APPLIED: [PULL Jammy] LP: #1967579
Andrea Righi
andrea.righi at canonical.com
Tue Apr 5 15:35:41 UTC 2022
On Mon, Apr 04, 2022 at 10:48:57AM -0300, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
>
> Branch History Injection is made easier when all indirect calls are funneled
> through very few points where the retpolines were. By replacing the retpoline
> jumps by indirect calls whenever retpolines are disabled, BHI attacks are more
> difficult to execute as the BTB is not as fixed as before.
>
> [Fixes]
>
> The fixes here allow the kernel to rewrite the retpoline calls to indirect
> calls when retpolines are off and to precede those with an lfence when
> retpoline,lfence is the mitigation of choice. BPF JITed programs will also
> respect the chosen mitigation.
>
> [Test]
> It was verified that a retpoline call was replaced with the lfence + indirect
> call when spectre_v2=retpoline,lfence was used.
>
> [Potential regressions]
> Indirect calls might be broken or vulnerable to speculative execution attacks.
Applied to jammy/linux.
Thanks,
-Andrea
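As an added example, not part of this mail or of the kernel patches it refers to: the [Test] section above verifies the chosen mitigation by inspecting the rewritten call site. A lighter check an administrator can run after the update is to compare what the kernel was asked for on its command line (spectre_v2=) with what it reports in sysfs. The script below does that in POSIX sh. The sysfs strings it matches follow the kernel's spectre_v2 reporting format; the assumption that retpoline,lfence is reported as "Mitigation: LFENCE" (or "Vulnerable: LFENCE" on kernels that downgraded that label) is mine, and the sample sysfs lines and command lines embedded in the script are constructed, not captured from the jammy kernel.

```shell
#!/bin/sh
# Added example: compare the requested spectre_v2= option with the
# mitigation the kernel reports. Not from the mailing-list post.

# classify_spectre_v2 <sysfs spectre_v2 line>
# Reduce the kernel's free-form report to one class:
# retpoline, lfence, eibrs, vulnerable, notaffected, unknown.
classify_spectre_v2() {
    case "$1" in
        "Mitigation: Retpolines"*)                     echo retpoline ;;
        # Assumption: retpoline,lfence is reported this way; newer kernels
        # relabel it "Vulnerable: LFENCE" but it is the same mode.
        "Mitigation: LFENCE"* | "Vulnerable: LFENCE"*) echo lfence ;;
        "Mitigation: Enhanced IBRS"*)                  echo eibrs ;;
        "Not affected"*)                               echo notaffected ;;
        "Vulnerable"*)                                 echo vulnerable ;;
        *)                                             echo unknown ;;
    esac
}

# requested_spectre_v2 <kernel command line>
# Print the value of the last spectre_v2= option (the kernel honours the
# last one given), or "auto" when the option is absent.
requested_spectre_v2() {
    value=auto
    for word in $1; do
        case "$word" in
            spectre_v2=*) value="${word#spectre_v2=}" ;;
        esac
    done
    echo "$value"
}

# check_spectre_v2 <kernel command line> <sysfs spectre_v2 line>
# Return 0 when the reported mitigation matches the requested one,
# 1 when it does not (or the request is not recognised).
check_spectre_v2() {
    requested=$(requested_spectre_v2 "$1")
    reported=$(classify_spectre_v2 "$2")
    case "$requested" in
        retpoline | retpoline,generic)  expected=retpoline ;;
        retpoline,lfence | retpoline,amd) expected=lfence ;;
        eibrs | eibrs,retpoline | eibrs,lfence) expected=eibrs ;;
        off)                            expected=vulnerable ;;
        auto | on)                      return 0 ;;  # kernel chooses; nothing to compare
        *)                              return 1 ;;
    esac
    [ "$reported" = "$expected" ]
}

# Constructed sample inputs, as an administrator might see them.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro spectre_v2=retpoline,lfence quiet'
SAMPLE_SYSFS='Mitigation: LFENCE'

if check_spectre_v2 "$SAMPLE_CMDLINE" "$SAMPLE_SYSFS"; then
    echo "sample: reported mitigation matches request"
else
    echo "sample: reported mitigation does NOT match request"
fi

# Live check, only when the real files are readable on this machine.
SYSFS_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$SYSFS_FILE" ] && [ -r /proc/cmdline ]; then
    live_sysfs=$(cat "$SYSFS_FILE")
    live_cmdline=$(cat /proc/cmdline)
    echo "live: requested=$(requested_spectre_v2 "$live_cmdline") reported=$(classify_spectre_v2 "$live_sysfs")"
fi
```

A mismatch is only a prompt to look closer: with spectre_v2=auto the kernel picks the mitigation itself, and a hypervisor or microcode state can change what is reported, so read the full sysfs line before concluding the option was ignored.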