <1515455902.4423.59.camel@amazon.co.uk> <20180109004415.GG6718@tassilo.jf.intel.com>
In-Reply-To:
User-Agent: Mutt/1.9.1 (2017-09-22)

> If we clear the registers, what the hell are you going to put in the
> RSB that helps you?

RSB allows you to control chains of gadgets. You can likely find some
chain of gadgets that set up constants in registers in a lot of useful
ways. Perhaps not any way (so may be hard to scan through all of
memory), but it's likely you could find gadgets that result in a lot
of useful direct mapped addresses, which the next gadget can then
reference.

Especially RAX is quite vulnerable to this because there will be a lot
of code that does "modify RAX in interesting ways ; RET"

> So instead of saying "we have to flush the return stack", I'm saying
> that we should look at things that make flushing the return stack
> _unnecessary_, simply because even if the attacker were to control it
> entirely, they'd still be up shit creek without a paddle.

I agree that clearing registers is useful (was just hacking on that
patch).

-Andi