On Fri, 2018-01-26 at 09:59 -0800, Andi Kleen wrote: > On Fri, Jan 26, 2018 at 09:19:09AM -0800, Linus Torvalds wrote: > > > > On Fri, Jan 26, 2018 at 1:11 AM, David Woodhouse wrote: > > > > > > > > > Do we need to look again at the fact that we've disabled the RSB- > > > stuffing for SMEP? > > Absolutely. SMEP helps make people a lot less worried about things, > > but it doesn't fix the "BTB only contains partial addresses" case. > > > > But did we do that "disable stuffing with SMEP"? I'm not seeing it. In > > my tree, it's only conditional on X86_FEATURE_RETPOLINE. > > For Skylake we need RSB stuffing even with SMEP to avoid falling back to the > BTB on underflow. I am *actively* ignoring Skylake right now. This is about per-SKL userspace even with SMEP, because we think Intel's document lies to us. If the RSB only holds the low bits of the target, then a userspace attacker can populate an RSB entry which points to a kernel gadget of her choice, even with SMEP or KPTI enabled.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature