This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
Re: Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".
- From: Florian Weimer <fw at deneb dot enyo dot de>
- To: Cary Coutant <ccoutant at gmail dot com>
- Cc: Sriraman Tallam <tmsriram at google dot com>, binutils <binutils at sourceware dot org>, Chandler Carruth <chandlerc at google dot com>, Reid Kleckner <rnk at google dot com>, Eric Christopher <echristo at google dot com>, Rui Ueyama <ruiu at google dot com>, Brooks Moses <bmoses at google dot com>, Sidney Hummert <shummert at google dot com>, Xinliang David Li <davidxl at google dot com>
- Date: Mon, 08 Jan 2018 09:09:01 +0100
- Subject: Re: Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".
- Authentication-results: sourceware.org; auth=none
- References: <CAAs8HmzJkLiGaUWf9czpNfEejM=uCP=zFvudADEuxsA2wHk+fQ@mail.gmail.com> <CAJimCsGGcXCxQUWD9XGmEHdJ+w01Tr0u29yowA9b16YGHHxMkA@mail.gmail.com> <17cb3295-626f-ba0f-7458-c13eaea24d2b@redhat.com> <CAJimCsE6bZ9VwKTfh9dFvT1HmNb==0Kxh6EJQQWXGoH-U=Epsg@mail.gmail.com>
* Cary Coutant:
> Supposedly, this strategy aims to disable branch prediction for all
> indirect branches in a piece of code, so that attackers cannot use
> branch predictor training to force the speculative execution of any
> available "gadgets" in the target code. I haven't yet seen any claims
> where branch predictor training by itself can be exploited -- it's
> simply one way to exploit the cache side channel vulnerabilities.
The “supposedly” bit irks me. Using RET for indirect jumps isn't new.
They have been used on in the i386 dynamic linker for a long, long
time because there is no reserved register which the PLT stub can use
to store the target address. (The GNU ABI supports three integer
register arguments, and the remining registers are either
special-purpose or callee-saved.) As a result, CPUs might already
have logic to recognize non-returning RETs.
It's also not clear to me why the PAUSE loop would be preferable to a
single UD2 or CPUID instruction.
In i386 mode, the CPU does not prefetch through far jumps. Does such
prefetching occur in x86-64 mode? If not, why not use a far jump?
Is there an expectation that the retpoline does something to the
caller or callee as far as return stack caching is concerned?
It's also not clear to me that a DSO boundar equals a trust boundary.
For a JIT, the indirect calls which need protecting are likely
someplace else, I assume.
> But, given that, I also don't really know whether it's really needed
> for user-level apps that may be dynamically linked, or only for the
> kernel, for which compiler changes should be sufficient.
I expect that compiler support for indirect branch rewriting together
with -fno-plt is sufficient. There is simply no need to put any code
into binutils at this point.