Re: [Xen-devel] [PATCH v11 6/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
>>> On 25.01.18 at 17:54, <andrew.cooper3@xxxxxxxxxx> wrote:
> ret instructions are speculated directly to values recorded in the Return
> Stack Buffer/Return Address Stack, as there is no uncertainty in well-formed
> code. Guests can take advantage of this in two ways:
>
> 1) If they can find a path in Xen which executes more ret instructions than
>    call instructions. (At least one in the waitqueue infrastructure,
>    probably others.)
>
> 2) Use the fact that the RSB/RAS in hardware is actually a circular stack
>    without a concept of empty. (When it logically empties, stale values
>    will start being used.)
>
> To mitigate, overwrite the RSB on entry to Xen with gadgets which will capture
> and contain rogue speculation.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
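The two problems named in the quoted commit message (a ret/call imbalance in Xen, and a circular RSB that never becomes empty) and the effect of the fill on entry, as an added C model of the predictor; this is not Xen's code, and the 16-entry depth, the 32-call fill count, the guest/Xen addresses and the `TRAP` gadget address are constructed assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RSB_ENTRIES    16   /* assumed hardware depth */
#define RSB_FILL_COUNT 32   /* fill 2x the depth so every slot is overwritten */
#define GUEST_BASE 0xffff800000000000ull  /* constructed guest return addresses */
#define XEN_RET    0x1000ull              /* constructed Xen return address */
#define TRAP       0x2000ull              /* constructed capture-gadget address */

/* Circular return stack: a top index and no notion of "empty". */
struct rsb {
    uint64_t slot[RSB_ENTRIES];
    unsigned top;   /* slot the next call writes / the next ret reads below */
};

/* call: record the return address in the next slot. */
static void rsb_call(struct rsb *r, uint64_t return_addr)
{
    r->slot[r->top] = return_addr;
    r->top = (r->top + 1) % RSB_ENTRIES;
}

/* ret: consume the most recent slot. Once the buffer has logically
 * emptied, whatever is left in the slot (stale guest data) is predicted. */
static uint64_t rsb_ret(struct rsb *r)
{
    r->top = (r->top + RSB_ENTRIES - 1) % RSB_ENTRIES;
    return r->slot[r->top];
}

/* Mitigation: on entry to Xen, issue RSB_FILL_COUNT calls that each land on
 * the capture gadget, so every slot holds a contained target. */
static void rsb_overwrite(struct rsb *r, uint64_t capture_gadget)
{
    for (int i = 0; i < RSB_FILL_COUNT; i++)
        rsb_call(r, capture_gadget);
}

/* Scenario: the guest fills the RSB, Xen is entered (optionally overwriting
 * it), then a Xen path executes one call but two rets. Returns the target
 * the predictor supplies for the unbalanced ret. */
static uint64_t predicted_target(bool mitigated)
{
    struct rsb r = { {0}, 0 };
    for (int i = 0; i < RSB_ENTRIES; i++)
        rsb_call(&r, GUEST_BASE + 0x10 * i);   /* guest-controlled entries */
    if (mitigated)
        rsb_overwrite(&r, TRAP);
    rsb_call(&r, XEN_RET);
    (void)rsb_ret(&r);       /* balanced ret: predicts XEN_RET */
    return rsb_ret(&r);      /* unbalanced ret: reads beneath the Xen entry */
}

int main(void)
{
    printf("unmitigated: %#llx\n", (unsigned long long)predicted_target(false));
    printf("mitigated:   %#llx\n", (unsigned long long)predicted_target(true));
    return 0;
}
```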