freebsd-skq/contrib
dim eae4eb0a6c Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to
6.0.0 (branches/release_60 r324090).

This introduces retpoline support, with the -mretpoline flag.  The
upstream initial commit message (r323155 by Chandler Carruth) contains
quite a bit of explanation.  Quoting:

  Introduce the "retpoline" x86 mitigation technique for variant #2 of
  the speculative execution vulnerabilities disclosed today,
  specifically identified by CVE-2017-5715, "Branch Target Injection",
  and is one of the two halves to Spectre.

  Summary:
  First, we need to explain the core of the vulnerability. Note that
  this is a very incomplete description, please see the Project Zero
  blog post for details:
  https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

  The basis for branch target injection is to direct speculative
  execution of the processor to some "gadget" of executable code by
  poisoning the prediction of indirect branches with the address of
  that gadget. The gadget in turn contains an operation that provides a
  side channel for reading data. Most commonly, this will look like a
  load of secret data followed by a branch on the loaded value and then
  a load of some predictable cache line. The attacker then uses timing
  of the processors cache to determine which direction the branch took
  *in the speculative execution*, and in turn what one bit of the
  loaded value was. Due to the nature of these timing side channels and
  the branch predictor on Intel processors, this allows an attacker to
  leak data only accessible to a privileged domain (like the kernel)
  back into an unprivileged domain.

  The goal is simple: avoid generating code which contains an indirect
  branch that could have its prediction poisoned by an attacker. In
  many cases, the compiler can simply use directed conditional branches
  and a small search tree. LLVM already has support for lowering
  switches in this way and the first step of this patch is to disable
  jump-table lowering of switches and introduce a pass to rewrite
  explicit indirectbr sequences into a switch over integers.

  However, there is no fully general alternative to indirect calls. We
  introduce a new construct we call a "retpoline" to implement indirect
  calls in a non-speculatable way. It can be thought of loosely as a
  trampoline for indirect calls which uses the RET instruction on x86.
  Further, we arrange for a specific call->ret sequence which ensures
  the processor predicts the return to go to a controlled, known
  location. The retpoline then "smashes" the return address pushed onto
  the stack by the call with the desired target of the original
  indirect call. The result is a predicted return to the next
  instruction after a call (which can be used to trap speculative
  execution within an infinite loop) and an actual indirect branch to
  an arbitrary address.

  On 64-bit x86 ABIs, this is especially easily done in the compiler by
  using a guaranteed scratch register to pass the target into this
  device.  For 32-bit ABIs there isn't a guaranteed scratch register
  and so several different retpoline variants are introduced to use a
  scratch register if one is available in the calling convention and to
  otherwise use direct stack push/pop sequences to pass the target
  address.

  This "retpoline" mitigation is fully described in the following blog
  post: https://support.google.com/faqs/answer/7625886

  We also support a target feature that disables emission of the
  retpoline thunk by the compiler to allow for custom thunks if users
  want them.  These are particularly useful in environments like
  kernels that routinely do hot-patching on boot and want to hot-patch
  their thunk to different code sequences. They can write this custom
  thunk and use `-mretpoline-external-thunk` *in addition* to
  `-mretpoline`. In this case, on x86-64 thu thunk names must be:
  ```
    __llvm_external_retpoline_r11
  ```
  or on 32-bit:
  ```
    __llvm_external_retpoline_eax
    __llvm_external_retpoline_ecx
    __llvm_external_retpoline_edx
    __llvm_external_retpoline_push
  ```
  And the target of the retpoline is passed in the named register, or in
  the case of the `push` suffix on the top of the stack via a `pushl`
  instruction.

  There is one other important source of indirect branches in x86 ELF
  binaries: the PLT. These patches also include support for LLD to
  generate PLT entries that perform a retpoline-style indirection.

  The only other indirect branches remaining that we are aware of are
  from precompiled runtimes (such as crt0.o and similar). The ones we
  have found are not really attackable, and so we have not focused on
  them here, but eventually these runtimes should also be replicated for
  retpoline-ed configurations for completeness.

  For kernels or other freestanding or fully static executables, the
  compiler switch `-mretpoline` is sufficient to fully mitigate this
  particular attack. For dynamic executables, you must compile *all*
  libraries with `-mretpoline` and additionally link the dynamic
  executable and all shared libraries with LLD and pass `-z
  retpolineplt` (or use similar functionality from some other linker).
  We strongly recommend also using `-z now` as non-lazy binding allows
  the retpoline-mitigated PLT to be substantially smaller.

  When manually apply similar transformations to `-mretpoline` to the
  Linux kernel we observed very small performance hits to applications
  running typic al workloads, and relatively minor hits (approximately
  2%) even for extremely syscall-heavy applications. This is largely
  due to the small number of indirect branches that occur in
  performance sensitive paths of the kernel.

  When using these patches on statically linked applications,
  especially C++ applications, you should expect to see a much more
  dramatic performance hit. For microbenchmarks that are switch,
  indirect-, or virtual-call heavy we have seen overheads ranging from
  10% to 50%.

  However, real-world workloads exhibit substantially lower performance
  impact. Notably, techniques such as PGO and ThinLTO dramatically
  reduce the impact of hot indirect calls (by speculatively promoting
  them to direct calls) and allow optimized search trees to be used to
  lower switches. If you need to deploy these techniques in C++
  applications, we *strongly* recommend that you ensure all hot call
  targets are statically linked (avoiding PLT indirection) and use both
  PGO and ThinLTO. Well tuned servers using all of these techniques saw
  5% - 10% overhead from the use of retpoline.

  We will add detailed documentation covering these components in
  subsequent patches, but wanted to make the core functionality
  available as soon as possible. Happy for more code review, but we'd
  really like to get these patches landed and backported ASAP for
  obvious reasons. We're planning to backport this to both 6.0 and 5.0
  release streams and get a 5.0 release with just this cherry picked
  ASAP for distros and vendors.

  This patch is the work of a number of people over the past month:
  Eric, Reid, Rui, and myself. I'm mailing it out as a single commit
  due to the time sensitive nature of landing this and the need to
  backport it. Huge thanks to everyone who helped out here, and
  everyone at Intel who helped out in discussions about how to craft
  this. Also, credit goes to Paul Turner (at Google, but not an LLVM
  contributor) for much of the underlying retpoline design.

  Reviewers: echristo, rnk, ruiu, craig.topper, DavidKreitzer

  Subscribers: sanjoy, emaste, mcrosier, mgorny, mehdi_amini, hiraditya, llvm-commits

  Differential Revision: https://reviews.llvm.org/D41723

MFC after:	3 months
X-MFC-With:	r327952
PR:		224669
2018-02-02 22:28:12 +00:00
..
amd
apr
apr-util
atf atf-sh(3): document atf_init_test_cases(3) fully 2017-06-30 05:49:12 +00:00
binutils Merge ^/head r327150 through r327164. 2017-12-24 16:53:55 +00:00
blacklist Extend libblacklist support with new action types 2017-05-23 19:03:07 +00:00
bmake Update to bmake-20171028 2017-11-02 20:08:00 +00:00
bsnmp Rename "index" variable to "idx" since gcc complains that it shadows 2018-01-19 20:33:47 +00:00
byacc MFV: r319352 2017-05-31 19:37:23 +00:00
bzip2
com_err
compiler-rt Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 2018-02-01 21:41:15 +00:00
cortex-strings Work around a bug in QEMU when loading data with a load pair instruction 2017-08-26 15:08:27 +00:00
dialog
diff
dma Split body of mails not respecting RFC2822 2017-12-06 22:08:35 +00:00
dtc
ee
elftoolchain elfcopy: copy raw (untranslated) contents to binary output 2018-01-02 14:07:55 +00:00
expat
file MFV r323678: file 5.32 2017-09-17 19:14:38 +00:00
flex
gcc Revert r280909 "unwind-d2 build workaround for arm64" 2018-01-12 20:03:24 +00:00
gcclibs
gdb
gdtoa
gperf
hyperv/tools hyperv: Add VF bringup scripts and devd rules. 2017-07-31 07:18:15 +00:00
ipfilter loadpoolfile() implements a -R (NORESOLVE) option which is not listed 2017-08-05 06:46:06 +00:00
jemalloc Account for the fact that jemalloc 5.0.0 dropped STATIC_PAGE_SHIFT 2018-01-31 21:56:23 +00:00
ldns
ldns-host
less less(1): diff reduction vs upstream 2017-12-12 17:34:35 +00:00
libarchive MFV r328323,328324: 2018-01-24 14:24:17 +00:00
libbegemot
libc-pwcache
libc-vis Update vis(3) the latest from NetBSD. 2017-11-28 01:35:28 +00:00
libc++ Pull in r321963 from upstream libc++ trunk (by me): 2018-01-07 18:33:19 +00:00
libcxxrt
libdivsufsort
libexecinfo
libgnuregex
libpcap Clear clang warning: 2017-07-03 19:49:25 +00:00
libreadline
libstdc++
libucl
libxo Update from libxo-0.8.1 to 0.8.4: 2017-08-03 15:47:42 +00:00
llvm Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 2018-02-02 22:28:12 +00:00
lua Gross hack to omit printing hex floating point when the lua number 2018-01-26 17:56:20 +00:00
mdocml mdoc(7): Update .Dd for previous commit 2017-12-05 23:06:15 +00:00
mknod
mtree
ncurses
netbsd-tests Update limits on makecontext() arguments in the setcontext_link test. 2018-01-31 18:03:40 +00:00
netcat
ngatm
ntp
nvi
ofed ofed: Define barriers for mips and arm. 2017-12-11 11:59:45 +00:00
one-true-awk Don't display empty error context. 2017-09-24 05:04:06 +00:00
openbsm Commit the 64-bit inode project. 2017-05-23 09:29:05 +00:00
openpam
openresolv
opie Revert r328492: 2018-01-28 03:16:54 +00:00
pam_modules/pam_passwdqc
pf
pjdfstest Pull down pjdfstest 0.1 2017-06-28 09:22:45 +00:00
pnpinfo
sendmail
serf
smbfs Fix SMBFS when saved passwords are greater than 18 characters 2017-06-08 00:48:26 +00:00
sqlite3 Update from sqlite3-3.14.1 to sqlite3-3.20.0. This is a private lib. 2017-08-11 00:00:01 +00:00
subversion Add Pull Request to the Subversion commit template 2018-01-09 21:02:39 +00:00
tcp_wrappers remove bogus declaration of malloc from tcp_wrappers 2017-06-20 16:40:31 +00:00
tcpdump Update tcpdump to 4.9.2 2017-12-06 02:21:11 +00:00
tcsh
telnet Fix memory leak in edithost 2017-06-01 19:21:30 +00:00
tnftp ftp(1): Use closefrom() instead of individual close()s. 2018-01-29 01:05:57 +00:00
top top: use __mips__ and __NetBSD__ for consistency 2017-08-23 17:56:55 +00:00
traceroute When using SCTP for sending probe packets, use INIT chunks for payloads 2018-01-27 19:23:42 +00:00
tzcode
tzdata Import tzdata 2018c 2018-01-24 06:48:42 +00:00
unbound Merge upstream r4302 to support multiple concurrently valid anchors. 2017-08-31 12:02:14 +00:00
unvis
vis
wpa Update wpa_supplicant/hostapd for 2017-01 vulnerability release. 2017-10-17 17:22:36 +00:00
xz Merge ^/head r319480 through r319547. 2017-06-03 18:21:50 +00:00
zlib MFV: r323381 2017-09-10 01:25:15 +00:00