| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Feb 2013 23:05:12 +0100
From: Borislav Petkov <bp@...en8.de>
To: LKML <linux-kernel@...r.kernel.org>
Cc: "H. Peter Anvin" <hpa@...or.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Borislav Petkov <bp@...e.de>
Subject: [PATCH] scripts/decodecode: Make faulting insn ptr more robust
From: Borislav Petkov <bp@...e.de>
It can accidentally happen that the faulting insn (the exact instruction
bytes) is repeated a little further on in the trace. This causes that
same instruction to be tagged twice, see example below.
What we want to do, however, is to track back from the end of the whole
disassembly so many lines as the slice which starts with the faulting
instruction is long. This leads us to the actual faulting instruction
and *then* we tag it.
While we're at it, we can drop the sed "g" flag because we address only
this one line.
Also, if we point to an instruction which changes decoding depending
on the slice being objdumped, like a Jcc insn, for example, we do not
even tag it as a faulting instruction because the instruction decode
changes in the second slice but we use that second format as a regex on
the fsrst disassembled buffer and more often than not that instruction
doesn't match.
Again, simply tag the line which is deduced from the original "<>"
marking we've received from the kernel.
This also solves the pathologic issue of multiple tagging like this:
29:* 0f 0b ud2 <-- trapping instruction
2b:* 0f 0b ud2 <-- trapping instruction
2d:* 0f 0b ud2 <-- trapping instruction
Double tagging example:
Code: 34 dd 40 30 ad 81 48 c7 c0 80 f6 00 00 48 8b 3c 30 48 01 c6 b8 ff ff ff ff 48 8d 57 f0 48 39 f7 74 2f 49 8b 4c 24 08 48 8b 47 f0 <48> 39 48 08 75 0e eb 2a 66 90 48 8b 40 f0 48 39 48 08 74 1e 48
All code
========
0: 34 dd xor $0xdd,%al
2: 40 30 ad 81 48 c7 c0 xor %bpl,-0x3f38b77f(%rbp)
9: 80 f6 00 xor $0x0,%dh
c: 00 48 8b add %cl,-0x75(%rax)
f: 3c 30 cmp $0x30,%al
11: 48 01 c6 add %rax,%rsi
14: b8 ff ff ff ff mov $0xffffffff,%eax
19: 48 8d 57 f0 lea -0x10(%rdi),%rdx
1d: 48 39 f7 cmp %rsi,%rdi
20: 74 2f je 0x51
22: 49 8b 4c 24 08 mov 0x8(%r12),%rcx
27: 48 8b 47 f0 mov -0x10(%rdi),%rax
2b:* 48 39 48 08 cmp %rcx,0x8(%rax) <-- trapping instruction
2f: 75 0e jne 0x3f
31: eb 2a jmp 0x5d
33: 66 90 xchg %ax,%ax
35: 48 8b 40 f0 mov -0x10(%rax),%rax
39:* 48 39 48 08 cmp %rcx,0x8(%rax) <-- trapping instruction
3d: 74 1e je 0x5d
3f: 48 rex.W
Signed-off-by: Borislav Petkov <bp@...e.de>
---
scripts/decodecode | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/decodecode b/scripts/decodecode
index 4f8248d5a11f..d8824f37acce 100755
--- a/scripts/decodecode
+++ b/scripts/decodecode
@@ -89,10 +89,16 @@ echo $code >> $T.s
disas $T
cat $T.dis >> $T.aa
+# (lines of whole $T.oo) - (lines of $T.aa, i.e. "Code starting") + 3,
+# i.e. the title + the "===..=" line (sed is counting from 1, 0 address is
+# special)
+faultlinenum=$(( $(wc -l $T.oo | cut -d" " -f1) - \
+ $(wc -l $T.aa | cut -d" " -f1) + 3))
+
faultline=`cat $T.dis | head -1 | cut -d":" -f2-`
faultline=`echo "$faultline" | sed -e 's/\[/\\\[/g; s/\]/\\\]/g'`
-cat $T.oo | sed -e "s/\($faultline\)/\*\1 <-- trapping instruction/g"
+cat $T.oo | sed -e "${faultlinenum}s/^\(.*:\)\(.*\)/\1\*\2\t\t<-- trapping instruction/"
echo
cat $T.aa
cleanup
--
1.8.1.3.535.ga923c31
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists