On Wed, 26 Sep 2018 at 19:32, Florian Weimer <fweimer@xxxxxxxxxx> wrote: > We recently discovered that our OpenSSH distribution binaries contain > retpoline thunks. It's due to this > > OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc > OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc I was the one who added those. It was shortly after the disclosure of Spectre, and the concern was that ssh, sshd and particularly ssh-agent hold secrets where the disclosure of those across trust boundaries would be various levels of bad. The documentation at the time was pretty sparse and it's not much clearer now. What should a userspace program do for Spectre? > There have been other retpoline bugs in GCC which do not affect the > kernel (or affect only rarely used kernel features), but are potentially > visible in user space, so few distributions will backport those fixes to > their distribution compilers. Can we determine which versions are affected? If there's one known to work we can disable the check for versions prior to that. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev