Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp292751rwi;
        Wed, 26 Oct 2022 00:35:52 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM7LNqY6LTb503B4CVt7yam0lsmXw41icWoiDNqgq3VwJCYM/+nkvIMlWoZjOSEBpbw/p+Bg
X-Received: by 2002:a50:cc07:0:b0:453:4427:a918 with SMTP id m7-20020a50cc07000000b004534427a918mr39615292edi.121.1666769751947;
        Wed, 26 Oct 2022 00:35:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666769751; cv=none;
        d=google.com; s=arc-20160816;
        b=RD5ToCG7b07GumaXcsd2AXZ3nDjESvm592vPgCgGv0kPe7/uof2go1Q27XxmOnhQOx
         iPOp+u8sZYWCV7CVmuQ3t3OK3Khx8Xav9pqcdy71smKuOLTG0jLh8QF0wHs7FGoh+G+4
         Re0cIS3nLdnXqXEGo0HIqKnJRZaQh+Ra6zrcWGf+3dGCAusqRa4DFGqpP3N6zwPBjsfT
         2aLy6hu0c2RxP0zNZVy7HIXEX1BCX0NkXV9eSpo5GCEf95nSLHD9qfA4+uSdf2Z+10dE
         RbaKid4+1sefwp7OFksi95MyOkZ2cC9E5D+T3nbTTN7QEDAGL9NZsU9d8jZ9u9lPQpzc
         pAQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=a3GBx/1SEU4nlgFOr1WH1Nhc3cu82Haw2GQSxs/IRPE=;
        b=ya/qUp6iRO5Pk9XTrH0oA674/GQLj48IT7pdfdH+s0xaOHbQXKKVCfMKjbvIeYmcpI
         p5iuVG8Ffh/JuoHP+s9Wd6N9sRbeYn8h3LIZ55ogvjcFcApkax1kSohHvoaVEjCOdPlQ
         T+zbdujcOFrAXttiHpyfR5sl1ewCbidnH8X+PI6QZgDvP+JeqqArt9CqKWJ0DP4MhVKP
         k8/+Xyc9ZuU/QYCyuzTpxbg/o7WQiXEP1K9XismTT8UULIJaFa5Eq8nAbQEVofq0Wh8S
         fVxE+rlnYHtpYD2YhQ14Wnh0G26tEN3VkK1gbZ6guIwj4M4qPWZhs+jIPTaCNQpsGeBQ
         yBag==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=N3xz1IF1;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id fe17-20020a1709072a5100b00782ff2649a7si3835642ejc.346.2022.10.26.00.35.33;
        Wed, 26 Oct 2022 00:35:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=N3xz1IF1;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232988AbiJZHcV (ORCPT <rfc822;mudongliangabcd@gmail.com>
        + 65 others); Wed, 26 Oct 2022 03:32:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42938 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229904AbiJZHcU (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Wed, 26 Oct 2022 03:32:20 -0400
Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4F96DFD31;
        Wed, 26 Oct 2022 00:32:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=desiato.20200630; h=In-Reply-To:Content-Type:MIME-Version:
        References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description;
        bh=a3GBx/1SEU4nlgFOr1WH1Nhc3cu82Haw2GQSxs/IRPE=; b=N3xz1IF1GuT5qIXni60fN5NV/M
        DY2iml2OichCv/namBi8VhhKAqZTHW7QI/g5LSozDIBop3cQLqO+9Zcv1bKSK4p/eFRaBBj0iQUX7
        e7M5aYv0R96rJLCz7PVdjhZv05dduKUYgRoUQp82kMz/BU1TvwZA1VPnikPvPnEJlL6sk3pTTjieO
        NUUyR8oGIYf/xFcIFtCz9H49Mr48YLOgoR7odEJa1R8/ThJ/RmBH+SGr9OBUjWFM5VqRkes7IpKXu
        T9fo75aNFNE3+hm0F/yGjutnn1PTdpvvzXSLcJj+x9yXKzZkCdLrcZx1eIslmycVcmQSPKy8E1JD6
        ufR+feQg==;
Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net)
        by desiato.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux))
        id 1onasu-006Wd7-Lb; Wed, 26 Oct 2022 07:31:34 +0000
Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (4096 bits))
        (Client did not present a certificate)
        by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 99B323000DD;
        Wed, 26 Oct 2022 09:31:31 +0200 (CEST)
Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000)
        id 475ED2C259E96; Wed, 26 Oct 2022 09:31:31 +0200 (CEST)
Date:   Wed, 26 Oct 2022 09:31:31 +0200
From:   Peter Zijlstra <peterz@infradead.org>
To:     Dave Hansen <dave.hansen@intel.com>
Cc:     Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
        scott.d.constable@intel.com, daniel.sneddon@linux.intel.com,
        Jakub Kicinski <kuba@kernel.org>,
        Johannes Berg <johannes@sipsolutions.net>,
        Paolo Abeni <pabeni@redhat.com>,
        antonio.gomez.iglesias@linux.intel.com,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
        x86@kernel.org, gregkh@linuxfoundation.org, netdev@vger.kernel.org
Subject: Re: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel
Message-ID: <Y1jiUzw8QbXUW/+V@hirez.programming.kicks-ass.net>
References: <cover.1666651511.git.pawan.kumar.gupta@linux.intel.com>
 <Y1fDiJtxTe8mtBF8@hirez.programming.kicks-ass.net>
 <b4a64b97-32d2-d83d-9146-ebc9a4cc9ff6@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <b4a64b97-32d2-d83d-9146-ebc9a4cc9ff6@intel.com>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

On Tue, Oct 25, 2022 at 03:00:35PM -0700, Dave Hansen wrote:
> On 10/25/22 04:07, Peter Zijlstra wrote:
> > I think the focus should be on finding the source sites, not protecting
> > the target sites. Where can an attacker control the register content and
> > have an indirect jump/call.
> 
> How would this work with something like 'struct file_operations' which
> provide a rich set of indirect calls that frequently have fully
> user-controlled values in registers?
> 
> It certainly wouldn't *hurt* to be zeroing out the registers that are
> unused at indirect call sites.  But, the majority of gadgets in this
> case used rdi and rsi, which are the least likely to be able to be
> zapped at call sites.

Right; so FineIBT will limit the targets to the right set of functions,
and those functions must already assume the values are user controlled
and take appropriate measures.

If you really truly care about the old hardware, then one solution would
be to de-virtualize the call using LTO or something (yes, it will need
some compiler work and you might need to annotate the code a bit and
even have a fixed/predetermined set of loadable modules, but meh).

Barring that, you could perhaps put {min,max} range information next to
the function pointer such that you can impose value ranges before doing
the indirect call.

But given this is all theoretical and FineIBT solves a lot of it I can't
find myself to care too much.