From: Kees Cook
Date: Mon, 15 Jan 2018 12:03:45 -0800
Subject: Re: [tip:x86/pti] x86/retpoline: Fill RSB on context switch for affected CPUs
To: Arjan van de Ven
Cc: David Laight, "dwmw@amazon.co.uk", "riel@redhat.com", "tglx@linutronix.de", "linux-kernel@vger.kernel.org", "tim.c.chen@linux.intel.com", "pjt@google.com", "jpoimboe@redhat.com", "ak@linux.intel.com", "gregkh@linux-foundation.org", "torvalds@linux-foundation.org", "dave.hansen@intel.com", "luto@amacapital.net", "jikos@kernel.org", "peterz@infradead.org", "mingo@kernel.org", "hpa@zytor.com", "linux-tip-commits@vger.kernel.org"
References: <1515779365-9032-1-git-send-email-dwmw@amazon.co.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 15, 2018 at 6:42 AM, Arjan van de Ven wrote:
>>
>> This would mean that userspace would see return predictions based
>> on the values the kernel 'stuffed' into the RSB to fill it.
>>
>> Potentially this leaks a kernel address to userspace.
>
>
> KASLR pretty much died in May this year to be honest with the KAISER paper
> (if not before then)

KASLR was always on shaky ground for local attacks. For pure remote
attacks, it's still useful. And for driving forward research, it
appears to be quite useful. ;)

-Kees

-- 
Kees Cook
Pixel Security