lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1515053753.12987.70.camel@amazon.co.uk>
Date:   Thu, 4 Jan 2018 08:15:53 +0000
From:   "Woodhouse, David" <dwmw@...zon.co.uk>
To:     Andi Kleen <andi@...stfloor.org>,
        Thomas Gleixner <tglx@...utronix.de>
CC:     Alan Cox <gnomes@...rguk.ukuu.org.uk>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Greg Kroah-Hartman <gregkh@...ux-foundation.org>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        "Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
        Dave Hansen <dave.hansen@...el.com>
Subject: Re: Avoid speculative indirect calls in kernel

On Wed, 2018-01-03 at 16:40 -0800, Andi Kleen wrote:
> > 
> > So you say, that we finally need a perl interpreter in the kernel
> > to do
> > alternative patching?
> I don't think perl or objtool makes sense. That would be just
> incredibly
> fragile because compilers can reorder and mix code. 
> 
> It could be done with a gcc change I suppose. That should be
> reliable.
> 
> But that would need to be developed first. We don't have it right
> now.
> 
> As the first step a compile time approach should be sufficient.
> We can add a CONFIG option so people can chose at compile time.
> 
> Then later we can investigate run time patching.

My original code, that Intel had included in the osv_v7.1 patch set,
already did runtime patching for all the explicit call sites:

+.macro JMP_THUNK reg:req
+#ifdef RETPOLINE
+       ALTERNATIVE __stringify(jmp __x86.indirect_thunk.\reg), __stringify(jmp *%\reg), X86_FEATURE_IBRS_ATT
+#else
+       jmp *\reg
+#endif
+.endm


.. and the thunks themselves were also using alternatives:

+ENTRY(__x86.indirect_thunk.\reg)
+       CFI_STARTPROC
+       ALTERNATIVE "call 2f", __stringify(jmp *%\reg), X86_FEATURE_IBRS_ATT
+1:
+       lfence
+       jmp     1b
+2:
+       mov     %\reg, (%\sp)
+       ret
+       CFI_ENDPROC
+ENDPROC(__x86.indirect_thunk.\reg)


So all you were left with was the single static jump in the call sites
which GCC emitted, which are basically harmless. It's not clear that it
makes sense to post-process GCC output just to eliminate those. 

Andi, you seem to have made a lot of changes, some cosmetic and some
make it look like you were working on an older version of the code.

For reference, here's my original version.
View attachment "0001-x86-Add-initial-retpoline-support-with-mindirect-bra.patch" of type "text/x-patch" (2469 bytes)

View attachment "0002-x86-Replace-indirect-branches-in-asm-with-CALL_THUNK.patch" of type "text/x-patch" (8359 bytes)

View attachment "0003-x86-Use-retpoline-for-calls-in-inline-asm.patch" of type "text/x-patch" (5961 bytes)

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5210 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ