
Re: [Xen-devel] [PATCH] Choose retpoline only when it is safe to use

On 06/02/2018 09:13, Zhenzhong Duan wrote:
> On 2018/2/6 16:59, Andrew Cooper wrote:
>> On 06/02/2018 08:43, Zhenzhong Duan wrote:
>>> When ( ibrs && thunk == THUNK_DEFAULT && !retpoline_safe() ) is true,
>>> thunk is set to THUNK_JMP rather than THUNK_RETPOLINE.
>>> When (!ibrs && thunk == THUNK_DEFAULT && !retpoline_safe() ) is true,
>>> we should do the same.
>>> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@xxxxxxxxxx>
>> Why?  What improvement is this intended to give?
> No improvement, I just feel that if retpoline isn't safe, THUNK_JMP is
> better and safer.
> The first check above already works that way.

If your only two choices are unsafe retpoline or plain jumps, then unsafe
retpoline is far far far safer.

Its unsafe properties only kick in on an RSB underflow, and an attacker
would have to do call-depth analysis of the running binary to identify
which rets to attempt to poison.


Xen-devel mailing list