On 05.08.2022 12:38, Andrew Cooper wrote:
> There is a corner case where a VT-x guest which manages to reliably trigger
> non-fatal #MC's could evade the rogue RSB speculation protections that were
> supposed to be in place.
>
> This is a lack of defence in depth; Xen does not architecturally execute more
> RET than CALL instructions, so an attacker would have to locate a different
> gadget (e.g. SpectreRSB) first to execute a transient path of excess RET
> instructions.
>
> Signed-off-by: Andrew Cooper <[email protected]>

Reviewed-by: Jan Beulich <[email protected]>
