From: Andi Kleen
> Sent: 08 January 2018 20:16
>
> [This is on top of David's retpoline branch, as of 08-01 this morning]
>
> This patch further hardens retpoline
>
> CPUs have return buffers which store the return address for
> RET to predict function returns. Some CPUs (Skylake, some Broadwells)
> can fall back to indirect branch prediction on return buffer underflow.
>
> With retpoline we want to avoid uncontrolled indirect branches,
> which could be poisoned by ring 3, so we need to avoid uncontrolled
> return buffer underflows in the kernel.
>
> This can happen when we're context switching from a shallower to a
> deeper kernel stack. The deeper kernel stack would eventually underflow
> the return buffer, which again would fall back to the indirect branch
> predictor.
...
Is that really a usable attack vector? Isn't it actually more likely to leak kernel addresses to userspace in the return stack buffer - which might be usable to get around KASLR.

David
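The shallow-to-deep context-switch case from the quoted patch description, as an added worked model that is not code from the patch, the thread, or the kernel: a fixed-depth return stack buffer in C that pushes on CALL, pops on RET, drops its oldest entry when full, and counts a RET against an empty buffer as an underflow (the fallback to indirect prediction the description attributes to Skylake and some Broadwells). The 16-entry depth, the 0xA000/0xB000 return addresses and the 0xDEAD "capture" target pushed by the fill are assumptions of the model, not measured CPU behaviour; the fill itself is modelled as 16 dummy CALLs whose targets are never returned to, which is the shape of the stuffing sequence the patch series relies on.

```c
/*
 * Added example (not from the patch or the thread): a software model of a
 * return stack buffer (RSB) to show why returning through a deep kernel
 * stack after a context switch from a shallow task underflows the buffer,
 * and what a 16-entry RSB fill on the switch changes. All depths and
 * addresses below are assumed values for the model.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSB_ENTRIES  16           /* assumed RSB depth */
#define CAPTURE_ADDR 0xDEADULL    /* assumed target pushed by the fill */

struct rsb {
    uint64_t entry[RSB_ENTRIES];
    unsigned top;                 /* number of valid entries, 0..RSB_ENTRIES */
};

struct rsb_stats {
    unsigned hits;        /* RET predicted from the RSB with the right target */
    unsigned mispredicts; /* RET predicted from the RSB with a stale target */
    unsigned underflows;  /* RET with an empty RSB: falls back to the BTB */
};

/* CALL pushes a return address; a full buffer drops its oldest entry. */
static void rsb_call(struct rsb *r, uint64_t ret_addr)
{
    if (r->top == RSB_ENTRIES) {
        memmove(&r->entry[0], &r->entry[1],
                (RSB_ENTRIES - 1) * sizeof(r->entry[0]));
        r->top = RSB_ENTRIES - 1;
    }
    r->entry[r->top++] = ret_addr;
}

/* RET pops a prediction and compares it with the real return target. */
static void rsb_ret(struct rsb *r, uint64_t actual, struct rsb_stats *st)
{
    if (r->top == 0) {
        st->underflows++;         /* affected CPUs now use indirect prediction */
        return;
    }
    if (r->entry[--r->top] == actual)
        st->hits++;
    else
        st->mispredicts++;
}

/* The fill: RSB_ENTRIES dummy CALLs whose targets are never returned to, so
 * later RETs predict the controlled capture address instead of underflowing. */
static void rsb_fill(struct rsb *r)
{
    for (unsigned i = 0; i < RSB_ENTRIES; i++)
        rsb_call(r, CAPTURE_ADDR);
}

/*
 * Task B is preempted with b_depth frames on its kernel stack. Task A then
 * runs, reaching a_max_depth calls deep and returning back up to a_depth
 * before it is switched out (shallow stack). B resumes, optionally after an
 * RSB fill, and unwinds its b_depth frames. Returns what B's RETs saw.
 */
struct rsb_stats switch_and_unwind(unsigned b_depth, unsigned a_max_depth,
                                   unsigned a_depth, int fill)
{
    struct rsb r;
    struct rsb_stats st = { 0, 0, 0 }, scratch = { 0, 0, 0 };
    unsigned i;

    memset(&r, 0, sizeof(r));

    for (i = 0; i < b_depth; i++)            /* B's calls before preemption */
        rsb_call(&r, 0xB000ULL + i);
    for (i = 0; i < a_max_depth; i++)        /* A's activity churns the RSB */
        rsb_call(&r, 0xA000ULL + i);
    for (i = a_max_depth; i > a_depth; i--)  /* A returns to its shallow depth */
        rsb_ret(&r, 0xA000ULL + (i - 1), &scratch);
    if (fill)
        rsb_fill(&r);                        /* done on the context switch */
    for (i = b_depth; i > 0; i--)            /* B unwinds its deeper stack */
        rsb_ret(&r, 0xB000ULL + (i - 1), &st);
    return st;
}

int main(void)
{
    struct rsb_stats s;

    s = switch_and_unwind(12, 16, 4, 0);
    printf("no fill, A left 4 entries, B returns 12: %u stale, %u underflows\n",
           s.mispredicts, s.underflows);
    s = switch_and_unwind(12, 16, 4, 1);
    printf("fill,    A left 4 entries, B returns 12: %u stale, %u underflows\n",
           s.mispredicts, s.underflows);
    s = switch_and_unwind(20, 16, 4, 1);
    printf("fill,    A left 4 entries, B returns 20: %u stale, %u underflows\n",
           s.mispredicts, s.underflows);
    return 0;
}
```

Without the fill, B's first four returns consume A's stale entries and the remaining eight underflow into the indirect predictor; with the fill, every return of B is predicted to the capture address instead, and underflow only reappears once B's stack is deeper than the buffer (the 20-frame case). The model does not cover pre-Skylake parts, where an empty RSB wraps to stale entries rather than falling back to the BTB.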