[PATCH] D41723: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715, "Branch Target Injection", and is one of the two halves to Spectre..

Chandler Carruth via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu Jan 4 09:19:10 PST 2018

chandlerc added a comment.

Comment for Rui about the 32-bit PLT sequence...

Comment at: lld/ELF/Arch/X86.cpp:491
+      0x83, 0xc4, 0x04,             // next: add $4, %esp
+      0x87, 0x04, 0x24,             //   xchg %eax, (%esp)
+      0xc3,                         //   ret
Does it make sense to use something like the `pushl` sequence Reid came up with here? In the non-PLT case it looks like:

  addl $4, %esp
  pushl 4(%esp)
  pushl 4(%esp)
  popl 8(%esp)
  popl (%esp)

So it would potentially need to be done a touch differently to work here, but maybe something like that rather than `xchg`?

Even if the alternative is a lot more instructions, the `xchg` instruction is a locked instruction on x86 and so this will actually create synchronization overhead on the cache line of the top of the stack.


More information about the llvm-commits mailing list