Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 727610

Summary: <sys-devel/clang-11.0.0: Straight Line Speculation mitigation for ARMv8 (CVE-2020-13844)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: llvm, mgorny
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html
Whiteboard: A4 [glsa? cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 727606    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 01:30:16 UTC 
Patches have been submitted by ARM to address the new Straight Line Speculation (SLS) vulnerability.

Patch series: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html

We are (obviously) not expecting maintainers to accept patches before they're accepted upstream, this is just to keep track.

"Please find patches for these mitigations on the below reviews:

1. https://reviews.llvm.org/D81399: [AArch64] Fix branch, terminator, etc properties for BRA* instructions.
2. https://reviews.llvm.org/D81400: [AArch64] Introduce AArch64SLSHardeningPass, which implements the hardening of RET and BR instructions.
3. https://reviews.llvm.org/D81401: [NFC] Refactor ThunkInserter to make it available for all targets.
4. https://reviews.llvm.org/D81402: [AArch64] Extend AArch64SLSHardeningPass to harden BLR instructions.
5. https://reviews.llvm.org/D81403: Work around GlobalISel limitation on Indirect Thunks.
6. https://reviews.llvm.org/D81404: [AArch64] Add clang command line support for -mharden-sls=
7. https://reviews.llvm.org/D81405: [AArch64] Avoid incompatibility between SLSBLR mitigation and BTI codegen, by only using X16 and X17 registers for BLRs."
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 07:34:32 UTC 
FWICS the patches are in master now but not in 10.0.x.  Upstream Bugzilla is broken, so I can't check whether they were requested for backporting already.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-11 17:00:21 UTC 
(In reply to Sam James from comment #0)
> Patches have been submitted by ARM to address the new Straight Line
> Speculation (SLS) vulnerability.
> 
> Patch series: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html
> 
> We are (obviously) not expecting maintainers to accept patches before
> they're accepted upstream, this is just to keep track.
> 
> "Please find patches for these mitigations on the below reviews:
> 
> 1. https://reviews.llvm.org/D81399: [AArch64] Fix branch, terminator, etc
> properties for BRA* instructions.
> 2. https://reviews.llvm.org/D81400: [AArch64] Introduce
> AArch64SLSHardeningPass, which implements the hardening of RET and BR
> instructions.
> 3. https://reviews.llvm.org/D81401: [NFC] Refactor ThunkInserter to make it
> available for all targets.
> 4. https://reviews.llvm.org/D81402: [AArch64] Extend AArch64SLSHardeningPass
> to harden BLR instructions.
> 5. https://reviews.llvm.org/D81403: Work around GlobalISel limitation on
> Indirect Thunks.
> 6. https://reviews.llvm.org/D81404: [AArch64] Add clang command line support
> for -mharden-sls=
> 7. https://reviews.llvm.org/D81405: [AArch64] Avoid incompatibility between
> SLSBLR mitigation and BTI codegen, by only using X16 and X17 registers for
> BLRs."

All of these are in clang-11.0.0 and onward.