| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jan 2021 13:33:13 -0600
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Mark Brown <broonie@...nel.org>
Cc: linux-kernel@...r.kernel.org, Mark Rutland <mark.rutland@....com>,
Jiri Kosina <jikos@...nel.org>,
Joe Lawrence <joe.lawrence@...hat.com>,
Jonathan Corbet <corbet@....net>,
Miroslav Benes <mbenes@...e.cz>,
Petr Mladek <pmladek@...e.com>, linux-doc@...r.kernel.org,
live-patching@...r.kernel.org
Subject: Re: [PATCH] Documentation: livepatch: document reliable stacktrace
On Wed, Jan 13, 2021 at 04:57:43PM +0000, Mark Brown wrote:
> From: Mark Rutland <mark.rutland@....com>
>
> Add documentation for reliable stacktrace. This is intended to describe
> the semantics and to be an aid for implementing architecture support for
> HAVE_RELIABLE_STACKTRACE.
>
> Unwinding is a subtle area, and architectures vary greatly in both
> implementation and the set of concerns that affect them, so I've tried
> to avoid making this too specific to any given architecture. I've used
> examples from both x86_64 and arm64 to explain corner cases in more
> detail, but I've tried to keep the descriptions sufficient for those who
> are unfamiliar with the particular architecture.
>
> I've tried to give rationale for all the recommendations/requirements,
> since that makes it easier to spot nearby issues, or when a check
> happens to catch a few things at once. I believe what I have written is
> sound, but as some of this was reverse-engineered I may have missed
> things worth noting.
>
> I've made a few assumptions about preferred behaviour, notably:
>
> * If you can reliably unwind through exceptions, you should (as x86_64
> does).
>
> * It's fine to omit ftrace_return_to_handler and other return
> trampolines so long as these are not subject to patching and the
> original return address is reported. Most architectures do this for
> ftrace_return_handler, but not other return trampolines.
>
> * For cases where link register unreliability could result in duplicate
> entries in the trace or an inverted trace, I've assumed this should be
> treated as unreliable. This specific case shouldn't matter to
> livepatching, but I assume that that we want a reliable trace to have
> the correct order.
Thanks to you and Mark for getting this documented properly!
I think it's worth mentioning a little more about objtool. There are a
few passing mentions of objtool's generation of metadata (i.e. ORC), but
objtool has another relevant purpose: stack validation. That's
particularly important when it comes to frame pointers.
For some architectures like x86_64 and arm64 (but not powerpc/s390),
it's far too easy for a human to write asm and/or inline asm which
violates frame pointer protocol, silently causing the violater's callee
to get skipped in the unwind. Such architectures need objtool
implemented for CONFIG_STACK_VALIDATION.
> +There are several ways an architecture may identify kernel code which is deemed
> +unreliable to unwind from, e.g.
> +
> +* Using metadata created by objtool, with such code annotated with
> + SYM_CODE_{START,END} or STACKFRAME_NON_STANDARD().
I'm not sure why SYM_CODE_{START,END} is mentioned here, but it doesn't
necessarily mean the code is unreliable, and objtool doesn't treat it as
such. Its mention can probably be removed unless there was some other
point I'm missing.
Also, s/STACKFRAME/STACK_FRAME/
--
Josh
Powered by blists - more mailing lists