| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Oct 2017 13:25:02 +0200
From: Juergen Gross <jgross@...e.com>
To: Josh Poimboeuf <jpoimboe@...hat.com>, x86@...nel.org
Cc: linux-kernel@...r.kernel.org, Andy Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Sasha Levin <alexander.levin@...izon.com>,
live-patching@...r.kernel.org, Jiri Slaby <jslaby@...e.cz>,
Ingo Molnar <mingo@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Peter Zijlstra <peterz@...radead.org>,
Mike Galbraith <efault@....de>,
Chris Wright <chrisw@...s-sol.org>,
Alok Kataria <akataria@...are.com>,
Rusty Russell <rusty@...tcorp.com.au>,
virtualization@...ts.linux-foundation.org,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
xen-devel@...ts.xenproject.org,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH 10/13] x86/alternative: Support indirect call replacement
On 04/10/17 17:58, Josh Poimboeuf wrote:
> Add alternative patching support for replacing an instruction with an
> indirect call. This will be needed for the paravirt alternatives.
>
> Signed-off-by: Josh Poimboeuf <jpoimboe@...hat.com>
> ---
> arch/x86/kernel/alternative.c | 22 +++++++++++++++-------
> 1 file changed, 15 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index 3344d3382e91..81c577c7deba 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -410,20 +410,28 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
> insnbuf_sz = a->replacementlen;
>
> /*
> - * 0xe8 is a relative jump; fix the offset.
> - *
> - * Instruction length is checked before the opcode to avoid
> - * accessing uninitialized bytes for zero-length replacements.
> + * Fix the address offsets for call and jump instructions which
> + * use PC-relative addressing.
> */
> if (a->replacementlen == 5 && *insnbuf == 0xe8) {
> + /* direct call */
> *(s32 *)(insnbuf + 1) += replacement - instr;
> - DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
> + DPRINTK("Fix direct CALL offset: 0x%x, CALL 0x%lx",
> *(s32 *)(insnbuf + 1),
> (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
> - }
>
> - if (a->replacementlen && is_jmp(replacement[0]))
> + } else if (a->replacementlen == 6 && *insnbuf == 0xff &&
> + *(insnbuf+1) == 0x15) {
> + /* indirect call */
> + *(s32 *)(insnbuf + 2) += replacement - instr;
> + DPRINTK("Fix indirect CALL offset: 0x%x, CALL *0x%lx",
> + *(s32 *)(insnbuf + 2),
> + (unsigned long)instr + *(s32 *)(insnbuf + 2) + 6);
> +
> + } else if (a->replacementlen && is_jmp(replacement[0])) {
Is this correct? Without your patch this was:
if (*insnbuf == 0xe8) ...
if (is_jmp(replacement[0])) ...
Now you have:
if (*insnbuf == 0xe8) ...
else if (*insnbuf == 0xff15) ...
else if (is_jmp(replacement[0])) ...
So only one or none of the three variants will be executed. In the past
it could be none, one or both.
Juergen
Powered by blists - more mailing lists