| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Nov 2017 15:19:29 -0600
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Juergen Gross <jgross@...e.com>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org,
Andy Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Sasha Levin <alexander.levin@...izon.com>,
live-patching@...r.kernel.org, Jiri Slaby <jslaby@...e.cz>,
Ingo Molnar <mingo@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Peter Zijlstra <peterz@...radead.org>,
Mike Galbraith <efault@....de>,
Chris Wright <chrisw@...s-sol.org>,
Alok Kataria <akataria@...are.com>,
Rusty Russell <rusty@...tcorp.com.au>,
virtualization@...ts.linux-foundation.org,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
xen-devel@...ts.xenproject.org,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH 10/13] x86/alternative: Support indirect call replacement
On Wed, Oct 25, 2017 at 01:25:02PM +0200, Juergen Gross wrote:
> On 04/10/17 17:58, Josh Poimboeuf wrote:
> > Add alternative patching support for replacing an instruction with an
> > indirect call. This will be needed for the paravirt alternatives.
> >
> > Signed-off-by: Josh Poimboeuf <jpoimboe@...hat.com>
> > ---
> > arch/x86/kernel/alternative.c | 22 +++++++++++++++-------
> > 1 file changed, 15 insertions(+), 7 deletions(-)
> >
> > diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> > index 3344d3382e91..81c577c7deba 100644
> > --- a/arch/x86/kernel/alternative.c
> > +++ b/arch/x86/kernel/alternative.c
> > @@ -410,20 +410,28 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
> > insnbuf_sz = a->replacementlen;
> >
> > /*
> > - * 0xe8 is a relative jump; fix the offset.
> > - *
> > - * Instruction length is checked before the opcode to avoid
> > - * accessing uninitialized bytes for zero-length replacements.
> > + * Fix the address offsets for call and jump instructions which
> > + * use PC-relative addressing.
> > */
> > if (a->replacementlen == 5 && *insnbuf == 0xe8) {
> > + /* direct call */
> > *(s32 *)(insnbuf + 1) += replacement - instr;
> > - DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
> > + DPRINTK("Fix direct CALL offset: 0x%x, CALL 0x%lx",
> > *(s32 *)(insnbuf + 1),
> > (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
> > - }
> >
> > - if (a->replacementlen && is_jmp(replacement[0]))
> > + } else if (a->replacementlen == 6 && *insnbuf == 0xff &&
> > + *(insnbuf+1) == 0x15) {
> > + /* indirect call */
> > + *(s32 *)(insnbuf + 2) += replacement - instr;
> > + DPRINTK("Fix indirect CALL offset: 0x%x, CALL *0x%lx",
> > + *(s32 *)(insnbuf + 2),
> > + (unsigned long)instr + *(s32 *)(insnbuf + 2) + 6);
> > +
> > + } else if (a->replacementlen && is_jmp(replacement[0])) {
>
> Is this correct? Without your patch this was:
>
> if (*insnbuf == 0xe8) ...
> if (is_jmp(replacement[0])) ...
>
> Now you have:
>
> if (*insnbuf == 0xe8) ...
> else if (*insnbuf == 0xff15) ...
> else if (is_jmp(replacement[0])) ...
>
> So only one or none of the three variants will be executed. In the past
> it could be none, one or both.
It can't be a call *and* a jump. It's either one or the other.
Maybe it's a little confusing that the jump check uses replacement[0]
while the other checks use *insnbuf? They have the same value, so the
same variable should probably be used everywhere for consistency. I can
make them more consistent.
--
Josh
Powered by blists - more mailing lists