[PATCH 1/2] i386: Generate lfence with load/indirect branch/ret [CVE-2020-0551]

Jan Beulich jbeulich@suse.com
Thu Mar 26 09:12:25 GMT 2020


On 26.03.2020 03:23, Hongtao Liu wrote:
> On Wed, Mar 25, 2020 at 6:03 PM Jan Beulich <jbeulich@suse.com> wrote:
>> On 25.03.2020 10:27, Hongtao Liu wrote:
>>> On Thu, Mar 12, 2020 at 12:17 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>>>> On Wed, Mar 11, 2020 at 3:55 AM Jan Beulich <jbeulich@suse.com> wrote:
>>>>> On 10.03.2020 17:05, H.J. Lu wrote:
>>>>>> +  if (lfence_before_ret != lfence_before_ret_none
>>>>>> +      && (i.tm.base_opcode == 0xc2
>>>>>> +       || i.tm.base_opcode == 0xc3
>>>>>> +       || i.tm.base_opcode == 0xca
>>>>>> +       || i.tm.base_opcode == 0xcb))
>>>>>> +    {
>>>>>> +      if (last_insn.kind != last_insn_other
>>>>>> +       && last_insn.seg == now_seg)
>>>>>> +     {
>>>>>> +       as_warn_where (last_insn.file, last_insn.line,
>>>>>> +                      _("`%s` skips -mlfence-before-ret on `%s`"),
>>>>>> +                      last_insn.name, i.tm.name);
>>>>>> +       return;
>>>>>> +     }
>>>>>> +      if (lfence_before_ret == lfence_before_ret_or)
>>>>>> +     {
>>>>>> +       /* orl: 0x830c2400.  */
>>>>>> +       p = frag_more ((flag_code == CODE_64BIT ? 1 : 0) + 4 + 3);
>>>>>> +       if (flag_code == CODE_64BIT)
>>>>>> +         *p++ = 0x48;
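Review bot: the REX.W prefix at `*p++ = 0x48;` is selected from `flag_code` alone, so the inserted OR is always 64-bit in 64-bit code and always 32-bit elsewhere, independent of the operand size of the RET being processed; a `ret` carrying a 0x66 prefix pops only two bytes, and in 16-bit code an `(%esp)`-based OR additionally needs a 0x67 address-size prefix. The `frag_more ((flag_code == CODE_64BIT ? 1 : 0) + 4 + 3)` length has the same assumption baked in. Suggest deriving the prefix bytes (0x66/0x67/REX.W) from the RET's own operand size and sizing the frag from the bytes actually emitted. Also worth documenting for the option that when `last_insn.kind != last_insn_other` the code warns and returns without emitting anything, so that RET ends up without the mitigation rather than the assembly failing.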
>>>>>
>>>>> Shouldn't this depend on RET's operand size? Likewise wouldn't you
>>>>> also need to insert 0x66/0x67 in certain cases?
>>>>
>>>> Hongtao, can you look into it?
>>>
>>> I suppose you mean OR's operand size?
>>
>> Not exactly - I mean RET's operand size ought to affect the one
>> chosen for OR.
>>
>> Jan
> 
>>> I wonder whether this shouldn't also enable a safe lfence_before_ret
>>> mode (i.e. not the OR one), for RET also being an indirect branch. Of
>>> course care would need to be taken to avoid clobbering an already set
>>> lfence_before_ret mode.
> 
> Also for this part, maybe I'll add some comments to indicate that
> -mlfence-before-indirect-branch doesn't include ret. Or else it would
> be weird for the user when a clobber happens. Is it ok for you?

Well, extending the description / comments to be more precise is one
solution, but only the 2nd best one. I continue to think that there
had better be an implication like the one suggested.

Jan
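The operand-size question raised in the thread, worked through as an added example that is not binutils code and not part of the original message: the `or $0, (%sp)` + `lfence` sequence that `-mlfence-before-ret=or` inserts, with the OR's prefixes chosen from the RET being assembled instead of from the code mode alone. The function names, the `code_bits`/`ret_operand_size` parameters and the `encoding_in_patch` helper (which reproduces only what the quoted hunk hard-codes) are assumptions made for this example; the prefix rules themselves (0x66 toggles between 16- and 32-bit operand size, REX.W 0x48 selects 64-bit, 16-bit addressing has no SP-based form so `(%esp)` needs 0x67) are x86 encoding facts.

```python
# Added example, not binutils code: encode the OR + LFENCE pair inserted
# before a near RET, sizing the OR to match the return address the RET pops.

LFENCE = bytes([0x0F, 0xAE, 0xE8])
# or $0, (%esp)/(%rsp): opcode 0x83 /1, ModRM 0x0c (mod=00, reg=1, rm=100 -> SIB),
# SIB 0x24 (base=esp, no index), imm8 0. The "orl: 0x830c2400" comment in the hunk
# is this sequence.
OR_ZERO_AT_SP = bytes([0x83, 0x0C, 0x24, 0x00])


def lfence_before_ret_or(code_bits: int, ret_operand_size: int) -> bytes:
    """Bytes to emit before a near RET in 16/32/64-bit code (code_bits)
    whose operand size is ret_operand_size (16, 32 or 64).

    The OR must clobber exactly the slot the RET will pop, so its operand
    size follows the RET, not the default for the code mode.  Parameter
    names and the helper itself are assumptions of this example.
    """
    if code_bits not in (16, 32, 64):
        raise ValueError("code_bits must be 16, 32 or 64")
    if ret_operand_size not in (16, 32, 64):
        raise ValueError("ret_operand_size must be 16, 32 or 64")

    default_opsize = 16 if code_bits == 16 else 32
    prefix = bytearray()
    rex_w = False

    if ret_operand_size == 64:
        if code_bits != 64:
            raise ValueError("64-bit operand size requires 64-bit code")
        rex_w = True
    else:
        if code_bits == 64 and ret_operand_size == 32:
            # Near RET defaults to 64-bit operand size in long mode; 0x66 gives 16.
            raise ValueError("near RET has no 32-bit operand-size form in 64-bit code")
        if ret_operand_size != default_opsize:
            prefix.append(0x66)          # flip 16 <-> 32 operand size

    if code_bits == 16:
        prefix.append(0x67)              # 16-bit ModRM has no [sp] form: address as [esp]

    if rex_w:
        prefix.append(0x48)              # REX.W comes last, right before the opcode

    return bytes(prefix) + OR_ZERO_AT_SP + LFENCE


def encoding_in_patch(code_64bit: bool) -> bytes:
    """What the quoted hunk emits: REX.W only when flag_code == CODE_64BIT,
    then the fixed 4-byte OR and 3-byte LFENCE, regardless of the RET."""
    return (b"\x48" if code_64bit else b"") + OR_ZERO_AT_SP + LFENCE


def ret_slots_mismatching_patch(code_bits: int) -> list:
    """RET operand sizes for which the patch's fixed encoding differs from the
    operand-size-aware one (the cases the review asks about)."""
    out = []
    for size in (16, 32, 64):
        try:
            correct = lfence_before_ret_or(code_bits, size)
        except ValueError:
            continue
        if correct != encoding_in_patch(code_bits == 64):
            out.append(size)
    return out


if __name__ == "__main__":
    for bits in (16, 32, 64):
        print(f"{bits}-bit code: patch diverges for RET operand sizes",
              ret_slots_mismatching_patch(bits))
```

In 64-bit code the hard-coded `0x48` is right only for the default 64-bit `ret`; a `ret` with a 0x66 prefix needs a 16-bit OR, and in 16-bit code the sequence cannot be emitted at all without the 0x67 address-size prefix.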
