On 06/05/2018 06:14 PM, speck for Linus Torvalds wrote:
>
>
> On Tue, 5 Jun 2018, speck for Jiri Kosina wrote:
>>
>> speculative return address overwrite
>
> I don't believe in this one to begin with.
>
> The return address is always taken from the RSB.

For one thing, it's known that Intel has several different RSBs in their designs - an architectural RSB and a speculative RSB (SRSB), plus they will search the BTB at least on underflow. In the SRSB case, whenever they detect a CALL during instruction decode, they'll stash the return in the SRSB even if it's never executed. So you could minimally cause an SRSB entry to be created that never matched with a call.

Jon.

--
Computer Architect | Sent from my Fedora powered laptop