Searched hist:abfd092aa19f9c0251e3d5551e2d68a9ebcfec8a (Results 1 – 1 of 1) sorted by relevance
| /optee_os/core/arch/arm/kernel/ |
| H A D | thread_a64.S | abfd092aa19f9c0251e3d5551e2d68a9ebcfec8a Mon Dec 23 15:15:22 UTC 2019 Anthony Steinhauser <asteinhauser@google.com> core: arm64: fix speculative execution past ERET vulnerability
Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).
It was fixed by Linux [1], FreeBSD [2] and OpenBSD [3]. The misbehavior
is demonstrated in [4] and [5].
Link: [1] https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8
Link: [2] https://github.com/freebsd/freebsd/commit/29fb48ace4186a41c409fde52bcf4216e9e50b61
Link: [3] https://github.com/openbsd/src/commit/3a08873ece1cb28ace89fd65e8f3c1375cc98de2
Link: [4] https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc
Link: [5] https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|