MIME-Version: 1.0
In-Reply-To: <1515503060.22302.19.camel@infradead.org>
References: <1515363085-4219-1-git-send-email-dwmw@amazon.co.uk>
 <1515455051.15588.7.camel@infradead.org> <CA+55aFwJLjNTDXBo-OkBhJ7ddrY+30MZY_HiY6TAc_tJNaL9-A@mail.gmail.com>
 <1515455902.4423.59.camel@amazon.co.uk> <CA+55aFztN+nGBnb1Wjvygvgkg2MfN9m88egsostaNJ5LoSQx7A@mail.gmail.com>
 <20180109004415.GG6718@tassilo.jf.intel.com> <CA+55aFy3sCY5xUwZtOYL1MLhRwYe1sU=5d8sWPZqAnEZ71u8-w@mail.gmail.com>
 <3aadb8a0-08c8-bdf9-7b91-0fa774a9e1ab@citrix.com> <FC895787-D674-4BC5-B660-DD946EA9825A@amacapital.net>
 <1515503060.22302.19.camel@infradead.org>
From: Kees Cook <keescook@google.com>
Date: Tue, 9 Jan 2018 09:53:00 -0800
Message-ID: <CAGXu5jKiHvqEXM3H-Euij-acPF4BoDFJR-WinwXaeWOguf1+Hg@mail.gmail.com>
Subject: Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on
 context switch
To: David Woodhouse <dwmw2@infradead.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
        Andrew Cooper <andrew.cooper3@citrix.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andi Kleen <ak@linux.intel.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "tim.c.chen@linux.intel.com" <tim.c.chen@linux.intel.com>,
        "peterz@infradead.org" <peterz@infradead.org>,
        "tglx@linutronix.de" <tglx@linutronix.de>,
        "riel@redhat.com" <riel@redhat.com>,
        "gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>,
        "pjt@google.com" <pjt@google.com>,
        "dave.hansen@intel.com" <dave.hansen@intel.com>,
        "jikos@kernel.org" <jikos@kernel.org>,
        "gregkh@linux-foundation.org" <gregkh@linux-foundation.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org

On Tue, Jan 9, 2018 at 5:04 AM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Mon, 2018-01-08 at 19:27 -0800, Andy Lutomirski wrote:
>> >
>> > If SMEP is not active, speculation can go anywhere, including to a user
>> > controlled gadget which can reload any registers it needs, including
>> > with immediate constants.
>>
>> I thought that, even on pre-SMEP hardware, the CPU wouldn't
>> speculatively execute from NX pages.  And PTI marks user memory NX
>> in kernel mode.
>
> Hm, now that could be useful.
>
> Do *all* the KPTI backports (some of which are reimplementations rather
> than strictly backports) mark user memory NX?

Yup. The KAISERish ports (4.9 and 4.4) have the same feature.

-Kees

-- 
Kees Cook
Pixel Security