| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <360d5f88-d840-837a-4520-81bc087a9444@suse.com>
Date: Fri, 17 Nov 2017 06:46:59 +0100
From: Juergen Gross <jgross@...e.com>
To: Josh Poimboeuf <jpoimboe@...hat.com>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org,
Andy Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Sasha Levin <alexander.levin@...izon.com>,
live-patching@...r.kernel.org, Jiri Slaby <jslaby@...e.cz>,
Ingo Molnar <mingo@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Peter Zijlstra <peterz@...radead.org>,
Mike Galbraith <efault@....de>,
Chris Wright <chrisw@...s-sol.org>,
Alok Kataria <akataria@...are.com>,
Rusty Russell <rusty@...tcorp.com.au>,
virtualization@...ts.linux-foundation.org,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
xen-devel@...ts.xenproject.org,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH 10/13] x86/alternative: Support indirect call replacement
On 16/11/17 22:19, Josh Poimboeuf wrote:
> On Wed, Oct 25, 2017 at 01:25:02PM +0200, Juergen Gross wrote:
>> On 04/10/17 17:58, Josh Poimboeuf wrote:
>>> Add alternative patching support for replacing an instruction with an
>>> indirect call. This will be needed for the paravirt alternatives.
>>>
>>> Signed-off-by: Josh Poimboeuf <jpoimboe@...hat.com>
>>> ---
>>> arch/x86/kernel/alternative.c | 22 +++++++++++++++-------
>>> 1 file changed, 15 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
>>> index 3344d3382e91..81c577c7deba 100644
>>> --- a/arch/x86/kernel/alternative.c
>>> +++ b/arch/x86/kernel/alternative.c
>>> @@ -410,20 +410,28 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
>>> insnbuf_sz = a->replacementlen;
>>>
>>> /*
>>> - * 0xe8 is a relative jump; fix the offset.
>>> - *
>>> - * Instruction length is checked before the opcode to avoid
>>> - * accessing uninitialized bytes for zero-length replacements.
>>> + * Fix the address offsets for call and jump instructions which
>>> + * use PC-relative addressing.
>>> */
>>> if (a->replacementlen == 5 && *insnbuf == 0xe8) {
>>> + /* direct call */
>>> *(s32 *)(insnbuf + 1) += replacement - instr;
>>> - DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
>>> + DPRINTK("Fix direct CALL offset: 0x%x, CALL 0x%lx",
>>> *(s32 *)(insnbuf + 1),
>>> (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
>>> - }
>>>
>>> - if (a->replacementlen && is_jmp(replacement[0]))
>>> + } else if (a->replacementlen == 6 && *insnbuf == 0xff &&
>>> + *(insnbuf+1) == 0x15) {
>>> + /* indirect call */
>>> + *(s32 *)(insnbuf + 2) += replacement - instr;
>>> + DPRINTK("Fix indirect CALL offset: 0x%x, CALL *0x%lx",
>>> + *(s32 *)(insnbuf + 2),
>>> + (unsigned long)instr + *(s32 *)(insnbuf + 2) + 6);
>>> +
>>> + } else if (a->replacementlen && is_jmp(replacement[0])) {
>>
>> Is this correct? Without your patch this was:
>>
>> if (*insnbuf == 0xe8) ...
>> if (is_jmp(replacement[0])) ...
>>
>> Now you have:
>>
>> if (*insnbuf == 0xe8) ...
>> else if (*insnbuf == 0xff15) ...
>> else if (is_jmp(replacement[0])) ...
>>
>> So only one or none of the three variants will be executed. In the past
>> it could be none, one or both.
>
> It can't be a call *and* a jump. It's either one or the other.
>
> Maybe it's a little confusing that the jump check uses replacement[0]
> while the other checks use *insnbuf? They have the same value, so the
Right, I was fooled by that.
> same variable should probably be used everywhere for consistency. I can
> make them more consistent.
>
I'd appreciate that. :-)
Juergen
Powered by blists - more mailing lists