Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation

From: Sami Tolvanen
Date: Mon Jul 18 2022 - 18:56:10 EST


On Mon, Jul 18, 2022 at 3:47 PM Joao Moreira <joao@xxxxxxxxxxxxxxxxxx> wrote:
> Thus the hash will be 6 bytes before the function entry point. Then we
> can get the compiler to emit a padding area before the __cfi_\func
> snippet and, during boot, if the CPU needs the call depth tracking
> mitigation, we:
> - move the __cfi_func into the padding area
> - patch the call depth tracking snippet ahead of it (overwriting the old
> __cfi_\func:)
> - fix the cmpl offset in the caller
>
> func_whatever:
> ...
> cmpl $0x\hash, -FIXED_OFFSET(%rax)
> je 1f
> ud2
> 1:
> call *%rax
> ...

The problem with this is that the cmpl instruction contains the full
type hash, which means that any instruction that's FIXED_OFFSET from
the cmpl is a valid indirect call target as far as KCFI is concerned.
-6 was chosen specifically to make the ud2 the only possible target.

Sami