| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231012081656.GK6307@noisy.programming.kicks-ass.net>
Date: Thu, 12 Oct 2023 10:16:56 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Josh Poimboeuf <jpoimboe@...nel.org>
Cc: Borislav Petkov <bp@...en8.de>,
David Kaplan <david.kaplan@....com>, x86@...nel.org,
luto@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] objtool: Fix return thunk patching in retpolines
On Wed, Oct 11, 2023 at 07:47:37PM -0700, Josh Poimboeuf wrote:
> With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail
> call to a return thunk ('JMP __x86_return_thunk'). Objtool annotates
> all such return sites so they can be patched during boot by
> apply_returns().
>
> The implementation of __x86_return_thunk() is just a bare RET. It's
> only meant to be used temporarily until apply_returns() patches all
> return sites with either a JMP to another return thunk or an actual RET.
>
> The following commit
>
> e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines
>
> broke objtool's detection of return sites in retpolines. Since
> retpolines and return thunks are now in the same section, the compiler
> no longer uses relocations for the intra-section jumps between the
> retpolines and the return thunk, causing objtool to overlook them.
>
> As a result, none of the retpolines' return sites get patched. Each one
> stays at 'JMP __x86_return_thunk', effectively a bare RET.
>
> Fix it by teaching objtool to detect when a non-relocated jump target is
> a return thunk (or retpoline).
>
> Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section")
> Reported-by: David Kaplan <david.kaplan@....com>
> Signed-off-by: Josh Poimboeuf <jpoimboe@...nel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@...radead.org>
> ---
> tools/objtool/check.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index e308d1ba664e..e94756e09ca9 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -1610,6 +1610,22 @@ static int add_jump_destinations(struct objtool_file *file)
> return -1;
> }
>
> + /*
> + * An intra-TU jump in retpoline.o might not have a relocation
> + * for its jump dest, in which case the above
> + * add_{retpoline,return}_call() didn't happen.
> + */
> + if (jump_dest->sym && jump_dest->offset == jump_dest->sym->offset) {
> + if (jump_dest->sym->retpoline_thunk) {
> + add_retpoline_call(file, insn);
> + continue;
> + }
> + if (jump_dest->sym->return_thunk) {
> + add_return_call(file, insn, true);
> + continue;
> + }
> + }
> +
> /*
> * Cross-function jump.
> */
> --
> 2.41.0
>
Powered by blists - more mailing lists