lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 19 Oct 2021 00:25:30 +0000
From:   Alexander Lobakin <alobakin@...me>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     Alexander Lobakin <alobakin@...me>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, jpoimboe@...hat.com, andrew.cooper3@...rix.com,
        linux-kernel@...r.kernel.org, alexei.starovoitov@...il.com,
        ndesaulniers@...gle.com
Subject: Re: [PATCH 4/9] x86/alternative: Implement .retpoline_sites support

From: Alexander Lobakin <alobakin@...me>
Date: Mon, 18 Oct 2021 23:06:35 +0000

Sorry for double posting, should've include this from the start.

> Hi,
>
> Gave it a spin with Clang/LLVM, and
>
> > On Fri, Oct 15, 2021 at 04:24:08PM +0200, Borislav Petkov wrote:
> > > On Wed, Oct 13, 2021 at 02:22:21PM +0200, Peter Zijlstra wrote:
> > > > +static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes)
> > > > +{
> > > > +	void (*target)(void);
> > > > +	int reg, i = 0;
> > > > +
> > > > +	if (cpu_feature_enabled(X86_FEATURE_RETPOLINE))
> > > > +		return -1;
> > > > +
> > > > +	target = addr + insn->length + insn->immediate.value;
> > > > +	reg = (target - &__x86_indirect_thunk_rax) /
> > > > +	      (&__x86_indirect_thunk_rcx - &__x86_indirect_thunk_rax);
>
> this triggers
>
> > > I guess you should compute those values once so that it doesn't have to
> > > do them for each function invocation. And it does them here when I look
> > > at the asm it generates.
> >
> > Takes away the simplicity of the thing. It can't know these values at
> > compile time (due to external symbols etc..) although I suppose LTO
> > might be able to fix that.
> >
> > Other than that, the above is the trivial form of reverse indexing an
> > array.
> >
> > > > +
> > > > +	if (WARN_ON_ONCE(reg & ~0xf))
> > > > +		return -1;
>
> this:
>
> WARN in patch_retpoline:408: addr pcibios_scan_specific_bus+0x196/0x200, op 0xe8, reg 0xb88ca
> WARN in patch_retpoline:408: addr xen_pv_teardown_msi_irqs+0x8d/0x120, op 0xe8, reg 0xb88ca
> WARN in patch_retpoline:408: addr __mptcp_sockopt_sync+0x7e/0x200, op 0xe8, reg 0xb88ca
> [...]
> (thousands of them, but op == 0xe8 && reg == 0xb88ca are always the same)

SMP alternatives: WARN in patch_retpoline:408: addr __strp_unpause+0x62/0x1b0/0xffffffff92d20a12, op 0xe8, reg 0xb88ca
SMP alternatives: insn->length: 5, insn->immediate.value: 0xffae0989
SMP alternatives: target: 0xffffffff928013a0/__x86_indirect_thunk_r11+0x0/0x20
SMP alternatives: rax: 0xffffffff9223cd50, target - rax: 0x5c4650
SMP alternatives: rcx - rax: 0x8

Imm value and addr are different each time, the rest are the same.
target is correct and even %pS works on it, but this distance
between r11 and rax thunks (0x5c4650) doesn't look fine, as well as
rcx - rax being 0x8. Thunks are 0x11 sized + alignment, should be
0x20, and it is, according to vmlinux.map. Weird. Amps/&s?

> I know this reg calculation is about to be replaced, but anyway ;)
>
> > > Sanity-checking the alignment of those thunks?
> >
> > Nah, the target address of the instruction; if that's not a retpoline
> > thunk (for whatever raisin) then the computation will not result in a
> > valid reg and we should bail.
> >
> > > > +
> > > > +	i = emit_indirect(insn->opcode.bytes[0], reg, bytes);
> > > > +	if (i < 0)
> > > > +		return i;
> > > > +
> > > > +	for (; i < insn->length;)
> > > > +		bytes[i++] = BYTES_NOP1;
> > >
> > > Why not:
> > >
> > >         nop_len = insn->length - i;
> > >         if (nop_len) {
> > >                 memcpy(&bytes[i], x86_nops[nop_len], nop_len);
> > >                 i += nop_len;
> > >         }
> > >
> > > and then you save yourself the optimize_nops() call because it'll take
> > > the right-sized NOP directly.
> >
> > That's not immediately safe; if for some reason or other the original
> > instrucion is 15 bytes long, and we generated 2 bytes, then we need 13
> > nop bytes, the above will then do an out-of-bound array access (due to
> > the nops array only doing 8 byte nops at max).
> >
> > I wanted this code to be simple and obvious.
>
> Thanks,
> Al

Thanks,
Al

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ