lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5c77889ca6b988b0dff65136264bd1fb@overdrivepizza.com>
Date:   Wed, 23 Feb 2022 17:18:04 -0800
From:   Joao Moreira <joao@...rdrivepizza.com>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     x86@...nel.org, hjl.tools@...il.com, jpoimboe@...hat.com,
        andrew.cooper3@...rix.com, linux-kernel@...r.kernel.org,
        ndesaulniers@...gle.com, keescook@...omium.org,
        samitolvanen@...gle.com, mark.rutland@....com,
        alyssa.milburn@...el.com
Subject: Re: [PATCH 24/29] x86/text-patching: Make text_gen_insn() IBT aware

> +#ifdef CONFIG_X86_IBT
> +	if (is_endbr(dest))
> +		dest += 4;
> +#endif

Hi, FWIIW I saw this snippet trigger a bug in the jump_label infra where 
the target displacement would not fit in a JMP8 operand. The behavior 
was seen because clang, for whatever reason (probably a bug?) inlined an 
ENDBR function along with a function, thus the JMP8 target was 
incremented. I compared the faulty kernel to one compiled with GCC and 
the latter wont emit/inline the ENDBR.

The displacement I'm using in my experimentation is a few bytes more 
than just 4, because I'm also adding extra instrumentation that should 
be skipped when not reached indirectly. Of course this is more prone to 
triggering the bug, but I don't think it is impossible to happen in the 
current implementation.

For these cases perhaps we can verify if the displacement fits the 
operand and, if not, simply ignore and lose the decode cycle which may 
not be a huge problem and remains semantically correct. Seems more 
sensible than padding jump tables with nops. In the meantime I'll 
investigate clang's behavior and if it is really a bug, I'll work on a 
patch.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ