| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190306172453.GE13351@linux.ibm.com>
Date: Wed, 6 Mar 2019 09:24:53 -0800
From: "Paul E. McKenney" <paulmck@...ux.ibm.com>
To: Akira Yokosawa <akiyks@...il.com>
Cc: Peter Zijlstra <peterz@...radead.org>,
Borislav Petkov <bp@...en8.de>,
Andrea Parri <andrea.parri@...rulasolutions.com>,
linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
Alan Stern <stern@...land.harvard.edu>,
Will Deacon <will.deacon@....com>,
Boqun Feng <boqun.feng@...il.com>,
Nicholas Piggin <npiggin@...il.com>,
David Howells <dhowells@...hat.com>,
Jade Alglave <j.alglave@....ac.uk>,
Luc Maranget <luc.maranget@...ia.fr>,
Daniel Lustig <dlustig@...dia.com>
Subject: Re: [RFC PATCH] tools/memory-model: Remove (dep ; rfi) from ppo
On Thu, Mar 07, 2019 at 12:46:05AM +0900, Akira Yokosawa wrote:
> On Tue, 26 Feb 2019 16:04:50 +0100, Peter Zijlstra wrote:
> > On Tue, Feb 26, 2019 at 06:28:45AM -0800, Paul E. McKenney wrote:
> >
> >> Yes, this all is a bit on the insane side from a kernel viewpoint.
> >> But the paper you found does not impose this; it has instead been there
> >> for about 20 years, back before C and C++ admitted to the existence
> >> of concurrency. But of course compilers are getting more aggressive,
> >> and yes, some of the problems show up in single-threaded code.
> >
> > But that paper is from last year!! It has Peter Sewell on, I'm sure he's
> > heard of concurrency.
> >
> >> The usual response is "then cast the pointers to intptr_t!" but of
> >> course that breaks type checking.
> >
> > I tried laundering the pointer through intptr_t, but I can't seem to
> > unbreak it.
> >
> >
> > root@...-ep:~/tmp# gcc-8 -O2 -fno-strict-aliasing -o ptr ptr.c ; ./ptr
> > p=0x55aacdc80034 q=0x55aacdc80034
> > x=1 y=2 *p=11 *q=2
> > root@...-ep:~/tmp# cat ptr.c
> > #include <stdio.h>
> > #include <string.h>
> > #include <stdint.h>
> > int y = 2, x = 1;
> > int main (int argc, char **argv) {
> > intptr_t P = (intptr_t)&x;
> > intptr_t Q = (intptr_t)&y;
> > P += sizeof(int);
> > int *q = &y;
> > printf("p=%p q=%p\n", (int*)P, (int*)Q);
> > if (P == Q) {
> > int *p = (int *)P;
> > *p = 11;
> > printf("x=%d y=%d *p=%d *q=%d\n", x, y, *p, *q);
> > }
> > }
> >
>
> So, I'm looking at the macro RELOC_HIDE() defined in include/linux/compiler-gcc.h.
>
> It says:
>
> --------
> /*
> * This macro obfuscates arithmetic on a variable address so that gcc
> * shouldn't recognize the original var, and make assumptions about it.
> *
> * This is needed because the C standard makes it undefined to do
> * pointer arithmetic on "objects" outside their boundaries and the
> * gcc optimizers assume this is the case. In particular they
> * assume such arithmetic does not wrap.
> *
> [...]
> */
> #define RELOC_HIDE(ptr, off) \
> ({ \
> unsigned long __ptr; \
> __asm__ ("" : "=r"(__ptr) : "0"(ptr)); \
> (typeof(ptr)) (__ptr + (off)); \
> })
> --------
>
> Looks like this macro has existed ever since the origin of Linus' git repo.
>
> And the optimization "bug" discussed in this thread can be suppressed by
> this macro.
>
> For example,
>
> $ gcc -O2 -o reloc_hide reloc_hide.c; ./reloc_hide
> x=1 y=11 *p=11 *q=11
> $ cat reloc_hide.c
> #include <stdio.h>
> #include <stdint.h>
>
> #define RELOC_HIDE(ptr, off) \
> ({ \
> uintptr_t __ptr; \
> __asm__ ("" : "=r"(__ptr) : "0"(ptr)); \
> (typeof(ptr)) (__ptr + (off)); \
> })
>
> int y = 2, x = 1;
> int main (int argc, char **argv) {
> int *p = RELOC_HIDE(&x, sizeof(*p));
> int *q = RELOC_HIDE(&y, 0);
> if (p == q) {
> *p = 11;
> printf("x=%d y=%d *p=%d *q=%d\n", x, y, *p, *q);
> }
> }
>
> Note that "uintptr_t" is used in this version of RELOC_HIDE() for user-land
> code.
>
> Am I the only one who was not aware of this gcc-specific macro?
I have seen it before, but had forgotten it. ;-)
But people on the committee seem to agree that inline assembly should
"launder" pointers, along with atomic and volatile accesses. The case
of revalidating pointers fetched during a previous critical section for
a given lock is very much in play, but then again, we don't have any
known good use cases identified.
Thanx, Paul
Powered by blists - more mailing lists