| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Jan 2021 16:10:51 -0600
From: "Madhavan T. Venkataraman" <madvenka@...ux.microsoft.com>
To: Mark Brown <broonie@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Julien Thierry <jthierry@...hat.com>,
Josh Poimboeuf <jpoimboe@...hat.com>
Cc: Ard Biesheuvel <ardb@...nel.org>,
Michal Marek <michal.lkml@...kovi.net>,
Peter Zijlstra <peterz@...radead.org>,
Catalin Marinas <catalin.marinas@....com>,
Masahiro Yamada <masahiroy@...nel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-efi <linux-efi@...r.kernel.org>,
linux-hardening@...r.kernel.org, live-patching@...r.kernel.org,
Will Deacon <will@...nel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
Kees Cook <keescook@...omium.org>
Subject: Re: [RFC PATCH 00/17] objtool: add base support for arm64
Hi,
I sent this suggestion to linux-arm-kernel in response to the Reliable Stacktrace RFC from Mark Brown
and Mark Rutland. I am repeating it here for two reasons:
- It involves objtool.
- There are many more recipients in this thread that may be interested in this topic.
Please let me know if this suggestion is acceptable. If it is not, please let me know why.
Thanks.
Also, I apologize to all of you who have received this more than once.
FP and no-FP functions
=====================
I have a suggestion for objtool and the unwinder for ARM64.
IIUC, objtool is responsible for walking all the code paths (except unreachable
and ignored ones) and making sure that every function has proper frame pointer
code (prolog, epilog, etc). If a function is found to not have it, the kernel
build is failed. Is this understanding correct?
If so, can we take a different approach for ARM64?
Instead of failing the kernel build, can we just mark the functions as:
FP Functions that have proper FP code
no-FP Functions that don't
May be, we can add an "FP" flag in the symbol table entry for this.
Then, the unwinder can check the functions it encounters in the stack trace and
inform the caller if it found any no-FP functions. The caller of the unwinder can
decide what he wants to do with that information.
- the caller can ignore it
- the caller can print the stack trace with a warning that no-FP functions
were found
- if the caller is livepatch, the caller can retry until the no-FP functions
disappear from the stack trace. This way, we can have live patching even
when some of the functions in the kernel are no-FP.
Does this make any sense? Is this acceptable? What are the pitfalls?
If we can do this, the unwinder could detect cases such as:
- If gcc thinks that a function is a leaf function but the function contains
inline assembly code that calls another function.
- If a call to a function bounces through some intermediate code such as a
trampoline.
- etc.
For specific no-FP functions, the unwinder might be able to deduce the original
caller. In these cases, the stack trace would still be reliable. For all the others,
the stack trace would be considered unreliable.
Compiler instead of objtool
===========================
If the above suggestion is acceptable, I have another suggestion.
It is a lot of work for every new architecture to add frame pointer verification
support in objtool. Can we get some help from the compiler?
The compiler knows which C functions it generates the FP prolog and epilog for. It can
mark those functions as FP. As for assembly functions, kernel developers could manually
annotate functions that have proper FP code. The compiler/assembler would mark them
as FP. Only a small subset of assembly functions would even have FP prolog and epilog.
Is this acceptable? What are the pitfalls?
This can be implemented easily for all architectures for which the compiler generates
FP code.
Can this be implemented using a GCC plugin? I know squat about GCC plugins.
Thanks!
Madhavan
Powered by blists - more mailing lists