| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2074744632.3167.1554911856144.JavaMail.zimbra@efficios.com>
Date: Wed, 10 Apr 2019 11:57:36 -0400 (EDT)
From: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To: schwidefsky <schwidefsky@...ibm.com>
Cc: heiko carstens <heiko.carstens@...ibm.com>,
gor <gor@...ux.ibm.com>, libc-alpha <libc-alpha@...rceware.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
carlos <carlos@...hat.com>
Subject: Re: rseq/s390: choosing code signature
----- On Apr 10, 2019, at 11:52 AM, schwidefsky schwidefsky@...ibm.com wrote:
> On Wed, 10 Apr 2019 11:50:39 -0400 (EDT)
> Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote:
>
>> ----- On Apr 10, 2019, at 6:32 AM, schwidefsky schwidefsky@...ibm.com wrote:
>>
>> > On Tue, 9 Apr 2019 15:32:22 -0400 (EDT)
>> > Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote:
>> >
>> >> Hi,
>> >>
>> >> We are about to include the code signature required prior to restartable
>> >> sequences abort handlers into glibc, which will make this ABI choice final.
>> >> We need architecture maintainer input on that signature value.
>> >>
>> >> That code signature is placed before each abort handler, so the kernel can
>> >> validate that it is indeed jumping to an abort handler (and not some
>> >> arbitrary attacker-chosen code). The signature is never executed.
>> >>
>> >> The current discussion thread on the glibc mailing list leads us towards
>> >> using a trap with uncommon immediate operand, which simplifies integration
>> >> with disassemblers, emulators, makes it easier to debug if the control
>> >> flow gets redirected there by mistake, and is nicer for some architecture's
>> >> speculative execution.
>> >>
>> >> We can have different signatures for each sub-architecture, as long as they
>> >> don't have to co-exist within the same process. We can special-case with
>> >> #ifdef for each sub-architecture and endianness if need be. If the architecture
>> >> has instruction set extensions that can co-exist with the architecture
>> >> instruction set within the same process, we need to take into account to which
>> >> instruction the chosen signature value would map (and possibly decide if we
>> >> need to extend rseq to support many signatures).
>> >>
>> >> Here is an example of rseq signature definition template:
>> >>
>> >> /*
>> >> * TODO: document trap instruction objdump output on each sub-architecture
>> >> * instruction sets, as well as instruction set extensions.
>> >> */
>> >> #define RSEQ_SIG 0x########
>> >>
>> >> Ideally we'd need a patch on top of the Linux kernel
>> >> tools/testing/selftests/rseq/rseq-s390.h file that updates
>> >> the signature value, so I can then pick it up for the glibc
>> >> patchset.
>> >
>> > The trap4 instruction is a suitable one. The patch would look like this
>>
>> Great! I'm picking it up into my rseq tree if that's OK with you.
>
> Just added the patch to s390/linux:features for the next merge window as well.
Sounds good! I'll carry it in my tree to have a comprehensive up-to-date list of
rseq signatures for all architectures in a single tree. Worse-case the exact same
change will be pulled from both architecture and rseq trees, which I don't think
should be an issue, right ?
Thanks,
Mathieu
>
> --
> blue skies,
> Martin.
>
> "Reality continues to ruin my life." - Calvin.
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
Powered by blists - more mailing lists