[PATCH 1/2] i386: Generate lfence with load/indirect branch/ret [CVE-2020-0551]
Jan Beulich
jbeulich@suse.com
Thu Apr 23 09:15:20 GMT 2020
On 23.04.2020 10:53, Hongtao Liu wrote:
> On Thu, Apr 23, 2020 at 2:59 PM Jan Beulich <jbeulich@suse.com> wrote:
>>
>> On 23.04.2020 04:53, Hongtao Liu wrote:
>>> On Wed, Apr 22, 2020 at 4:47 PM Jan Beulich <jbeulich@suse.com> wrote:
>>>> On 22.04.2020 05:33, Hongtao Liu wrote:
>>>>> + bfd_boolean has_rexw = i.prefix[REX_PREFIX] & REX_W;
>>>>> + char prefix = 0x0;
>>>>> + /* Default operand size for far return is 32 bits,
>>>>> + 64 bits for near return. */
>>>>> + if (has_rexw)
>>>>> + prefix = 0x48;
>>>>> else
>>>>> + prefix = i.prefix[DATA_PREFIX]
>>>>> + ? 0x66
>>>>> + : !lret && flag_code == CODE_64BIT ? 0x48 : 0x0;
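Review bot: the `0x66` branch in the `else` arm is selected for near returns as well, since the `!lret` test only guards the fallback `0x48`/`0x0` choice; as noted in this thread, Intel CPUs ignore operand size overrides on near RET, and under `flag_code == CODE_64BIT` a near return is always 64-bit, so a near return carrying a `DATA_PREFIX` still ought to yield `0x48` there. Consider testing `lret` before consulting `i.prefix[DATA_PREFIX]`, e.g. `prefix = lret ? (i.prefix[DATA_PREFIX] ? 0x66 : 0x0) : (flag_code == CODE_64BIT ? 0x48 : 0x0);`. Also, the `else` line has lost its leading `+` in the quoted hunk, so the patch as shown would not apply.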
>>>>
>>>> Aiui the workaround is specifically for Intel CPUs. Intel CPUs
>>>> ignore operand size overrides on near RET. (Sorry, I should
>>>> have pointed out this fact earlier already.)
>>>
>>> I don't quite understand your point, could you give a testcase to show that?
>>
>> Please see commit aeab2b26dbea. But of course creating a testcase
>> to try out is pretty easy - just encode RET with a 0x66 prefix
>> and observe the different behavior on Intel vs AMD systems.
>
> operand size for near ret under Cpu64 for Intel CPUs is always 64 bits, right?
Yes.
Jan
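The thread turns on how the operand size of a return instruction is determined: far return defaults to 32 bits, near return in 64-bit mode is always 64 bits, and on Intel CPUs a 0x66 operand size override on near RET is ignored. The small scanner below is an added example written for this page; it is not code from the thread, from Hongtao Liu or Jan Beulich, or from gas. It reads one RET-family encoding (legacy prefixes, an optional REX prefix, then C3/C2/CB/CA) and reports the operand size an Intel CPU would apply under the rules stated in the thread. It assumes only 32-bit and 64-bit code, and that REX.W on a far return selects a 64-bit operand (`lretq`), which is ISA behaviour rather than something the thread states. The sample byte sequences are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper (not gas code): report the operand size an Intel CPU
 * applies to the return address popped by one RET/LRET encoding, following
 * the rules stated in the thread:
 *   - far return defaults to 32 bits (0x66 narrows to 16, REX.W widens to 64);
 *   - near return in 64-bit mode is always 64 bits;
 *   - operand size overrides (0x66) are ignored on near RET.
 * Only 32-bit and 64-bit code is modelled.
 */

enum { RET_INVALID = -1 };

/* Legacy prefix bytes that may precede RET; only 0x66 matters for the size. */
static bool is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x66: case 0x67: case 0xF2: case 0xF3:
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65:
        return true;
    default:
        return false;
    }
}

/* Returns 16, 32 or 64, or RET_INVALID if the bytes are not a RET/LRET encoding. */
int ret_operand_size(const uint8_t *code, size_t len, bool code64)
{
    size_t i = 0;
    bool has_opsize = false, has_rexw = false, far = false;

    /* Collect legacy prefixes (0x66 is the operand size override). */
    while (i < len && is_legacy_prefix(code[i])) {
        if (code[i] == 0x66)
            has_opsize = true;
        i++;
    }
    /* A REX prefix (0x40..0x4F) exists only in 64-bit mode and must sit
       immediately before the opcode; bit 3 is REX.W. */
    if (code64 && i < len && (code[i] & 0xF0) == 0x40) {
        has_rexw = (code[i] & 0x08) != 0;
        i++;
    }
    if (i >= len)
        return RET_INVALID;

    switch (code[i]) {
    case 0xC3: case 0xC2: far = false; break;   /* ret, ret imm16 */
    case 0xCB: case 0xCA: far = true;  break;   /* lret, lret imm16 */
    default: return RET_INVALID;
    }
    /* ret imm16 / lret imm16 carry a 2-byte immediate; reject truncated bytes. */
    if ((code[i] == 0xC2 || code[i] == 0xCA) && len - i < 3)
        return RET_INVALID;

    if (!far)
        return code64 ? 64 : 32;      /* 0x66 ignored on near RET (Intel) */
    if (has_rexw)
        return 64;                    /* REX.W far return pops a 64-bit address */
    return has_opsize ? 16 : 32;      /* far return defaults to 32 bits */
}

/* Constructed sample encodings (not taken from the thread). */
static const uint8_t sample_ret[]         = { 0xC3 };
static const uint8_t sample_ret_66[]      = { 0x66, 0xC3 };  /* the test case Jan describes */
static const uint8_t sample_lret[]        = { 0xCB };
static const uint8_t sample_lret_66[]     = { 0x66, 0xCB };
static const uint8_t sample_lret_rexw[]   = { 0x48, 0xCB };
static const uint8_t sample_ret_imm_bad[] = { 0xC2, 0x08 };  /* truncated ret imm16 */

int main(void)
{
    printf("66 C3, 64-bit mode: %d bits\n", ret_operand_size(sample_ret_66, sizeof sample_ret_66, true));
    printf("66 C3, 32-bit mode: %d bits\n", ret_operand_size(sample_ret_66, sizeof sample_ret_66, false));
    printf("66 CB, 64-bit mode: %d bits\n", ret_operand_size(sample_lret_66, sizeof sample_lret_66, true));
    printf("48 CB, 64-bit mode: %d bits\n", ret_operand_size(sample_lret_rexw, sizeof sample_lret_rexw, true));
    printf("48 CB, 32-bit mode: %d (0x48 is not REX there)\n", ret_operand_size(sample_lret_rexw, sizeof sample_lret_rexw, false));
    return 0;
}
```

The `66 C3` case is the one the thread discusses: on Intel it decodes as a plain 64-bit near return in 64-bit code, which is why selecting `0x66` for the near-return case in the quoted patch achieves nothing on those CPUs. The same bytes with the opcode changed to `CB` do narrow the far return to 16 bits, matching the "default 32 bits for far return" rule.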