From: Dave Hansen
Date: Tue, 25 Oct 2022 15:00:35 -0700
Subject: Re: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel
To: Peter Zijlstra, Pawan Gupta
Cc: scott.d.constable@intel.com, daniel.sneddon@linux.intel.com, Jakub Kicinski, Johannes Berg, Paolo Abeni, antonio.gomez.iglesias@linux.intel.com, "David S. Miller", Eric Dumazet, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, gregkh@linuxfoundation.org, netdev@vger.kernel.org
List-ID: linux-wireless@vger.kernel.org

On 10/25/22 04:07, Peter Zijlstra wrote:
> I think the focus should be on finding the source sites, not protecting
> the target sites. Where can an attacker control the register content and
> have an indirect jump/call.

How would this work with something like 'struct file_operations', which provides a rich set of indirect calls that frequently have fully user-controlled values in registers?
It certainly wouldn't *hurt* to be zeroing out the registers that are unused at indirect call sites. But, the majority of gadgets in this case used rdi and rsi, which are the least likely to be able to be zapped at call sites.