"Retbleed" Published As Arbitrary Speculative Execution With Return Instructions
In particular, Retbleed defeats the existing retpoline ("return trampoline") defense. When retpolines were devised just four years ago, the belief was that return instructions were not susceptible to branch target injection (BTI) attacks, or at least that attacking them was impractical. Retbleed now proves that return instructions can be practically exploited.
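To make concrete what the retpoline defense mentioned above actually does, here is an added example (not code from the article, the Linux kernel or the Retbleed researchers): a hand-written retpoline in C with GNU inline assembly on x86-64. An indirect call through a function pointer is rewritten so the CPU never executes an indirect `jmp`/`call`; instead the target is reached through a `ret` whose return address has been overwritten on the stack, while the speculative path predicted from the return stack buffer lands in a `pause`/`lfence` loop. This is the same shape that GCC emits for `-mindirect-branch=thunk` and that the kernel's `__x86_indirect_thunk_rax` uses; the `ret` at the end of it is the instruction whose prediction Retbleed abuses on the affected CPUs. The function names `add_one`, `times_three` and `call_via_retpoline` are invented for the example.

```c
// Added example: a retpoline ("return trampoline") for an indirect call.
// Not from the article, the kernel, or the Retbleed paper.
#include <stdio.h>

// Constructed sample targets for the example.
static long add_one(long x) { return x + 1; }
static long times_three(long x) { return x * 3; }

// Call fn(arg) through a retpoline instead of a plain `call *%rax`.
static long call_via_retpoline(long (*fn)(long), long arg)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    long rax = (long)fn;   // target pointer lives in %rax, like __x86_indirect_thunk_rax
    long rdi = arg;        // first integer argument per the SysV ABI
    __asm__ volatile(
        "mov  %%rsp, %%rbx\n\t"        // save the stack pointer (rbx is callee-saved)
        "sub  $128, %%rsp\n\t"         // step over the red zone the compiler may be using
        "and  $-16, %%rsp\n\t"         // 16-byte alignment is required at a call
        "call 3f\n\t"                  // call the thunk; pushes the address of `jmp 4f`
        "jmp  4f\n\t"                  // fn returns here; skip over the thunk body
        "3:\n\t"                       // the thunk: retpoline standing in for `jmp *%rax`
        "call 1f\n\t"                  // pushes the address of the capture loop as return address
        "2:\n\t"
        "pause\n\t"                    // speculation following the RSB prediction spins here
        "lfence\n\t"
        "jmp  2b\n\t"
        "1:\n\t"
        "mov  %%rax, (%%rsp)\n\t"      // overwrite the pushed return address with the real target
        "ret\n\t"                      // architecturally jumps to fn; this `ret` is what Retbleed targets
        "4:\n\t"
        "mov  %%rbx, %%rsp\n\t"        // restore the stack pointer
        : "+a"(rax), "+D"(rdi)
        :
        : "rbx", "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "memory", "cc");
    return rax;            // fn's return value comes back in %rax
#else
    return fn(arg);        // non-x86-64 build: plain indirect call, no retpoline
#endif
}

int main(void)
{
    printf("add_one(41) via retpoline    = %ld\n", call_via_retpoline(add_one, 41));
    printf("times_three(7) via retpoline = %ld\n", call_via_retpoline(times_three, 7));
    return 0;
}
```

The point of the construct is that the branch predictor is never consulted for an indirect branch: the only transfer of control to `fn` is the `ret`, which the CPU predicts from its return stack buffer, and that prediction points at the capture loop. Retbleed's finding is that on Zen 1/1+/2 and Intel Core 6th through 8th Gen parts the prediction of that `ret` can itself be steered, which is why the kernel's mitigation had to go beyond retpolines.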
The security researchers found that Retbleed impacts AMD Zen 1/1+/2 and Intel Core 6th through 8th Gen processors.
Mitigating it comes with an added performance cost. From today's disclosure: "Mitigating Retbleed in the Linux kernel required a substantial effort, involving changes to 68 files, 1783 new lines and 387 removed lines. Our performance evaluation shows that mitigating Retbleed has unfortunately turned out to be expensive: we have measured between 14% and 39% overhead with the AMD and Intel patches respectively."
More details about Retbleed are available on the new Retbleed site.
The Retbleed mitigation work was merged this morning into the Linux kernel. I'll have up Retbleed mitigation benchmarks shortly.
Update: Intel's statement on the matter, mailed to us, comes down to: "Intel worked with our industry mitigation partners, the Linux community and VMM vendors to make mitigations available to customers. Windows systems are not affected as they already have these mitigations by default." They also went on to add that they take these issues very seriously but don't believe Retbleed is practical outside of a lab environment.