lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <608558890.3157.1554911260089.JavaMail.zimbra@efficios.com>
Date:   Wed, 10 Apr 2019 11:47:40 -0400 (EDT)
From:   Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Andy Lutomirski <luto@...capital.net>,
        "H. Peter Anvin" <hpa@...or.com>, Andi Kleen <andi@...stfloor.org>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        libc-alpha <libc-alpha@...rceware.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        carlos <carlos@...hat.com>, x86 <x86@...nel.org>
Subject: Re: rseq/x86: choosing rseq code signature

----- On Apr 10, 2019, at 2:54 AM, Peter Zijlstra peterz@...radead.org wrote:

> On Tue, Apr 09, 2019 at 04:43:42PM -0400, Mathieu Desnoyers wrote:
>> +/*
>> + * RSEQ_SIG is used with the following privileged instructions, which trap in
>> user-space:
>> + * x86-32:    0f 01 3d 53 30 05 53      invlpg 0x53053053
>> + * x86-64:    0f 01 3d 53 30 05 53      invlpg 0x53053053(%rip)
>> + */
> 
> Right, and the alternative is: 0f b9 3d $SIG, which decodes to:
> 
>  UD1 $SIG(%rip),%edi
> 
> which will trap unconditionally. The only problem is that gas will not
> actually assemble it, but since we're .byte coding it, it doesn't
> matter.
> 
> UD1 is specified by both AMD and Intel to take a ModR/M, unlike UD0
> where they disagree on the ModR/M.

UD1 is even better from a code emulator perspective. It won't have to
try to emulate invlpg if it sees it.

Byte coding UD1 as your example above gives the following objdump output,
is it expected ?

objdump --version
GNU objdump (GNU Binutils for Debian) 2.28

x86-32:

  14:	0f b9                	ud1    
  16:	3d 53 30 05 53       	cmp    $0x53053053,%eax

x86-64:

   b:	0f b9                	ud1    
   d:	3d 53 30 05 53       	cmp    $0x53053053,%eax

Thanks!

Mathieu


-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ