lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Feb 2022 17:18:04 -0800 From: Joao Moreira <joao@...rdrivepizza.com> To: Peter Zijlstra <peterz@...radead.org> Cc: x86@...nel.org, hjl.tools@...il.com, jpoimboe@...hat.com, andrew.cooper3@...rix.com, linux-kernel@...r.kernel.org, ndesaulniers@...gle.com, keescook@...omium.org, samitolvanen@...gle.com, mark.rutland@....com, alyssa.milburn@...el.com Subject: Re: [PATCH 24/29] x86/text-patching: Make text_gen_insn() IBT aware > +#ifdef CONFIG_X86_IBT > + if (is_endbr(dest)) > + dest += 4; > +#endif Hi, FWIIW I saw this snippet trigger a bug in the jump_label infra where the target displacement would not fit in a JMP8 operand. The behavior was seen because clang, for whatever reason (probably a bug?) inlined an ENDBR function along with a function, thus the JMP8 target was incremented. I compared the faulty kernel to one compiled with GCC and the latter wont emit/inline the ENDBR. The displacement I'm using in my experimentation is a few bytes more than just 4, because I'm also adding extra instrumentation that should be skipped when not reached indirectly. Of course this is more prone to triggering the bug, but I don't think it is impossible to happen in the current implementation. For these cases perhaps we can verify if the displacement fits the operand and, if not, simply ignore and lose the decode cycle which may not be a huge problem and remains semantically correct. Seems more sensible than padding jump tables with nops. In the meantime I'll investigate clang's behavior and if it is really a bug, I'll work on a patch.
Powered by blists - more mailing lists