| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Feb 2022 17:18:04 -0800
From: Joao Moreira <joao@...rdrivepizza.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: x86@...nel.org, hjl.tools@...il.com, jpoimboe@...hat.com,
andrew.cooper3@...rix.com, linux-kernel@...r.kernel.org,
ndesaulniers@...gle.com, keescook@...omium.org,
samitolvanen@...gle.com, mark.rutland@....com,
alyssa.milburn@...el.com
Subject: Re: [PATCH 24/29] x86/text-patching: Make text_gen_insn() IBT aware
> +#ifdef CONFIG_X86_IBT
> + if (is_endbr(dest))
> + dest += 4;
> +#endif
Hi, FWIIW I saw this snippet trigger a bug in the jump_label infra where
the target displacement would not fit in a JMP8 operand. The behavior
was seen because clang, for whatever reason (probably a bug?) inlined an
ENDBR function along with a function, thus the JMP8 target was
incremented. I compared the faulty kernel to one compiled with GCC and
the latter wont emit/inline the ENDBR.
The displacement I'm using in my experimentation is a few bytes more
than just 4, because I'm also adding extra instrumentation that should
be skipped when not reached indirectly. Of course this is more prone to
triggering the bug, but I don't think it is impossible to happen in the
current implementation.
For these cases perhaps we can verify if the displacement fits the
operand and, if not, simply ignore and lose the decode cycle which may
not be a huge problem and remains semantically correct. Seems more
sensible than padding jump tables with nops. In the meantime I'll
investigate clang's behavior and if it is really a bug, I'll work on a
patch.
Powered by blists - more mailing lists