Re: [PATCH 1/2] i386: Generate lfence with load/indirect branch/ret [CVE-2020-0551]

public inbox for binutils@sourceware.org
 help / color / mirror / Atom feed

From: Jan Beulich <jbeulich@suse.com>
To: Hongtao Liu <crazylht@gmail.com>
Cc: "H.J. Lu" <hjl.tools@gmail.com>,
	Binutils <binutils@sourceware.org>,
	"Lu, Hongjiu" <hongjiu.lu@intel.com>
Subject: Re: [PATCH 1/2] i386: Generate lfence with load/indirect branch/ret [CVE-2020-0551]
Date: Thu, 26 Mar 2020 10:12:25 +0100	[thread overview]
Message-ID: <f7e4b053-2c94-bd23-b2eb-c71e92e0328e@suse.com> (raw)
In-Reply-To: <CAMZc-bwKhwx-J0j8vgeW6nw2XVzePRN3NASWKRON1z09GYYcZA@mail.gmail.com>

On 26.03.2020 03:23, Hongtao Liu wrote:
> On Wed, Mar 25, 2020 at 6:03 PM Jan Beulich <jbeulich@suse.com> wrote:
>> On 25.03.2020 10:27, Hongtao Liu wrote:
>>> On Thu, Mar 12, 2020 at 12:17 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>>>> On Wed, Mar 11, 2020 at 3:55 AM Jan Beulich <jbeulich@suse.com> wrote:
>>>>> On 10.03.2020 17:05, H.J. Lu wrote:
>>>>>> +  if (lfence_before_ret != lfence_before_ret_none
>>>>>> +      && (i.tm.base_opcode == 0xc2
>>>>>> +       || i.tm.base_opcode == 0xc3
>>>>>> +       || i.tm.base_opcode == 0xca
>>>>>> +       || i.tm.base_opcode == 0xcb))
>>>>>> +    {
>>>>>> +      if (last_insn.kind != last_insn_other
>>>>>> +       && last_insn.seg == now_seg)
>>>>>> +     {
>>>>>> +       as_warn_where (last_insn.file, last_insn.line,
>>>>>> +                      _("`%s` skips -mlfence-before-ret on `%s`"),
>>>>>> +                      last_insn.name, i.tm.name);
>>>>>> +       return;
>>>>>> +     }
>>>>>> +      if (lfence_before_ret == lfence_before_ret_or)
>>>>>> +     {
>>>>>> +       /* orl: 0x830c2400.  */
>>>>>> +       p = frag_more ((flag_code == CODE_64BIT ? 1 : 0) + 4 + 3);
>>>>>> +       if (flag_code == CODE_64BIT)
>>>>>> +         *p++ = 0x48;
>>>>>
>>>>> Shouldn't this depend on RET's operand size? Likewise wouldn't you
>>>>> also need to insert 0x66/0x67 in certain cases?
>>>>
>>>> Hongtao, can you look into it?
>>>
>>> I suppose you mean OR's operand size?
>>
>> Not exactly - I mean RET's operand size ought to affect the one
>> chosen for OR.
>>
>> Jan
> 
>>> I wonder whether this shouldn't also enable a safe lfence_before_ret
>>> mode (i.e. not the OR one), for RET also being an indirect branch. Of
>>> course care would need to be taken to avoid clobbering an already set
>>> lfence_before_ret mode.
> 
> Also for this part, maybe i'll add some comments to indicate
> -mlfence-before-indirect-branch doesn't include ret. Orelse it would
> be weird for user when clobber happens, Is it ok for you?

Well, extending the description / comments to be more precise is one
solution, but only the the 2nd best one. I continue to think that
there would better be an implication as the one suggested.

Jan

next prev parent reply	other threads:[~2020-03-26  9:12 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-10 16:05 [PATCH 0/2] x86: Add assembler mitigation for CVE-2020-0551 H.J. Lu
2020-03-10 16:05 ` [PATCH 1/2] i386: Generate lfence with load/indirect branch/ret [CVE-2020-0551] H.J. Lu
2020-03-11 10:55   ` Jan Beulich
2020-03-11 16:17     ` H.J. Lu
2020-03-25  9:27       ` Hongtao Liu
2020-03-25 10:03         ` Jan Beulich
2020-03-26  2:23           ` Hongtao Liu
2020-03-26  9:12             ` Jan Beulich [this message]
2020-04-16  5:34               ` Hongtao Liu
2020-04-16  8:33                 ` Jan Beulich
2020-04-20  7:20                   ` Hongtao Liu
2020-04-20  7:34                     ` Jan Beulich
2020-04-21  2:24                       ` Hongtao Liu
2020-04-21  6:30                         ` Jan Beulich
2020-04-22  3:33                           ` Hongtao Liu
2020-04-22  8:47                             ` Jan Beulich
2020-04-23  2:53                               ` Hongtao Liu
2020-04-23  6:59                                 ` Jan Beulich
2020-04-23  8:53                                   ` Hongtao Liu
2020-04-23  9:15                                     ` Jan Beulich
2020-04-24  5:30                                     ` Hongtao Liu
2020-04-24  6:00                                       ` Jan Beulich
2020-04-24  7:29                                         ` Hongtao Liu
2020-04-24 13:00                                           ` H.J. Lu
2020-04-26  2:03                                             ` Hongtao Liu
2020-04-26  3:26                                               ` H.J. Lu
2020-03-10 16:05 ` [PATCH 2/2] i386: Add tests for lfence with load/indirect branch/ret H.J. Lu
2020-03-10 16:33 ` [PATCH 0/2] x86: Add assembler mitigation for CVE-2020-0551 Jan Beulich
2020-03-10 16:36   ` H.J. Lu
2020-03-12  0:32     ` Fangrui Song

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f7e4b053-2c94-bd23-b2eb-c71e92e0328e@suse.com \
    --to=jbeulich@suse.com \
    --cc=binutils@sourceware.org \
    --cc=crazylht@gmail.com \
    --cc=hjl.tools@gmail.com \
    --cc=hongjiu.lu@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).