From: Kees Cook
Date: Tue, 9 Jan 2018 09:53:00 -0800
Subject: Re: [PATCH v6 11/10] x86/retpoline: Avoid return buffer underflows on context switch
To: David Woodhouse
Cc: Andy Lutomirski, Andrew Cooper, Linus Torvalds, Andi Kleen, linux-kernel@vger.kernel.org, tim.c.chen@linux.intel.com, peterz@infradead.org, tglx@linutronix.de, riel@redhat.com, gnomes@lxorguk.ukuu.org.uk, pjt@google.com, dave.hansen@intel.com, jikos@kernel.org, gregkh@linux-foundation.org
In-Reply-To: <1515503060.22302.19.camel@infradead.org>
References: <1515363085-4219-1-git-send-email-dwmw@amazon.co.uk> <1515455051.15588.7.camel@infradead.org> <1515455902.4423.59.camel@amazon.co.uk> <20180109004415.GG6718@tassilo.jf.intel.com> <3aadb8a0-08c8-bdf9-7b91-0fa774a9e1ab@citrix.com> <1515503060.22302.19.camel@infradead.org>
List-ID: linux-kernel@vger.kernel.org

On Tue, Jan 9, 2018 at 5:04 AM, David Woodhouse wrote:
> On Mon, 2018-01-08 at 19:27 -0800, Andy Lutomirski wrote:
>> >
>> > If SMEP is not active, speculation can go anywhere, including to a user
>> > controlled gadget which can reload any registers it needs, including
>> > with immediate constants.
>>
>> I thought that, even on pre-SMEP hardware, the CPU wouldn't
>> speculatively execute from NX pages. And PTI marks user memory NX
>> in kernel mode.
>
> Hm, now that could be useful.
>
> Do *all* the KPTI backports (some of which are reimplementations rather
> than strictly backports) mark user memory NX?

Yup. The KAISERish ports (4.9 and 4.4) have the same feature.

-Kees

-- 
Kees Cook
Pixel Security
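The thread turns on two properties a defender can check on a running box: whether the CPU exposes SMEP and NX, and whether the kernel has PTI (or a KAISER-style backport) active so that user memory is non-executable while in kernel mode. The script below is an added example, not code from the thread or from the kernel tree. It parses a /proc/cpuinfo dump for the `nx`, `smep` and `pti` feature flags and reads the standard sysfs status files under /sys/devices/system/cpu/vulnerabilities, then reports which of the conditions discussed above hold. The cpuinfo text and sysfs file contents embedded here are constructed samples; the inference that "PTI present implies user pages are NX in kernel mode" is taken from the thread, not verified by the script itself.

```python
"""Report SMEP/NX/PTI status from /proc/cpuinfo and sysfs (added example)."""
import os
from typing import Dict, Set

# Standard sysfs directory exposing per-issue mitigation status on Linux.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample: a modern CPU with SMEP, running a kernel with PTI.
SAMPLE_CPUINFO_NEW = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Constructed sample CPU (SMEP-capable)
flags\t\t: fpu nx smep pti
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2
"""
SAMPLE_VULNS_NEW = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}

# Constructed sample: pre-SMEP hardware on an unpatched kernel (no PTI).
SAMPLE_CPUINFO_OLD = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Constructed sample CPU (pre-SMEP)
flags\t\t: fpu nx
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2
"""
SAMPLE_VULNS_OLD = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}


def parse_cpuinfo_flags(text: str) -> Set[str]:
    """Union of all 'flags' tokens across every CPU entry in a cpuinfo dump."""
    flags: Set[str] = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def parse_vuln_status(files: Dict[str, str]) -> Dict[str, bool]:
    """True for each sysfs file whose content reports an active mitigation."""
    return {name: content.strip().startswith("Mitigation:")
            for name, content in files.items()}


def assess(flags: Set[str], vulns: Dict[str, str]) -> Dict[str, bool]:
    """Combine CPU flags and sysfs status into the properties the thread discusses."""
    status = parse_vuln_status(vulns)
    has_smep = "smep" in flags
    has_nx = "nx" in flags
    # PTI shows up either as the 'pti' cpuinfo flag or as the meltdown mitigation string.
    has_pti = "pti" in flags or vulns.get("meltdown", "").strip() == "Mitigation: PTI"
    return {
        "smep": has_smep,
        "nx": has_nx,
        "pti": has_pti,
        # From the thread: SMEP stops speculation into user pages outright; without
        # SMEP, the fallback is PTI marking user memory NX in kernel mode (assumption
        # carried over from the discussion, also stated for the 4.4/4.9 KAISER ports).
        "user_gadget_speculation_blocked": has_smep or (has_nx and has_pti),
        "meltdown_mitigated": status.get("meltdown", False),
        "spectre_v2_mitigated": status.get("spectre_v2", False),
    }


def read_live() -> Dict[str, bool]:
    """Assess the machine this runs on; sysfs files may be absent on old kernels."""
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    vulns: Dict[str, str] = {}
    if os.path.isdir(VULN_DIR):
        for name in os.listdir(VULN_DIR):
            with open(os.path.join(VULN_DIR, name)) as f:
                vulns[name] = f.read()
    return assess(parse_cpuinfo_flags(cpuinfo), vulns)


if __name__ == "__main__":
    for label, info, vulns in (("new", SAMPLE_CPUINFO_NEW, SAMPLE_VULNS_NEW),
                               ("old", SAMPLE_CPUINFO_OLD, SAMPLE_VULNS_OLD)):
        print(label, assess(parse_cpuinfo_flags(info), vulns))
    if os.path.exists("/proc/cpuinfo"):
        print("live", read_live())
```

On a kernel older than the one that introduced the sysfs vulnerabilities directory the `vulns` mapping stays empty and only the cpuinfo flags drive the result, which is why `has_pti` also accepts the `pti` flag rather than relying on the meltdown file alone.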