| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190611162128.GK3463@hirez.programming.kicks-ass.net>
Date: Tue, 11 Jun 2019 18:21:28 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Andy Lutomirski <luto@...nel.org>,
Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Jason Baron <jbaron@...mai.com>, Jiri Kosina <jkosina@...e.cz>,
David Laight <David.Laight@...LAB.COM>,
Borislav Petkov <bp@...en8.de>,
Julia Cartwright <julia@...com>, Jessica Yu <jeyu@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>, Nadav Amit <namit@...are.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Edward Cree <ecree@...arflare.com>,
Daniel Bristot de Oliveira <bristot@...hat.com>
Subject: Re: [PATCH 08/15] x86/alternatives: Teach text_poke_bp() to emulate
instructions
On Tue, Jun 11, 2019 at 05:52:48PM +0200, Peter Zijlstra wrote:
> On Tue, Jun 11, 2019 at 11:14:10AM -0400, Steven Rostedt wrote:
> > On Wed, 05 Jun 2019 15:08:01 +0200
> > Peter Zijlstra <peterz@...radead.org> wrote:
> >
> > > -void text_poke_bp(void *addr, const void *opcode, size_t len, void *handler)
> > > +void text_poke_bp(void *addr, const void *opcode, size_t len, const void *emulate)
> > > {
> > > unsigned char int3 = 0xcc;
> > >
> > > - bp_int3_handler = handler;
> > > + bp_int3_opcode = emulate ?: opcode;
> > > bp_int3_addr = (u8 *)addr + sizeof(int3);
> > > bp_patching_in_progress = true;
> > >
> > > lockdep_assert_held(&text_mutex);
> > >
> > > /*
> > > + * poke_int3_handler() relies on @opcode being a 5 byte instruction;
> > > + * notably a JMP, CALL or NOP5_ATOMIC.
> > > + */
> > > + BUG_ON(len != 5);
> >
> > If we have a bug on here, why bother with passing in len at all? Just
> > force it to be 5.
>
> Masami said the same.
>
> > We could make it a WARN_ON() and return without doing anything.
> >
> > This also prevents us from ever changing two byte jmps.
>
> It doesn't; that is, we'd need to add emulation for the 3 byte jump, but
> that'd be pretty trivial.
I can't find a 3 byte jump on x86_64, I could only find a 2 byte one.
But something like so should work I suppose, although at this point I'm
thinking we should just used the instruction decode we have instead of
playing iffy games with packed structures.
diff --git a/arch/x86/include/asm/text-patching.h b/arch/x86/include/asm/text-patching.h
index e1a4bb42eb92..abb9615dcb1d 100644
--- a/arch/x86/include/asm/text-patching.h
+++ b/arch/x86/include/asm/text-patching.h
@@ -57,6 +57,9 @@ static inline void int3_emulate_jmp(struct pt_regs *regs, unsigned long ip)
#define JMP_INSN_SIZE 5
#define JMP_INSN_OPCODE 0xE9
+#define JMP8_INSN_SIZE 2
+#define JMP8_INSN_OPCODE 0xEB
+
static inline void int3_emulate_push(struct pt_regs *regs, unsigned long val)
{
/*
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 5d0123a8183b..5df6c74a0b08 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -924,13 +924,18 @@ static void do_sync_core(void *info)
static bool bp_patching_in_progress;
static const void *bp_int3_opcode, *bp_int3_addr;
+struct poke_insn {
+ u8 opcode;
+ union {
+ s8 rel8;
+ s32 rel32;
+ };
+} __packed;
+
int poke_int3_handler(struct pt_regs *regs)
{
long ip = regs->ip - INT3_INSN_SIZE + CALL_INSN_SIZE;
- struct opcode {
- u8 insn;
- s32 rel;
- } __packed opcode;
+ struct poke_insn insn;
/*
* Having observed our INT3 instruction, we now must observe
@@ -950,15 +955,19 @@ int poke_int3_handler(struct pt_regs *regs)
if (user_mode(regs) || regs->ip != (unsigned long)bp_int3_addr)
return 0;
- opcode = *(struct opcode *)bp_int3_opcode;
+ insn = *(struct poke_insn *)bp_int3_opcode;
- switch (opcode.insn) {
+ switch (insn.opcode) {
case CALL_INSN_OPCODE:
- int3_emulate_call(regs, ip + opcode.rel);
+ int3_emulate_call(regs, ip + insn.rel32);
break;
case JMP_INSN_OPCODE:
- int3_emulate_jmp(regs, ip + opcode.rel);
+ int3_emulate_jmp(regs, ip + insn.rel32);
+ break;
+
+ case JMP8_INSN_OPCODE:
+ int3_emulate_jmp(regs, ip + insn.rel8);
break;
default: /* assume NOP */
@@ -992,7 +1001,8 @@ NOKPROBE_SYMBOL(poke_int3_handler);
*/
void text_poke_bp(void *addr, const void *opcode, size_t len, const void *emulate)
{
- unsigned char int3 = 0xcc;
+ unsigned char int3 = INT3_INSN_OPCODE;
+ unsigned char opcode;
bp_int3_opcode = emulate ?: opcode;
bp_int3_addr = (u8 *)addr + sizeof(int3);
@@ -1001,10 +1011,26 @@ void text_poke_bp(void *addr, const void *opcode, size_t len, const void *emulat
lockdep_assert_held(&text_mutex);
/*
- * poke_int3_handler() relies on @opcode being a 5 byte instruction;
- * notably a JMP, CALL or NOP5_ATOMIC.
+ * Verify we support the actual instruction in poke_int3_handler().
*/
- BUG_ON(len != 5);
+ opcode = *(unsigned char *)bp_int3_opcode;
+ switch (opcode) {
+ case CALL_INSN_OPCODE:
+ BUG_ON(len != CALL_INSN_SIZE);
+ break;
+
+ case JMP_INSN_OPCODE:
+ BUG_ON(len != JMP_INSN_SIZE);
+ break;
+
+ case JMP8_INSN_OPCODE:
+ BUG_ON(len != JMP8_INSN_SIZE);
+ break;
+
+ default: /* assume NOP5_ATOMIC */
+ BUG_ON(len != 5);
+ break;
+ }
/*
* Corresponding read barrier in int3 notifier for making sure the
Powered by blists - more mailing lists