RE: [patch 00/38] x86/retbleed: Call depth tracking mitigation
From: David Laight
Date: Thu Jul 21 2022 - 18:01:22 EST
> From: Linus Torvalds
> Sent: 21 July 2022 19:07
...
> (b) since you have that r10 use anyway, why can't you just generate the simpler
>
>         movl $-IMM,%r10d
>         addl -4(%calldest),%r10d
>
> instead? You only need ZF anyway.
>
> Maybe you need to add some "r10 is clobbered" thing, I don't know.
>
> But again: I don't know llvm, so the above is basically me just doing
> the "pattern matching monkey" thing.
>
> Linus
Since: "If the callee is a variadic function, then the number of floating
point arguments passed to the function in vector registers must be provided
by the caller in the AL register."
And since that never happens in the kernel, you can use %eax instead
of %r10d.
Even in userspace %al can be set non-zero after the signature check.
If you are willing to cut the signature down to 26 bits and
then ensure that one of the bytes of -IMM (or ~IMM if you
use xor) is 0xcc, and jump back to that on error, the check
becomes:

        movl    $-IMM,%eax
1:      addl    -4(%calldest),%eax
        jnz     1b-1            // or -2, -3, -4
        add     $num_fp_args,%eax   // If needed non-zero
        call    %calldest
I think that adds 10 bytes to the call site.
Although with retpoline thunks (and no fp varargs calls)
all but the initial movl can go into the thunk.
David
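The following is an added worked example, not code from the thread or from the kernel tree: it models the call-site check David sketches (a 26-bit signature, one byte of the call-site immediate forced to 0xcc, and a jnz back into the movl on mismatch) as plain C so the arithmetic can be checked. It assumes the 26 bits are split as 2 bits selecting which immediate byte is 0xcc plus 24 bits for the other three bytes, that the callee stores IMM in the four bytes before its entry and the call site loads -IMM, and that the movl is encoded as B8 imm32 (5 bytes, little-endian immediate). The names (callsite_imm, callee_word, jnz_disp, run_check) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Signature layout assumed for this example: bits 25:24 pick which of the
 * four immediate bytes is 0xcc, bits 23:0 fill the remaining three bytes
 * from the lowest address upwards. */
#define SIG_BITS 26u
#define SIG_MASK ((1u << SIG_BITS) - 1u)

/* The 32-bit value the call site loads with "movl $-IMM,%eax".
 * Exactly one byte is 0xcc so a jump into the immediate hits an int3. */
static uint32_t callsite_imm(uint32_t sig)
{
    unsigned cc_pos = (sig >> 24) & 3u;   /* 0 = least significant byte */
    uint32_t rest = sig & 0xffffffu;
    uint32_t imm = 0;

    for (unsigned i = 0; i < 4; i++) {
        uint32_t byte;
        if (i == cc_pos) {
            byte = 0xccu;
        } else {
            byte = rest & 0xffu;
            rest >>= 8;
        }
        imm |= byte << (8 * i);
    }
    /* Note: if a data byte is itself 0xcc, two signatures can map to the
     * same immediate, so the usable space is slightly below 2^26. */
    return imm;
}

/* The word stored at -4(%calldest): chosen so callee_word + (-IMM) == 0
 * mod 2^32, i.e. the addl sets ZF on a matching signature. */
static uint32_t callee_word(uint32_t sig)
{
    return 0u - callsite_imm(sig);
}

/* Displacement (relative to label 1:, the addl) the jnz must use so that a
 * mismatch lands on the 0xcc byte inside the movl's immediate: -4 .. -1. */
static int jnz_disp(uint32_t sig)
{
    unsigned cc_pos = (sig >> 24) & 3u;
    return -(int)(4u - cc_pos);
}

/* Encode "movl $imm32,%eax": opcode 0xb8 then the little-endian immediate. */
static void encode_movl_eax(uint32_t imm, uint8_t out[5])
{
    out[0] = 0xb8;
    for (unsigned i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(imm >> (8 * i));
}

/* Emulate the sequence from the mail. Returns 1 when the call proceeds
 * (*eax then holds the value handed to the callee, i.e. num_fp_args), or 0
 * when the jnz fires (*trap then holds the byte at the jump target). */
static int run_check(uint32_t callsite_sig, uint32_t callee_sig,
                     unsigned num_fp_args, uint32_t *eax, uint8_t *trap)
{
    uint8_t insn[5];
    uint32_t imm = callsite_imm(callsite_sig & SIG_MASK);

    encode_movl_eax(imm, insn);
    uint32_t acc = imm;                              /* movl $-IMM,%eax      */
    acc += callee_word(callee_sig & SIG_MASK);       /* 1: addl -4(%cd),%eax */
    if (acc != 0) {                                  /* jnz 1b-k             */
        *trap = insn[5 + jnz_disp(callsite_sig)];    /* byte at 1b-k         */
        return 0;
    }
    acc += num_fp_args;                              /* add $num_fp_args,%eax */
    *eax = acc;
    return 1;
}

/* %eax seen by the callee, or -1 if the check trapped. */
static int eax_after_check(uint32_t cs, uint32_t ce, unsigned nfp)
{
    uint32_t eax = 0; uint8_t trap = 0;
    return run_check(cs, ce, nfp, &eax, &trap) ? (int)eax : -1;
}

/* Byte the jnz lands on after a mismatch, or -1 if the check passed. */
static int trap_byte_on_mismatch(uint32_t cs, uint32_t ce)
{
    uint32_t eax = 0; uint8_t trap = 0;
    return run_check(cs, ce, 0, &eax, &trap) ? -1 : (int)trap;
}

int main(void)
{
    uint32_t sig = (2u << 24) | 0x123456u;   /* constructed sample signature */
    printf("callsite imm %08x, callee word %08x, jnz 1b%d\n",
           callsite_imm(sig), callee_word(sig), jnz_disp(sig));
    printf("match: eax=%d  mismatch: trap byte 0x%02x\n",
           eax_after_check(sig, sig, 2), trap_byte_on_mismatch(sig, sig ^ 1u));
    return 0;
}
```

With the sample signature the call site loads 0x12cc3456, the callee stores 0xed33cbaa, and the jnz displacement is -2 because the 0xcc byte is the third immediate byte; a mismatched callee leaves %eax non-zero and the jump lands on that 0xcc.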