lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 5 May 2020 16:27:44 -0400 (EDT)
From:   Mathieu Desnoyers <>
To:     ndesaulniers <>
Cc:     Linus Torvalds <>,
        Peter Zijlstra <>,
        Rasmus Villemoes <>,
        x86 <>,
        linux-kernel <>,
        rostedt <>,
        Masami Hiramatsu <>,
        bristot <>, jbaron <>,
        Thomas Gleixner <>,
        Ingo Molnar <>, Nadav Amit <>,
        "H. Peter Anvin" <>,
        Andy Lutomirski <>,
        Ard Biesheuvel <>,
        Josh Poimboeuf <>,
        Paolo Bonzini <>,
        "H.J. Lu" <>,
        clang-built-linux <>
Subject: Re: [PATCH v4 14/18] static_call: Add static_cond_call()

----- On May 5, 2020, at 3:57 PM, ndesaulniers wrote:

> On Tue, May 5, 2020 at 12:00 PM Mathieu Desnoyers
> <> wrote:
>> ----- On May 5, 2020, at 2:48 PM, Linus Torvalds
>> wrote:
>> [...]
>> >
>> > Your initial reaction that "you can't compile away the read and the
>> > test of NULL" was correct, I think.
>> I suspect this pattern of "if (func != NULL) func(...)" could be semantically
>> changed to just invoking an empty function which effectively does nothing.
>> This would remove the need to do a pointer check in the first place. But maybe
>> I'm missing something subtle about why it has not been done in this context.
> Good idea, this eliminates the check:
> but you still have an indirect tail call (I think a direct tail call
> is the desired solution?)

Actually, if the goal is to do code patching of the call, I wonder
what makes it OK to "guess" all the call patterns generated by the compiler ?
AFAIU this is not an ABI in any way. For instance, a new compiler version could
choose to add some no-op instructions within this pattern just because it feels
like it.

For static jumps, we worked with the compiler people to add "asm goto ()" so
we could express a jump in assembly which would branch outside of the asm.
Emitting the jump in assembly allows us to control the exact code pattern,
which can then be patched, and the asm goto operands allow the compiler to
be in control of all the allowed branch targets.

I'm again possibly missing something, but it looks like this proposal of static_call()
(especially the static_cond_call part) is trying to just assume the common call
patterns generated by the compilers, and patch those. What is the expected behavior
if a compiler ends up generating unknown code patterns in future versions ?

I would think a more robust approach would be to, again, work with the compiler people
and introduce something like:

asm call ("asm goes here" : : : funcA, funcB, funcC )

which would allow patching the call emitted _in assembly_ between the various
available targets. Bonus points if the compiler can let the asm know whether
it's a standard call or tail-call.

Then once we have that, we can start doing fun stuff like adding a conditional
within the assembly, but I don't see why the conditional should be the same
variable as the actual function pointer: each can be changed independently as
long as the function pointer always points to a "valid" function (not NULL).



Mathieu Desnoyers
EfficiOS Inc.

Powered by blists - more mailing lists