lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231011074142.GK14330@noisy.programming.kicks-ass.net>
Date:   Wed, 11 Oct 2023 09:41:42 +0200
From:   Peter Zijlstra <peterz@...radead.org>
To:     Josh Poimboeuf <jpoimboe@...nel.org>
Cc:     Borislav Petkov <bp@...en8.de>,
        David Kaplan <david.kaplan@....com>, x86@...nel.org,
        luto@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] Revert "x86/retpoline: Remove
 .text..__x86.return_thunk section"

On Tue, Oct 10, 2023 at 02:22:54PM -0700, Josh Poimboeuf wrote:

> From: Josh Poimboeuf <jpoimboe@...nel.org>
> Subject: [PATCH] objtool: Fix return thunk patching in retpolines
> 
> With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail
> call to a return thunk ('JMP __x86_return_thunk').  Objtool annotates
> all such return sites so they can be patched during boot by
> apply_returns().
> 
> The implementation of __x86_return_thunk() is just a bare RET.  It's
> only meant to be used temporarily until apply_returns() patches all
> return sites with either a JMP to another return thunk or an actual RET.
> 
> The following commit
> 
>   e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines
> 
> broke objtool's detection of return sites in retpolines.  Since
> retpolines and return thunks are now in the same section, the compiler
> no longer uses relocations for the intra-section jumps between the
> retpolines and the return thunk, causing objtool to overlook them.
> 
> As a result, none of the retpolines' return sites get patched.  Each one
> stays at 'JMP __x86_return_thunk', effectively a bare RET.
> 
> Fix it by teaching objtool to detect when a non-relocated jump target is
> a return thunk.
> 
> Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section")
> Reported-by: David Kaplan <david.kaplan@....com>
> Signed-off-by: Josh Poimboeuf <jpoimboe@...nel.org>
> ---
>  tools/objtool/check.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index e308d1ba664e..556469db4239 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file)
>  			return -1;
>  		}
>  
> +		/*
> +		 * Since retpolines are in the same section as the return
> +		 * thunk, they might not use a relocation when branching to it.
> +		 */
> +		if (jump_dest->sym && jump_dest->sym->return_thunk) {
> +			add_return_call(file, insn, true);
> +			continue;
> +		}

*urgh*... I mean, yes, that obviously works, but should we not also have
the retpoline thingy for consistency? That case makes less sense though
:/

Perhaps warn about this instead of fixing it? Forcing people to play the
section game?

I dunno.. no real strong opinions.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ