> From: "Theo de Raadt" <dera...@openbsd.org>
> Date: Tue, 25 Jul 2023 08:23:14 -0600
> 
> Christian Weisgerber <na...@mips.inka.de> wrote:
> 
> > Mark Kettenis:
> > 
> > > This port has some infrastructure to use an optimized function that
> > > uses a function pointer.  Not sure why for arm64 it actually uses that
> > > infrastructure, since the only alternative is the generic C
> > > implementation.  But adding a BTI instruction is the easiest fix.
> > 
> > ok naddy@
> > 
> > The question is whether there are any others hiding in there.  How
> > did you find this in the first place?  It broke on the M2?

Yes, it broke on the M2.  Very few people are actually running
packages on M2, so there may be more packages that are broken.

> > Because amd64 should suffer from the same problem:
> > 
> >                 fr->cpu_opts.the_dct36 = dct36_avx;
> >         ...
> >                 fr->cpu_opts.the_dct36 = dct36_x86_64;
> > 
> > dct36_avx and dct36_x86_64 are assembly routines that lack the
> > endbr64 landing pad.  And yet, on my IBT-enabled amd64 laptop,
> > mpg123 plays just fine with both the avx and x86_64 decoders.
> 
> Maybe it requires specific files to go via those code paths?
> 
> Anyways, how will we know all the locations?  I think we will eventually
> know based upon user reports.
> 
> It feels like there is a compiler or linker option missing to proactively
> identify these problems.  Please don't bring up LTO.

Well, this is probably the wrong place to bring this up, but...

...the most likely reason why this doesn't break is because we enable
retpolines by default.  If you look at the retpoline implementation:

  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html

you'll see that it replaces an indirect branch ("jmp *%rax") with a
sequence that effectively pushes the address to the stack and returns
to that address.  

I'm not sure to what extent this makes IBT less effective.  Can the
retpolines be used as gadgets to bypass IBT?  Should we stop enabling
retpolines by default?

What *is* obvious is that retpolines are incompatible with shadow
stacks.  Is there an alternative that doesn't replace the indirect
branch with a return instruction?

I mentioned the retpolines at some point before but I don't think the
right people saw that, so adding tech@ and guenther@.
