Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".

Cary Coutant ccoutant@gmail.com
Sun Jan 7 23:14:00 GMT 2018


> We aren't patching linkers just because we can. ;]

Chandler, if I didn't know you personally, I'd take offense. Hmm,
maybe I took a wee bit of offense, even so. :-) Snark isn't going to
get you anywhere; it's more likely to close minds.

The details of these vulnerabilities are out there now, and your
little circle is much bigger. That means you're now exposed to people
with different experiences and possibly more expertise. Even if you've
already been down certain paths and answered certain questions, you're
going to need to do it again for the rest of us. People on this thread
are asking reasonable questions, and if you want help and cooperation,
those questions deserve serious answers. Together, we may even come up
with better solutions.

In particular, I'd like to know your answer to Alan's question about
the performance implications of deploying slow shared libraries where
not all applications need this mitigation, and the suggestion to just
compile secure apps statically. I'd like to know your answer to HJ's
suggestion to eliminate the PLT altogether (I have an answer to that,
but I'd like to know yours).

I've approved Sri's patch, in the hope that it's a short-term
mitigation strategy that we can retire in a reasonably short period of
time, and I'll be receptive to a follow-on patch that improves the
code sequences as discussed in the LLVM review thread. I really don't
want to get into the business of changing the ABI for this, though.

-cary


