[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] x86: guard against straight-line speculation past RET

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Mon, 24 Aug 2020 14:50:43 +0200
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Mon, 24 Aug 2020 12:50:48 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Under certain conditions CPUs can speculate into the instruction stream
past a RET instruction. Guard against this just like 3b7dab93f240
("x86/spec-ctrl: Protect against CALL/JMP straight-line speculation")
did - by inserting an "INT $3" insn. It's merely the mechanics of how to
achieve this that differ: A pair of macros gets introduced to post-
process RET insns issued by the compiler (or living in assembly files).

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
Should this depend on CONFIG_SPECULATIVE_HARDEN_BRANCH?
---
This depends on the "x86: some assembler macro rework" series posted
over a month ago.

--- a/xen/include/asm-x86/asm-defns.h
+++ b/xen/include/asm-x86/asm-defns.h
@@ -50,3 +50,19 @@
 .macro INDIRECT_JMP arg:req
     INDIRECT_BRANCH jmp \arg
 .endm
+
+/*
+ * To guard against speculation past RET, insert a breakpoint insn
+ * immediately after them.
+ */
+.macro ret operand:vararg
+    ret$ \operand
+.endm
+.macro ret$ operand:vararg
+    .purgem ret
+    ret \operand
+    int $3
+    .macro ret operand:vararg
+        ret$ \\(operand)
+    .endm
+.endm

Prev by Date: Re: [PATCH v2 5/5] x86: simplify is_guest_l2_slot()
Next by Date: Re: [PATCH v2 5/5] x86: simplify is_guest_l2_slot()
Previous by thread: Ping: [PATCH] x86: guard against port I/O overlapping the RTC/CMOS range
Next by thread: MFN on ARM
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.