Date: Thu, 13 Jul 2017 14:12:45 -0700
From: Matthias Kaehlcke <mka@...omium.org>
To: Josh Poimboeuf <jpoimboe@...hat.com>
Cc: Andrey Rybainin <ryabinin.a.a@...il.com>, Chris J Arges <chris.j.arges@...onical.com>, Borislav Petkov <bp@...e.de>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H . Peter Anvin" <hpa@...or.com>, x86@...nel.org, linux-kernel@...r.kernel.org, Douglas Anderson <dianders@...omium.org>, Michael Davidson <md@...gle.com>, Greg Hackmann <ghackmann@...gle.com>, Nick Desaulniers <ndesaulniers@...gle.com>, Stephen Hines <srhines@...gle.com>, Kees Cook <keescook@...omium.org>, Arnd Bergmann <arnd@...db.de>, Bernhard.Rosenkranzer@...aro.org
Subject: Re: [PATCH] Revert "x86/uaccess: Add stack frame output operand in get_user() inline asm"

On Thu, Jul 13, 2017 at 03:34:16PM -0500, Josh Poimboeuf wrote: > On Thu, Jul 13, 2017 at 11:20:04PM +0300, Andrey Rybainin wrote: > > On 07/13/2017 09:47 PM, Matthias Kaehlcke wrote: > > > > > Thanks for your analysis! > > > > > >> What happens if you try the below patch instead of the revert? Any > > >> chance the offending instruction goes away? > > >> > > >> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h > > >> index 11433f9..beac907 100644 > > >> --- a/arch/x86/include/asm/uaccess.h > > >> +++ b/arch/x86/include/asm/uaccess.h 
> > >> @@ -171,7 +171,7 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) > > >> might_fault(); \ > > >> asm volatile("call __get_user_%P4" \ > > >> : "=a" (__ret_gu), "=r" (__val_gu), "+r" (__sp) \ > > >> - : "0" (ptr), "i" (sizeof(*(ptr)))); \ > > >> + : "0" (ptr), "i" (sizeof(*(ptr))), "r" (__sp)); \ > > >> (x) = (__force __typeof__(*(ptr))) __val_gu; \ > > >> __builtin_expect(__ret_gu, 0); \ > > >> }) > > > > > > The generated code is basically the same, only that now the value from > > > the stack is stored in a register and written twice to RSP: > > > > > > > AFAIR clang works much better with global named registers. > > Could you check if the patch bellow helps? > > And yet another one to try (clobbering sp) :-) > > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h > index 11433f9..21f0c39 100644 > --- a/arch/x86/include/asm/uaccess.h > +++ b/arch/x86/include/asm/uaccess.h > @@ -166,12 +166,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) > ({ \ > int __ret_gu; \ > register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \ > - register void *__sp asm(_ASM_SP); \ > __chk_user_ptr(ptr); \ > might_fault(); \ > - asm volatile("call __get_user_%P4" \ > - : "=a" (__ret_gu), "=r" (__val_gu), "+r" (__sp) \ > - : "0" (ptr), "i" (sizeof(*(ptr)))); \ > + asm volatile("call __get_user_%P3" \ > + : "=a" (__ret_gu), "=r" (__val_gu) \ > + : "0" (ptr), "i" (sizeof(*(ptr))) \ > + : "sp"); \ > (x) = (__force __typeof__(*(ptr))) __val_gu; \ > __builtin_expect(__ret_gu, 0); \ > }) This compiles with both gcc and clang, clang does not corrupt the stack pointer. I wouldn't be able to tell though if it forces a stack frame if it doesn't already exist, as the original patch intends.
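
Review bot: In the quoted hunk at `@@ -171,7 +171,7 @@`, the added `"r" (__sp)` input repeats an operand that `"+r" (__sp)` in the output list already declares as both read and written, so it tells the compiler nothing new, and the reply in this thread reports basically the same generated code with the value now written to RSP twice. Because the new operand is appended after `"i" (sizeof(*(ptr)))`, `%P4` still selects the size operand, so the numbering is fine. If the extra input is kept as a compiler workaround, add a comment naming the compiler that needs it; otherwise drop it.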
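
Review bot: In the hunk at `@@ -166,12 +166,12 @@`, the new `: "sp"` clobber takes over from the removed `register void *__sp asm(_ASM_SP)` variable and its `"+r" (__sp)` output, but no comment in the macro says that the clobber is there to keep the `call __get_user_%P3` behind the stack frame setup, which is what the reverted commit's subject describes. Add a comment above the `asm volatile` stating that intent, and check the generated code for a caller that has no frame of its own before merging, since the reply notes this effect was not verified. The clobber is also spelled as a literal `"sp"` while the rest of the macro uses `_ASM_SP` and `_ASM_DX`; either match that convention or say why the literal is required. The `%P4` to `%P3` renumbering is consistent with dropping one output operand.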