lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20160122103217.GA9306@pd.tnic>
Date:	Fri, 22 Jan 2016 11:32:17 +0100
From:	Borislav Petkov <bp@...e.de>
To:	"H. Peter Anvin" <hpa@...or.com>
Cc:	Andy Lutomirski <luto@...capital.net>,
	Brian Gerst <brgerst@...il.com>,
	the arch/x86 maintainers <x86@...nel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Ingo Molnar <mingo@...nel.org>,
	Denys Vlasenko <dvlasenk@...hat.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] x86: static_cpu_has_safe: discard dynamic check after
 init

On Thu, Jan 21, 2016 at 03:37:16PM -0800, H. Peter Anvin wrote:
> Maybe a label attribute would help, I don't know.

Here's another version which works, not really better though:

Change is this:

---
+       asm_volatile_goto(ALTERNATIVE("", "jmp %l[t_fixup_ss]",
+                                     X86_BUG_SYSRET_SS_ATTRS)
+                       : : : : t_fixup_ss);
+
+       return prev_p;
+
+t_fixup_ss:

	<snip comment>

+       savesegment(ss, ss_sel);
+       if (ss_sel != __KERNEL_DS)
+               loadsegment(ss, __KERNEL_DS);
 
        return prev_p;
---

with two "return prev_p" with the hope that gcc won't generate a second
JMP back to the frame restore and ret code. But, nah, it does.

vmlinux:

ffffffff8100472a:       90                      nop
ffffffff8100472b:       90                      nop
ffffffff8100472c:       90                      nop
ffffffff8100472d:       90                      nop
ffffffff8100472e:       90                      nop
ffffffff8100472f:       48 83 c4 18             add    $0x18,%rsp
ffffffff81004733:       4c 89 e0                mov    %r12,%rax
ffffffff81004736:       5b                      pop    %rbx
ffffffff81004737:       41 5c                   pop    %r12
ffffffff81004739:       41 5d                   pop    %r13
ffffffff8100473b:       41 5e                   pop    %r14
ffffffff8100473d:       41 5f                   pop    %r15
ffffffff8100473f:       5d                      pop    %rbp
ffffffff81004740:       c3                      retq

after patching on an X86_BUG_SYSRET_SS_ATTRS CPU:

[    0.264007] apply_alternatives: feat: 16*32+8, old: (ffffffff8100472a, len: 5), repl: (ffffffff81de4e05, len: 5), pad: 5
[    0.268005] ffffffff8100472a: old_insn: 90 90 90 90 90
[    0.273510] ffffffff81de4e05: rpl_insn: e9 68 f9 21 ff
[    0.277496] recompute_jump: target RIP: ffffffff81004772, new_displ: 0x48
[    0.280005] recompute_jump: final displ: 0x00000046, JMP 0xffffffff81004772
[    0.283159] ffffffff8100472a: final_insn: eb 46 0f 1f 00


ffffffff8100472a:       eb 46 0f 1f 00		jmp ffffffff81004772
ffffffff8100472f:       48 83 c4 18             add    $0x18,%rsp
ffffffff81004733:       4c 89 e0                mov    %r12,%rax
ffffffff81004736:       5b                      pop    %rbx
ffffffff81004737:       41 5c                   pop    %r12
ffffffff81004739:       41 5d                   pop    %r13
ffffffff8100473b:       41 5e                   pop    %r14
ffffffff8100473d:       41 5f                   pop    %r15
ffffffff8100473f:       5d                      pop    %rbp
ffffffff81004740:       c3                      retq

so a two-byte JMP jumping to:

ffffffff81004772:       66 8c d0                mov    %ss,%ax
ffffffff81004775:       66 83 f8 18             cmp    $0x18,%ax
ffffffff81004779:       74 b4                   je     ffffffff8100472f <__switch_to+0x2df>
ffffffff8100477b:       b8 18 00 00 00          mov    $0x18,%eax
ffffffff81004780:       8e d0                   mov    %eax,%ss
ffffffff81004782:       eb ab                   jmp    ffffffff8100472f <__switch_to+0x2df>

which does the fixup and jumps back to ...472f which restores the frame
and returns.

I wish I could be able to tell gcc to not jump back but add the function
return here too as we don't care about code size in that case.

And it's not like it is really better on !X86_BUG_SYSRET_SS_ATTRS CPUs -
there we have the 5-byte padding NOP being converted to 5-byte one:

[    0.293164] ffffffff8100472a: [0:5) optimized NOPs: 0f 1f 44 00 00

I need to talk to my gcc guy... :)

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ