lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 14 Apr 2020 12:36:09 +0200
From:   Alexandre Chartre <alexandre.chartre@...cle.com>
To:     x86@...nel.org
Cc:     linux-kernel@...r.kernel.org, jpoimboe@...hat.com,
        peterz@...radead.org, jthierry@...hat.com, tglx@...utronix.de,
        alexandre.chartre@...cle.com
Subject: [PATCH V3 0/9] objtool changes to check retpoline code

Hi,

This is version 3 of the patchset previously named "objtool changes to
remove all ANNOTATE_NOSPEC_ALTERNATIVE". This patchset proposes two
main changes:

 1. Add intra-function call support to objtool. This allows objtool
    to check code like retpoline and RSB stuffing. Such code is present
    in alternative and it is not currently checked because of
    ANNOTATE_NOSPEC_ALTERNATIVE directives.

 2. Add alternative code validation in objtool. For stack unwinding to
    work, Peter and Josh have clearly explained that alternative code
    should have the same stack change sequence as the original code.
    This patchset adds this capability to objtool.

After changes 1, we could remove the ANNOTATE_SPEC_ALTERNATIVE directives
from retpoline/RSB alternatives, and alternatives would be correclty checked
by objtool. But, because of changes 2, objtool would now report inconsistency
in alternatives, like this:

  AS      arch/x86/lib/retpoline.o
arch/x86/lib/retpoline.o: warning: objtool: __x86_indirect_thunk_rax()+0x0: error in alternative
arch/x86/lib/retpoline.o: warning: objtool: .altinstr_replacement+0x0: in alternative 1
arch/x86/lib/retpoline.o: warning: objtool: .altinstr_replacement+0x5: misaligned alternative state change
arch/x86/lib/retpoline.o: warning: objtool: .altinstr_replacement+0x11: in alternative 2
arch/x86/lib/retpoline.o: warning: objtool: .altinstr_replacement+0x14: misaligned alternative state change

So this pachset doesn't remove ANNOTATE_NOSPEC_ALTERNATIVE directives
(unlike v1 and v2). But it makes objtool able to detect inconsistent
alternatives. Then such alternative will need to be refactored to
have stack unwinding information compatible with the original code.
For example, here is Peter suggestion for retpoline code:
  https://lkml.org/lkml/2020/4/8/905


Changes:

v2->v3:
 - rebase on v5.7-rc1
 - add alternative code validation in objtool
 - add return address unwind hints
 - track return address to correctly handle ret with intra-function call
 - remove inclusion of PeterZ UNWIND_HINT_RET_OFFSET patch
 - move alt_group changes to appropriate patch
 - move stack changes for calls to INSN_CALL decode

v1->v2:
 - replace RETPOLINE_RET with PeterZ UNWIND_HINT_RET_OFFSET
 - make objtool intra-function call action architecture dependent
 - objtool now automatically detects and validates all intra-function
   calls but it issues a warning if the call was not explicitly tagged
 - change __FILL_RETURN_BUFFER to work with objtool
 - add generic ANNOTATE_INTRA_FUNCTION_CALL macro
 - remove all ANNOTATE_SPEC_ALTERNATIVE (even for __FILL_RETURN_BUFFER)

Thanks,

alex.

-----

Alexandre Chartre (9):
  objtool: is_fentry_call() crashes if call has no destination
  objtool: Allow branches within the same alternative.
  objtool: Add support for intra-function calls
  objtool: Handle return instruction with intra-function call
  objtool: Add return address unwind hints
  objtool: Report inconsistent stack changes in alternative
  x86/speculation: Change __FILL_RETURN_BUFFER to work with objtool
  x86/speculation: Add return address unwind hints to retpoline and RSB
    stuffing
  x86/speculation: Annotate intra-function calls

 arch/x86/include/asm/nospec-branch.h          |  42 +-
 arch/x86/include/asm/orc_types.h              |   2 +
 arch/x86/include/asm/unwind_hints.h           |  23 +
 include/linux/frame.h                         |  11 +
 tools/arch/x86/include/asm/orc_types.h        |   2 +
 .../Documentation/stack-validation.txt        |   8 +
 tools/objtool/arch/x86/decode.c               |  13 +
 tools/objtool/check.c                         | 480 ++++++++++++++++--
 tools/objtool/check.h                         |   8 +-
 9 files changed, 545 insertions(+), 44 deletions(-)

-- 
2.18.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ