This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".

From: Florian Weimer <fweimer at redhat dot com>
To: Cary Coutant <ccoutant at gmail dot com>, Sriraman Tallam <tmsriram at google dot com>
Cc: binutils <binutils at sourceware dot org>, Chandler Carruth <chandlerc at google dot com>, Reid Kleckner <rnk at google dot com>, Eric Christopher <echristo at google dot com>, Rui Ueyama <ruiu at google dot com>, Brooks Moses <bmoses at google dot com>, Sidney Hummert <shummert at google dot com>, Xinliang David Li <davidxl at google dot com>
Date: Fri, 5 Jan 2018 12:42:00 +0100
Subject: Re: Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".
Authentication-results: sourceware.org; auth=none
References: <CAAs8HmzJkLiGaUWf9czpNfEejM=uCP=zFvudADEuxsA2wHk+fQ@mail.gmail.com> <CAJimCsGGcXCxQUWD9XGmEHdJ+w01Tr0u29yowA9b16YGHHxMkA@mail.gmail.com>

On 01/05/2018 12:08 AM, Cary Coutant wrote:

* options.h (retpolineplt): New -z option to use retpoline PLT.
* x86_64.cc (Output_data_plt_x86_64_retpoline): New class.
(Target_x86_64<64>::do_make_data_plt): Create retpoline PLT when
the option is used.
* testsuite/Makefile.am (retpoline_plt_1.sh): New test.
* testsuite/Makefile.in: Regenerate.
* testsuite/retpoline_plt_1.sh: New test script.
* testsuite/retpoline_plt_1.s: New test source.


This makes the -z bndplt and -z retpolineplt options mutually
exclusive. Please add a check in options.cc
(General_options::finalize) for this.

It's also incompatible with shadow stack support, so the binary markerfor that needs to be removed.

I don't think this is the right approach at all. What is this trying toaccomplish? What kind of speculation barrier does this implement oncurrent CPUs? Isn't this *extremely* costly?

If we think this is a problem that needs to be fixed, we should removethe indirect call altogether, and have the dynamic linker generate adirect call at load time. There are few constraints associated withthat (4 GiB total application + DSO size, some SELinux users willunhappy, lack of lazy binding support), but at least it can be turned onin practice.


Thanks,
Florian

Follow-Ups:
- Re: Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".
  - From: Ian Lance Taylor via binutils
- Re: Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".
  - From: Cary Coutant

References:
- Re: Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".
  - From: Cary Coutant

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]