| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Oct 2020 11:43:14 +0100
From: Dave Martin <Dave.Martin@....com>
To: Catalin Marinas <catalin.marinas@....com>
Cc: herbert@...dor.apana.org.au, linux-kernel@...r.kernel.org,
Jeremy Linton <jeremy.linton@....com>, davem@...emloft.net,
broonie@...nel.org, linux-crypto@...r.kernel.org,
Will Deacon <will@...nel.org>, ardb@...nel.org,
linux-arm-kernel@...ts.infradead.org
Subject: Re: [BUG][PATCH] crypto: arm64: Avoid indirect branch to bti_c
On Tue, Oct 06, 2020 at 11:25:11AM +0100, Catalin Marinas wrote:
> On Tue, Oct 06, 2020 at 11:01:21AM +0100, Dave P Martin wrote:
> > On Tue, Oct 06, 2020 at 09:27:48AM +0100, Will Deacon wrote:
> > > On Mon, Oct 05, 2020 at 10:48:54PM -0500, Jeremy Linton wrote:
> > > > The AES code uses a 'br x7' as part of a function called by
> > > > a macro. That branch needs a bti_j as a target. This results
> > > > in a panic as seen below. Instead of trying to replace the branch
> > > > target with a bti_jc, lets replace the indirect branch with a
> > > > bl/ret, bl sequence that can target the existing bti_c.
> > > >
> > > > Bad mode in Synchronous Abort handler detected on CPU1, code 0x34000003 -- BTI
> > > > CPU: 1 PID: 265 Comm: cryptomgr_test Not tainted 5.8.11-300.fc33.aarch64 #1
> > > > pstate: 20400c05 (nzCv daif +PAN -UAO BTYPE=j-)
> > > > pc : aesbs_encrypt8+0x0/0x5f0 [aes_neon_bs]
> > > > lr : aesbs_xts_encrypt+0x48/0xe0 [aes_neon_bs]
> > > > sp : ffff80001052b730
> > > >
> > > > aesbs_encrypt8+0x0/0x5f0 [aes_neon_bs]
> > > > __xts_crypt+0xb0/0x2dc [aes_neon_bs]
> > > > xts_encrypt+0x28/0x3c [aes_neon_bs]
> > > > crypto_skcipher_encrypt+0x50/0x84
> > > > simd_skcipher_encrypt+0xc8/0xe0
> > > > crypto_skcipher_encrypt+0x50/0x84
> > > > test_skcipher_vec_cfg+0x224/0x5f0
> > > > test_skcipher+0xbc/0x120
> > > > alg_test_skcipher+0xa0/0x1b0
> > > > alg_test+0x3dc/0x47c
> > > > cryptomgr_test+0x38/0x60
> > > >
> > > > Fixes: commit 0e89640b640d ("crypto: arm64 - Use modern annotations for assembly functions")
> > >
> > > nit: the "commit" string shouldn't be here, and I think the linux-next
> > > scripts will yell at us if we don't remove it.
> > >
> > > > Signed-off-by: Jeremy Linton <jeremy.linton@....com>
> > > > ---
> > > > arch/arm64/crypto/aes-neonbs-core.S | 6 +++---
> > > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/arch/arm64/crypto/aes-neonbs-core.S b/arch/arm64/crypto/aes-neonbs-core.S
> > > > index b357164379f6..32f53ebe5e2c 100644
> > > > --- a/arch/arm64/crypto/aes-neonbs-core.S
> > > > +++ b/arch/arm64/crypto/aes-neonbs-core.S
> > > > @@ -788,7 +788,7 @@ SYM_FUNC_START_LOCAL(__xts_crypt8)
> > > >
> > > > 0: mov bskey, x21
> > > > mov rounds, x22
> > > > - br x7
> > > > + ret
> >
> > Dang, replied on an old version.
>
> Which I ignored (by default, when the kbuild test robot complains ;)).
>
> > Since this is logically a tail call, could we simply be using br x16 or
> > br x17 for this?
> >
> > The architecture makes special provision for that so that the compiler
> > can generate tail-calls.
>
> So a "br x16" is compatible with a bti_c landing pad. I think it makes
> more sense to keep it as a tail call.
Just to be clear, I'm happy either way, but I thought it would make
sense to point this out.
Normally, "bti j" would be used just for weird stuff like jump tables,
but .S files all count as "weird stuff" to some extent -- so there are
no hard and fast rules.
Cheers
---Dave
Powered by blists - more mailing lists