
Re: [Xen-devel] [PATCH v11 6/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen

>>> On 25.01.18 at 17:54, <andrew.cooper3@xxxxxxxxxx> wrote:
> ret instructions are speculated directly to values recorded in the Return
> Stack Buffer/Return Address Stack, as there is no uncertainty in well-formed
> code.  Guests can take advantage of this in two ways:
>   1) If they can find a path in Xen which executes more ret instructions than
>      call instructions.  (At least one in the waitqueue infrastructure,
>      probably others.)
>   2) Use the fact that the RSB/RAS in hardware is actually a circular stack
>      without a concept of empty.  (When it logically empties, stale values
>      will start being used.)
> To mitigate, overwrite the RSB on entry to Xen with gadgets which will capture
> and contain rogue speculation.
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
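Added illustration, not part of the thread and not Xen's code or the patch's assembly: a small C model of the Return Stack Buffer behaviour the quoted commit message relies on. It models the RSB as a 32-entry circular buffer with no notion of "empty" (the entry count and all addresses are constructed assumptions), shows the two ways the message says a guest can influence a ret prediction in Xen (an unbalanced call/ret path, and logical underflow reading stale slots), and shows that overwriting every slot on entry with a trap gadget address leaves both cases predicting the gadget instead of a guest-chosen value. The real mitigation is a loop of call instructions each followed by a speculation trap plus an rsp fix-up; here that is modelled as 32 pushes of one placeholder address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a hardware Return Stack Buffer / Return Address Stack.
 * Assumption (constructed for this example): 32 entries.  The buffer is
 * circular and has no concept of empty: popping past what was pushed
 * simply hands back whatever stale value the slot still holds. */
#define RSB_ENTRIES 32

struct rsb {
    uintptr_t entry[RSB_ENTRIES];
    unsigned top;            /* index of the next slot a call pushes into */
};

/* A call pushes the predicted return address. */
static void rsb_call(struct rsb *r, uintptr_t ret_addr)
{
    r->entry[r->top] = ret_addr;
    r->top = (r->top + 1) % RSB_ENTRIES;
}

/* A ret pops.  There is no underflow check, so an unmatched ret yields
 * whatever an earlier push (possibly by a guest) left in the slot. */
static uintptr_t rsb_ret(struct rsb *r)
{
    r->top = (r->top + RSB_ENTRIES - 1) % RSB_ENTRIES;
    return r->entry[r->top];
}

#define TRAP_GADGET ((uintptr_t)0xfee1dead)  /* placeholder gadget address */
#define GUEST_ADDR  ((uintptr_t)0x4000)      /* constructed guest-chosen value */
#define XEN_RET     ((uintptr_t)0x1000)      /* constructed Xen return address */

/* Mitigation from the commit message, modelled: on entry to the
 * hypervisor overwrite every RSB slot with the trap gadget's address. */
static void rsb_clobber_on_entry(struct rsb *r)
{
    for (int i = 0; i < RSB_ENTRIES; i++)
        rsb_call(r, TRAP_GADGET);
}

/* Guest phase: before trapping into Xen, a guest can run calls that
 * fill the RSB with values of its choosing. */
static void guest_fills_rsb(struct rsb *r)
{
    for (int i = 0; i < RSB_ENTRIES; i++)
        rsb_call(r, GUEST_ADDR);
}

/* Case 1 from the message: a Xen path with one more ret than call.
 * Returns the prediction the unmatched ret receives. */
static uintptr_t xen_unbalanced_path(struct rsb *r, int clobber)
{
    if (clobber)
        rsb_clobber_on_entry(r);
    rsb_call(r, XEN_RET);
    (void)rsb_ret(r);      /* the matching ret */
    return rsb_ret(r);     /* unmatched ret: prediction comes from a stale slot */
}

/* Case 2 from the message: logically empty the RSB (more rets than pushes
 * since entry) and see what the circular buffer keeps handing back. */
static uintptr_t xen_underflow_path(struct rsb *r, int clobber)
{
    if (clobber)
        rsb_clobber_on_entry(r);
    uintptr_t last = 0;
    for (int i = 0; i < RSB_ENTRIES + 1; i++)
        last = rsb_ret(r);
    return last;
}

/* scenario 1 = unbalanced path, 2 = underflow; clobber selects the mitigation. */
static uintptr_t predicted_target(int scenario, int clobber)
{
    struct rsb r;
    memset(&r, 0, sizeof(r));
    guest_fills_rsb(&r);
    return scenario == 1 ? xen_unbalanced_path(&r, clobber)
                         : xen_underflow_path(&r, clobber);
}

int main(void)
{
    for (int scenario = 1; scenario <= 2; scenario++)
        for (int clobber = 0; clobber <= 1; clobber++)
            printf("case %d, %s: ret predicted to %#lx\n", scenario,
                   clobber ? "RSB clobbered on entry" : "unmitigated",
                   (unsigned long)predicted_target(scenario, clobber));
    return 0;
}
```

Without the entry-time overwrite, both paths predict the guest-chosen address; with it, both predict the trap gadget, which is exactly the containment the message describes. The model also makes the underflow case visible: the unmitigated buffer never reports "empty", it just recycles stale entries.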
