Subject: Re: [PATCH 1/2] i386: Generate lfence with load/indirect branch/ret [CVE-2020-0551]
From: Jan Beulich <jbeulich@suse.com>
To: Hongtao Liu
Cc: "H.J. Lu", Binutils, "Lu, Hongjiu"
Date: Thu, 23 Apr 2020 08:59:36 +0200
Message-ID: <878893bb-3eca-7f7c-5662-ee8d753a3f39@suse.com>
List-Id: Binutils mailing list

On 23.04.2020 04:53, Hongtao Liu wrote:
> On Wed, Apr 22, 2020 at 4:47 PM Jan Beulich wrote:
>> On 22.04.2020 05:33, Hongtao Liu wrote:
>>> + bfd_boolean has_rexw = i.prefix[REX_PREFIX] & REX_W;
>>> + char prefix = 0x0;
>>> + /* Default operand size for far return is 32 bits,
>>> + 64 bits for near return. */
>>> + if (has_rexw)
>>> + prefix = 0x48;
>>> else
>>> + prefix = i.prefix[DATA_PREFIX]
>>> + ? 0x66
>>> + : !lret && flag_code == CODE_64BIT ? 0x48 : 0x0;
>>
>> Aiui the workaround is specifically for Intel CPUs. Intel CPUs
>> ignore operand size overrides on near RET. (Sorry, I should
>> have pointed out this fact earlier already.)
>
> I don't quite understand your point, could you give a testcase to show that?

Please see commit aeab2b26dbea. But of course creating a testcase to try
out is pretty easy - just encode RET with a 0x66 prefix and observe the
different behavior on Intel vs AMD systems.

Jan
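Review bot: in the quoted hunk the `else` branch picks 0x66 whenever `i.prefix[DATA_PREFIX]` is set and only consults `!lret` in the fallback, yet the reply states that Intel CPUs ignore operand size overrides on near RET; for a near return the data prefix therefore does not change the size popped on the CPUs this mitigation targets, so the 0x66 choice should also be gated on `lret` (e.g. `prefix = i.prefix[DATA_PREFIX] && lret ? 0x66 : ...`), or a comment should say that the near-RET case deliberately mirrors whatever prefix was encoded. The comment "64 bits for near return" holds only for 64-bit code, which the `flag_code == CODE_64BIT` test reflects but the comment does not; it should also say that a `prefix` of 0x0 means no prefix, i.e. the mode's default size, since the code never emits anything for the 32-bit far-return default it mentions.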