From: David Woodhouse > Sent: 14 January 2018 17:04 > x86/retpoline: Fill RSB on context switch for affected CPUs > > On context switch from a shallow call stack to a deeper one, as the CPU > does 'ret' up the deeper side it may encounter RSB entries (predictions for > where the 'ret' goes to) which were populated in userspace. > > This is problematic if neither SMEP nor KPTI (the latter of which marks > userspace pages as NX for the kernel) are active, as malicious code in > userspace may then be executed speculatively. ...
Do we have a guarantee that all cpu actually detect the related RSB underflow? It wouldn't surprise me if at least some cpu just let it wrap. This would means that userspace would see return predictions based on the values the kernel 'stuffed' into the RSB to fill it. Potentially this leaks a kernel address to userspace. David