CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/03/11 01:27:08
Modified files:
sys/arch/amd64/include: codepatch.h
Log message:
Take a swing at blocking Load-Value-Injection attacks against the
kernel by using lfence in place of stac/clac on pre-SMAP CPUs.
To quote from
https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection
"If the OS makes use of Supervisor Mode Access Prevention (SMAP)
on processors with SMAP enabled, then LVI on kernel load from
user pages will be mitigated. This is because the CLAC and STAC
instructions have LFENCE semantics on processors affected by LVI,
and this serves as a speculation fence around kernel loads from
user pages."
ok deraadt@
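
The following user-space model illustrates the approach in the log message above. It is an added example, not OpenBSD's codepatch.h or kernel code. The `site`/`tag` names, the byte buffer and the sample instruction stream are constructed for illustration; only the instruction encodings are real. It shows why the swap is possible in place (stac, clac and lfence are all 3 bytes) and includes a check that no user-access site is left without a fence.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Real x86 encodings; all 3 bytes, so they can overwrite each other in place. */
static const uint8_t STAC[3]   = {0x0f, 0x01, 0xcb};
static const uint8_t CLAC[3]   = {0x0f, 0x01, 0xca};
static const uint8_t LFENCE[3] = {0x0f, 0xae, 0xe8};

enum tag { TAG_STAC, TAG_CLAC };            /* hypothetical tag names */
struct site { size_t off; enum tag tag; };  /* hypothetical patch-site record */

/* Model of the patch step: SMAP CPUs get stac/clac, pre-SMAP CPUs get lfence. */
static void patch_sites(uint8_t *text, const struct site *s, size_t n, int has_smap)
{
    for (size_t i = 0; i < n; i++) {
        const uint8_t *insn = LFENCE;
        if (has_smap)
            insn = (s[i].tag == TAG_STAC) ? STAC : CLAC;
        memcpy(text + s[i].off, insn, 3);
    }
}

/* Count sites that hold none of the fencing instructions (e.g. a plain nop). */
static size_t unfenced_sites(const uint8_t *text, const struct site *s, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = text + s[i].off;
        if (memcmp(p, STAC, 3) && memcmp(p, CLAC, 3) && memcmp(p, LFENCE, 3))
            bad++;
    }
    return bad;
}

/* Constructed sample: 3-byte nop, mov (%rdi),%rax, 3-byte nop, ret. */
static const uint8_t SAMPLE[] = {0x0f,0x1f,0x00, 0x48,0x8b,0x07, 0x0f,0x1f,0x00, 0xc3};
static const struct site SITES[] = {{0, TAG_STAC}, {6, TAG_CLAC}};

/* Patch a copy of SAMPLE and return how many sites remain unfenced. */
static size_t demo(int has_smap, uint8_t out[sizeof SAMPLE])
{
    memcpy(out, SAMPLE, sizeof SAMPLE);
    patch_sites(out, SITES, 2, has_smap);
    return unfenced_sites(out, SITES, 2);
}

int main(void) { uint8_t b[sizeof SAMPLE]; return (int)(demo(0, b) + demo(1, b)); }
```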