| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Jan 2016 11:32:17 +0100
From: Borislav Petkov <bp@...e.de>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Andy Lutomirski <luto@...capital.net>,
Brian Gerst <brgerst@...il.com>,
the arch/x86 maintainers <x86@...nel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Ingo Molnar <mingo@...nel.org>,
Denys Vlasenko <dvlasenk@...hat.com>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] x86: static_cpu_has_safe: discard dynamic check after
init
On Thu, Jan 21, 2016 at 03:37:16PM -0800, H. Peter Anvin wrote:
> Maybe a label attribute would help, I don't know.
Here's another version which works, not really better though:
Change is this:
---
+ asm_volatile_goto(ALTERNATIVE("", "jmp %l[t_fixup_ss]",
+ X86_BUG_SYSRET_SS_ATTRS)
+ : : : : t_fixup_ss);
+
+ return prev_p;
+
+t_fixup_ss:
<snip comment>
+ savesegment(ss, ss_sel);
+ if (ss_sel != __KERNEL_DS)
+ loadsegment(ss, __KERNEL_DS);
return prev_p;
---
with two "return prev_p" with the hope that gcc won't generate a second
JMP back to the frame restore and ret code. But, nah, it does.
vmlinux:
ffffffff8100472a: 90 nop
ffffffff8100472b: 90 nop
ffffffff8100472c: 90 nop
ffffffff8100472d: 90 nop
ffffffff8100472e: 90 nop
ffffffff8100472f: 48 83 c4 18 add $0x18,%rsp
ffffffff81004733: 4c 89 e0 mov %r12,%rax
ffffffff81004736: 5b pop %rbx
ffffffff81004737: 41 5c pop %r12
ffffffff81004739: 41 5d pop %r13
ffffffff8100473b: 41 5e pop %r14
ffffffff8100473d: 41 5f pop %r15
ffffffff8100473f: 5d pop %rbp
ffffffff81004740: c3 retq
after patching on an X86_BUG_SYSRET_SS_ATTRS CPU:
[ 0.264007] apply_alternatives: feat: 16*32+8, old: (ffffffff8100472a, len: 5), repl: (ffffffff81de4e05, len: 5), pad: 5
[ 0.268005] ffffffff8100472a: old_insn: 90 90 90 90 90
[ 0.273510] ffffffff81de4e05: rpl_insn: e9 68 f9 21 ff
[ 0.277496] recompute_jump: target RIP: ffffffff81004772, new_displ: 0x48
[ 0.280005] recompute_jump: final displ: 0x00000046, JMP 0xffffffff81004772
[ 0.283159] ffffffff8100472a: final_insn: eb 46 0f 1f 00
ffffffff8100472a: eb 46 0f 1f 00 jmp ffffffff81004772
ffffffff8100472f: 48 83 c4 18 add $0x18,%rsp
ffffffff81004733: 4c 89 e0 mov %r12,%rax
ffffffff81004736: 5b pop %rbx
ffffffff81004737: 41 5c pop %r12
ffffffff81004739: 41 5d pop %r13
ffffffff8100473b: 41 5e pop %r14
ffffffff8100473d: 41 5f pop %r15
ffffffff8100473f: 5d pop %rbp
ffffffff81004740: c3 retq
so a two-byte JMP jumping to:
ffffffff81004772: 66 8c d0 mov %ss,%ax
ffffffff81004775: 66 83 f8 18 cmp $0x18,%ax
ffffffff81004779: 74 b4 je ffffffff8100472f <__switch_to+0x2df>
ffffffff8100477b: b8 18 00 00 00 mov $0x18,%eax
ffffffff81004780: 8e d0 mov %eax,%ss
ffffffff81004782: eb ab jmp ffffffff8100472f <__switch_to+0x2df>
which does the fixup and jumps back to ...472f which restores the frame
and returns.
I wish I could be able to tell gcc to not jump back but add the function
return here too as we don't care about code size in that case.
And it's not like it is really better on !X86_BUG_SYSRET_SS_ATTRS CPUs -
there we have the 5-byte padding NOP being converted to 5-byte one:
[ 0.293164] ffffffff8100472a: [0:5) optimized NOPs: 0f 1f 44 00 00
I need to talk to my gcc guy... :)
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--
Powered by blists - more mailing lists