Re: [PATCH v2 0/5] Usermode Indirect Branch Tracking

Next message: Ian Rogers: "[PATCH v11 4/5] perf test: Add inject ASLR test"
Previous message: Ian Rogers: "[PATCH v11 3/5] perf inject/aslr: Implement sample address remapping"
In reply to: Richard Patel: "[PATCH v2 3/5] x86: expose user IBT via PR_CFI_BRANCH_LANDING_PADS"
Next in thread: Florian Weimer: "Re: [PATCH v2 0/5] Usermode Indirect Branch Tracking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Peter Zijlstra

Date: Fri Jun 05 2026 - 15:04:56 EST

On Fri, Jun 05, 2026 at 06:47:11PM +0000, Richard Patel wrote:

> The above sequence does not crash.
>
> With IBT, it should crash at the nop (because an endr64 is expected there).
> The IBT state (WAIT_FOR_ENDBR in IA32_U_CET MSR) is not backed up to the
> signal frame though. So, when userland does a sigreturn, the CPU has
> forgotten that it was doing an indirect branch before the signal.
> (This specifically only occurs with signal handlers that sigreturn.)
>
> This is because IA32_U_CET is part of XSAVE 'supervisor' state, so
> regular XSAVE/XRSTOR can't access it. Doing a manual backup is tricky.

WAIT_FOR_ENDBR should be part of the exception frame with FRED, so if
you're on FRED hardware, this should be fixed IIRC.