lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Nov 2021 12:32:20 -0700 From: Andy Lutomirski <luto@...nel.org> To: Peter Zijlstra <peterz@...radead.org> Cc: Kees Cook <keescook@...omium.org>, Ard Biesheuvel <ardb@...nel.org>, Sami Tolvanen <samitolvanen@...gle.com>, Mark Rutland <mark.rutland@....com>, the arch/x86 maintainers <x86@...nel.org>, Josh Poimboeuf <jpoimboe@...hat.com>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Sedat Dilek <sedat.dilek@...il.com>, Steven Rostedt <rostedt@...dmis.org>, linux-hardening@...r.kernel.org, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, llvm@...ts.linux.dev Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching On 11/3/21 01:35, Peter Zijlstra wrote: > On Tue, Nov 02, 2021 at 05:20:05PM -0700, Andy Lutomirski wrote: >> I think that's a big mistake -- any sane ENDBR-using scheme would >> really prefer that ENDBR to be right next to the actual function body, >> and really any scheme would benefit due to better cache locality. > > Agreed, IBT/BTI want the landing pad in front of the actual function. > >> But, more importantly, IMO any sane ENDBR-using scheme wants to >> generate the indirect stub as part of code gen for the actual >> function. > > Sorta, I really want to be able to not have a landing pad for functions > whose address is never taken. At that point it doesn't matter if it gets > generated along with the function and then stripped/poisoned later, or > generated later. Stripping is conceptually straightforward even without LTO. foo.indirect: ENDBR foo: ... and the linker learns (using magic function sections?) that, if foo.indirect is not referenced, then it should not be generated. Or a very straightforward walk over all the relocations in an object to poison the unused .indirect entries could be done. Making this work with DSOs, EXPORT_SYMBOL, etc will be somewhat nontrivial, but not impossible. --Andy
Powered by blists - more mailing lists