IBT enforces that indirect branch targets land on an endbr instruction. The CPU enforces this by setting the 'WAIT_FOR_ENDBR' bit after executing an indirect branch/jump.
The only relevant edge case with user IBT is signal handling: When entering/leaving a signal handler, the WAIT_FOR_ENDBR bit must be backed up/restored. IBT is not implemented for 32-bit and cannot be enabled using a 32-bit syscall. However, a 64-bit thread could far jump into 32-bit. Therefore, 32-bit sigreturn must be banned until IBT supports that environment. Signed-off-by: Richard Patel <[email protected]> Based-on-patch-by: Yu-cheng Yu <[email protected]> Link: https://lwn.net/ml/linux-kernel/[email protected]/ --- arch/x86/kernel/signal_32.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index e55cf19e68fe..7cb76d794366 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -143,6 +143,11 @@ static bool ia32_restore_sigcontext(struct pt_regs *regs, regs->ds = fixup_rpl(sc.ds); #endif +#ifdef CONFIG_X86_USER_IBT + if (current->thread.ibt) + return false; +#endif + return fpu__restore_sig(compat_ptr(sc.fpstate), 1); } -- 2.47.3
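Review bot: the new `if (current->thread.ibt) return false;` in ia32_restore_sigcontext() is placed after the segment registers have already been written into `regs` (the hunk context shows `regs->ds = fixup_rpl(sc.ds);` immediately before it), so a rejected 32-bit sigreturn still leaves pt_regs partially overwritten by user-supplied sigcontext before the caller takes the bad-frame path. Consider moving the check to the top of the function, before any field of `sc` is copied into `regs`, or into the sys32_sigreturn()/sys32_rt_sigreturn() callers ahead of the restore. A short comment next to the check would also help: the rationale from the commit message (IBT has no 32-bit support, but a 64-bit IBT-enabled thread can far-jump into 32-bit mode, so 32-bit sigreturn is refused) is not visible to a reader of the code, and a bare `return false` there reads like an error path rather than a deliberate policy. Finally, the change covers only the restore side; the commit message says nothing about how signal delivery into a 32-bit frame for an IBT-enabled thread is handled, so it is worth stating whether that is rejected elsewhere or still reachable.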

