[PATCH] D41723: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715, "Branch Target Injection", and is one of the two halves to Spectre..
Rafael Avila de Espindola via llvm-commits
llvm-commits at lists.llvm.org
Thu Jan 4 19:27:11 PST 2018
Rafael Avila de Espindola <rafael.espindola at gmail.com> writes:
>> +template <class ELFT> void Retpoline<ELFT>::writePltHeader(uint8_t *Buf) const {
>> + const uint8_t Insn[] = {
>> + 0xff, 0x35, 0, 0, 0, 0, // pushq GOTPLT+8(%rip)
>> + 0x4c, 0x8b, 0x1d, 0, 0, 0, 0, // mov GOTPLT+16(%rip), %r11
>> + 0xe8, 0x0e, 0x00, 0x00, 0x00, // callq next
>> + 0xf3, 0x90, // loop: pause
>> + 0xeb, 0xfc, // jmp loop
>> + 0x0f, 0x1f, 0x44, 0x00, 0x00, // nop
>> + 0x0f, 0x1f, 0x44, 0x00, 0x00, // nop; .align 16
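Review bot: the `callq next` rel32 of 0x0e and the `jmp loop` rel8 of 0xfc are hand-computed from this exact byte layout (after the 18 bytes of pushq/mov/callq, `next` lands at offset 32 and `loop` at offset 18), so swapping the two 5-byte nops for traps of a different length, as suggested, silently moves the call target unless the displacement is recomputed. A comment spelling out those offsets, or a static_assert that sizeof(Insn) is the expected 32, would make the dependency visible; a one-line comment that `pause; jmp loop` is the speculation trap that `callq next` installs as the predicted return target would also help readers who have not read the retpoline write-up.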
>
> The nops are never executed, right? Could we use traps?
>
>> +template <class ELFT>
>> +void Retpoline<ELFT>::writePlt(uint8_t *Buf, uint64_t GotPltEntryAddr,
>> + uint64_t PltEntryAddr, int32_t Index,
>> + unsigned RelOff) const {
>> + const uint8_t Insn[] = {
>> + 0x4c, 0x8b, 0x1d, 0, 0, 0, 0, // mov foo at GOTPLT(%rip), %r11
>> + 0xe8, 0x04, 0x00, 0x00, 0x00, // callq next
>> + 0xf3, 0x90, // loop: pause
>> + 0xeb, 0xfc, // jmp loop; .align 16
>> + 0x4c, 0x89, 0x1c, 0x24, // next: mov %r11, (%rsp)
>> + 0xc3, // ret
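Review bot: the signature takes GotPltEntryAddr, PltEntryAddr, Index and RelOff, but the bytes shown leave the rel32 of the GOTPLT-relative `mov ..., %r11` (bytes 3..6) as zeros, and the visible part of the hunk never writes that displacement or a lazy-binding tail that uses Index/RelOff; if those writes follow below the quoted cut this is fine, otherwise the entry never loads the real GOT slot. The `callq next` rel32 of 0x04 again assumes `pause; jmp loop` is exactly 4 bytes, so the same offset comment or static_assert as in the header applies, and a comment that `mov %r11, (%rsp); ret` overwrites the pushed return address so the `ret` is the actual non-speculative transfer to the GOT target would make the sequence self-explanatory.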
>
> This code sequence (mov + ret) exists in the header. Can't we jump there
> and reduce the size a bit?
I see that these have already been fixed. Thanks and sorry for the
noise.
Cheers,
Rafael