Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp397674rdg; Tue, 10 Oct 2023 13:43:00 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHbl8kozBKkt+VrshzVbmuKqbOBjZZyb1qcVS6jatIOOD6+0lfe40mAWiHn7RharUUBcorR X-Received: by 2002:a05:6358:784:b0:13a:4855:d885 with SMTP id n4-20020a056358078400b0013a4855d885mr21540949rwj.10.1696970580467; Tue, 10 Oct 2023 13:43:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696970580; cv=none; d=google.com; s=arc-20160816; b=cJgOWdECxm5YXKbLs8JgZRfTqk/b1/XNaAxdnBoLcoLc8ReQGvyOcHvd4khFy605Rh 8iLwp6zHE8SNln9XK1Yq/Vw4lXh1julpLLD/wzbkDNrGsNxBEoFDHFHR18EEYnphHkQY w2Fvc8uF2uVNZQLLWUfNpFsW+buO4Zqk8N8nP6H1N6ZJRVDIkQUx3ukiTGk273OyrYeO uGinkGQagTWPNsVw7iJuF4cTQvu+utxPRX9/ZDMLBe4dAv7vYsMrDNe21k2RQQmwcegU bnFlCiNjkAlI5Jv1sERQJpSzvCePboJqF2IhfucGuFT8D6jlXzSL3gKcXHK3v7bmJkfQ GK2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=3hLzUUAqQA2LVdYihFBpoLpthne89bNj5sfLzx1qiGc=; fh=7QXnpgeVLngJOa0an8szNan2v+x8OzDbHI/UyNpY0Ww=; b=Tx6cKlJN7W1W9g374pQ/JGmHY1jkSx8aFLBwYanmbuWfe0guDDL0c4SUXZd3ZlIQW4 Djm4XszvxrP+HdE2UyLcz8+syQ8zJsiM6oHSnxu90J2t0cIRHXTw3CiTkuNFGH7VUZoO H8HEnLMXs0UW+XkVKF8iD28jTz040zFMMrwySFgmz3zqQg8WufXMlRynzPTXqtzMwUtC 1bodYLdyKDQR03BBUCiJaJmx8v0XpQ0srGMsutz8/zCCgqFFu3yZ4n16I2NXyhqT+OMQ /VIZME4jaFwJ3YVBUateFEvG6QuU/6T5/E7Ip0GxUVMR2Ob2vrAK0yXLolZwNDV5cEFx 3GxQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=gZbToJHH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id cw4-20020a056a00450400b0068a140568b4si652301pfb.348.2023.10.10.13.43.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:43:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=gZbToJHH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 0525A8054BF2; Tue, 10 Oct 2023 13:42:52 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343781AbjJJUln (ORCPT + 99 others); Tue, 10 Oct 2023 16:41:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234481AbjJJUlY (ORCPT ); Tue, 10 Oct 2023 16:41:24 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1728E1 for ; Tue, 10 Oct 2023 13:41:21 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DC287C433C9; Tue, 10 Oct 2023 20:41:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1696970481; bh=Bnd4fS4lpjScJDelZFnaw36gFOCQV836uDYvVRt8kkQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=gZbToJHHyHxLcoLX35DZpTmHZT8E9+CnT+QCi9O3Ap12TByUHcnAU4luy715JPUqB 6BgyxBmQIewMxNXWzgApFnAvQsG1oJ2UD+i47yIeUokz6VyOjkEHwwep6S0maEnf1f tp8vfNqc5+tsWyQCrpCBSYw2Sql76KjTSW8HpfvOV8lvVsqC5g6WyFhIMOUA7Y+UZd lDRjyFYanrwzfQcpkc5YvrTfHP7jJxGystAzljEAG6eb+W9+731yMi/44p6KQo7fQq H8zhOMRBWeidZOkrLK2ZH8IUzcbwRwXQnu25lnNQDZGGytKy+5c16tfZukuZ/f7e80 clGoL8NlVEMzQ== Date: Tue, 10 Oct 2023 13:41:19 -0700 From: Josh Poimboeuf To: "Kaplan, David" Cc: "x86@kernel.org" , "luto@kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH 3/3] x86/retpoline: Ensure default return thunk isn't used at runtime Message-ID: <20231010204119.76i7vwecmeo6ex6d@treble> References: <20231010171020.462211-1-david.kaplan@amd.com> <20231010171020.462211-4-david.kaplan@amd.com> <20231010193643.su6iqjniuxqqke6d@treble> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=2.4 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on howler.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Tue, 10 Oct 2023 13:42:52 -0700 (PDT) X-Spam-Level: ** On Tue, Oct 10, 2023 at 08:14:33PM +0000, Kaplan, David wrote: > [AMD Official Use Only - General] > > > -----Original Message----- > > From: Josh Poimboeuf > > Sent: Tuesday, October 10, 2023 2:37 PM > > To: Kaplan, David > > Cc: x86@kernel.org; luto@kernel.org; linux-kernel@vger.kernel.org > > Subject: Re: [PATCH 3/3] x86/retpoline: Ensure default return thunk isn't used > > at runtime > > > > > * > > > - * This code is only used during kernel boot or module init. All > > > + * This code is only used during kernel boot. All > > > * 'JMP __x86_return_thunk' sites are changed to something else by > > > * apply_returns(). > > > + * > > > + * This thunk is turned into a ud2 to ensure it is never used at runtime. > > > + * Alternative instructions are applied after apply_returns(). > > > */ > > > SYM_CODE_START(__x86_return_thunk) > > > UNWIND_HINT_FUNC > > > ANNOTATE_NOENDBR > > > - ANNOTATE_UNRET_SAFE > > > - ret > > > + ALTERNATIVE __stringify(ANNOTATE_UNRET_SAFE;ret),"ud2", > > > + X86_FEATURE_RETHUNK > > > > If it's truly never used after boot (even for non-rethunk cases) then can we use > > X86_FEATURE_ALWAYS? > > > > I think that could work. There is one subtlety though I'll point out: > > The use of __x86_return_thunk when X86_FEATURE_RETHUNK is set is a > potential security issue, as it means the required return thunk is not > being used. The use of __x86_return_thunk when X86_FEATURE_RETHUNK is > not set is only a performance issue, as it means there is a return > that was not rewritten to be an inline 'ret' by apply_returns(). > > The ud2 was primarily intended to capture cases where there is a > potential security hole, while it is a bit overkill just to point out > a return that was not optimized. Even if it's not a security hole, I'd still view it as a major BUG() as it would directly contradict our understanding (and the comments above) and could cause performance or other correctness issues that would otherwise go unnoticed. So I think an unconditional UD2 is warranted. -- Josh