| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190410123258.37f182cf@mschwideX1>
Date: Wed, 10 Apr 2019 12:32:58 +0200
From: Martin Schwidefsky <schwidefsky@...ibm.com>
To: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc: heiko carstens <heiko.carstens@...ibm.com>,
gor <gor@...ux.ibm.com>, libc-alpha <libc-alpha@...rceware.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
"Carlos O'Donell" <carlos@...hat.com>
Subject: Re: rseq/s390: choosing code signature
On Tue, 9 Apr 2019 15:32:22 -0400 (EDT)
Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote:
> Hi,
>
> We are about to include the code signature required prior to restartable
> sequences abort handlers into glibc, which will make this ABI choice final.
> We need architecture maintainer input on that signature value.
>
> That code signature is placed before each abort handler, so the kernel can
> validate that it is indeed jumping to an abort handler (and not some
> arbitrary attacker-chosen code). The signature is never executed.
>
> The current discussion thread on the glibc mailing list leads us towards
> using a trap with uncommon immediate operand, which simplifies integration
> with disassemblers, emulators, makes it easier to debug if the control
> flow gets redirected there by mistake, and is nicer for some architecture's
> speculative execution.
>
> We can have different signatures for each sub-architecture, as long as they
> don't have to co-exist within the same process. We can special-case with
> #ifdef for each sub-architecture and endianness if need be. If the architecture
> has instruction set extensions that can co-exist with the architecture
> instruction set within the same process, we need to take into account to which
> instruction the chosen signature value would map (and possibly decide if we
> need to extend rseq to support many signatures).
>
> Here is an example of rseq signature definition template:
>
> /*
> * TODO: document trap instruction objdump output on each sub-architecture
> * instruction sets, as well as instruction set extensions.
> */
> #define RSEQ_SIG 0x########
>
> Ideally we'd need a patch on top of the Linux kernel
> tools/testing/selftests/rseq/rseq-s390.h file that updates
> the signature value, so I can then pick it up for the glibc
> patchset.
The trap4 instruction is a suitable one. The patch would look like this
--
commit 2ee28f6d1de968a71f074ab150384b90b4121216
Author: Martin Schwidefsky <schwidefsky@...ibm.com>
Date: Wed Apr 10 12:28:41 2019 +0200
s390/rseq: use trap4 for RSEQ_SIG
Use trap4 as the guard instruction for the restartable sequence abort
handler.
Signed-off-by: Martin Schwidefsky <schwidefsky@...ibm.com>
diff --git a/tools/testing/selftests/rseq/rseq-s390.h b/tools/testing/selftests/rseq/rseq-s390.h
index 1069e85258ce..d4c8e1147d86 100644
--- a/tools/testing/selftests/rseq/rseq-s390.h
+++ b/tools/testing/selftests/rseq/rseq-s390.h
@@ -1,6 +1,13 @@
/* SPDX-License-Identifier: LGPL-2.1 OR MIT */
-#define RSEQ_SIG 0x53053053
+/*
+ * RSEQ_SIG uses the trap4 instruction. As Linux does not make use of the
+ * access-register mode nor the linkage stack this instruction will always
+ * cause a special-operation exception (the trap-enabled bit in the DUCT
+ * is and will stay 0). The instruction pattern is
+ * b2 ff 0f ff trap4 4095(%r0)
+ */
+#define RSEQ_SIG 0xB2FF0FFF
#define rseq_smp_mb() __asm__ __volatile__ ("bcr 15,0" ::: "memory")
#define rseq_smp_rmb() rseq_smp_mb()
--
blue skies,
Martin.
"Reality continues to ruin my life." - Calvin.
Powered by blists - more mailing lists