lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 10 Apr 2019 14:05:50 -0400 (EDT)
From:   Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Andy Lutomirski <luto@...capital.net>,
        "H. Peter Anvin" <hpa@...or.com>, Andi Kleen <andi@...stfloor.org>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        libc-alpha <libc-alpha@...rceware.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        carlos <carlos@...hat.com>, x86 <x86@...nel.org>
Subject: Re: rseq/x86: choosing rseq code signature

----- On Apr 10, 2019, at 1:57 PM, Peter Zijlstra peterz@...radead.org wrote:

> On Wed, Apr 10, 2019 at 11:47:40AM -0400, Mathieu Desnoyers wrote:
>> ----- On Apr 10, 2019, at 2:54 AM, Peter Zijlstra peterz@...radead.org wrote:
>> 
>> > On Tue, Apr 09, 2019 at 04:43:42PM -0400, Mathieu Desnoyers wrote:
>> >> +/*
>> >> + * RSEQ_SIG is used with the following privileged instructions, which trap in
>> >> user-space:
>> >> + * x86-32:    0f 01 3d 53 30 05 53      invlpg 0x53053053
>> >> + * x86-64:    0f 01 3d 53 30 05 53      invlpg 0x53053053(%rip)
>> >> + */
>> > 
>> > Right, and the alternative is: 0f b9 3d $SIG, which decodes to:
>> > 
>> >  UD1 $SIG(%rip),%edi
>> > 
>> > which will trap unconditionally. The only problem is that gas will not
>> > actually assemble it, but since we're .byte coding it, it doesn't
>> > matter.
>> > 
>> > UD1 is specified by both AMD and Intel to take a ModR/M, unlike UD0
>> > where they disagree on the ModR/M.
>> 
>> UD1 is even better from a code emulator perspective. It won't have to
>> try to emulate invlpg if it sees it.
> 
> Some emulators terminate on UD2, not aware of any special UD1 behaviour.
> 
>> Byte coding UD1 as your example above gives the following objdump output,
>> is it expected ?
>> 
>> objdump --version
>> GNU objdump (GNU Binutils for Debian) 2.28
>> 
>> x86-32:
>> 
>>   14:	0f b9                	ud1
>>   16:	3d 53 30 05 53       	cmp    $0x53053053,%eax
>> 
>> x86-64:
>> 
>>    b:	0f b9                	ud1
>>    d:	3d 53 30 05 53       	cmp    $0x53053053,%eax
> 
> GNU objdump (GNU Binutils for Debian) 2.31.1
> 
>     0f b9 3d 78 56 34 12    ud1    0x12345678(%rip),%edi
> 
> So I suppose your objdump is too old :/

Well at least it decodes _something_ which matches the overall instruction
length of 7 bytes, which I think should be OK. So let's use ud1 unless anyone
objects.

Thanks,

Mathieu


-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ