lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231012081656.GK6307@noisy.programming.kicks-ass.net>
Date:   Thu, 12 Oct 2023 10:16:56 +0200
From:   Peter Zijlstra <peterz@...radead.org>
To:     Josh Poimboeuf <jpoimboe@...nel.org>
Cc:     Borislav Petkov <bp@...en8.de>,
        David Kaplan <david.kaplan@....com>, x86@...nel.org,
        luto@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] objtool: Fix return thunk patching in retpolines

On Wed, Oct 11, 2023 at 07:47:37PM -0700, Josh Poimboeuf wrote:
> With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail
> call to a return thunk ('JMP __x86_return_thunk').  Objtool annotates
> all such return sites so they can be patched during boot by
> apply_returns().
> 
> The implementation of __x86_return_thunk() is just a bare RET.  It's
> only meant to be used temporarily until apply_returns() patches all
> return sites with either a JMP to another return thunk or an actual RET.
> 
> The following commit
> 
>   e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines
> 
> broke objtool's detection of return sites in retpolines.  Since
> retpolines and return thunks are now in the same section, the compiler
> no longer uses relocations for the intra-section jumps between the
> retpolines and the return thunk, causing objtool to overlook them.
> 
> As a result, none of the retpolines' return sites get patched.  Each one
> stays at 'JMP __x86_return_thunk', effectively a bare RET.
> 
> Fix it by teaching objtool to detect when a non-relocated jump target is
> a return thunk (or retpoline).
> 
> Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section")
> Reported-by: David Kaplan <david.kaplan@....com>
> Signed-off-by: Josh Poimboeuf <jpoimboe@...nel.org>

Acked-by: Peter Zijlstra (Intel) <peterz@...radead.org>

> ---
>  tools/objtool/check.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index e308d1ba664e..e94756e09ca9 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -1610,6 +1610,22 @@ static int add_jump_destinations(struct objtool_file *file)
>  			return -1;
>  		}
>  
> +		/*
> +		 * An intra-TU jump in retpoline.o might not have a relocation
> +		 * for its jump dest, in which case the above
> +		 * add_{retpoline,return}_call() didn't happen.
> +		 */
> +		if (jump_dest->sym && jump_dest->offset == jump_dest->sym->offset) {
> +			if (jump_dest->sym->retpoline_thunk) {
> +				add_retpoline_call(file, insn);
> +				continue;
> +			}
> +			if (jump_dest->sym->return_thunk) {
> +				add_return_call(file, insn, true);
> +				continue;
> +			}
> +		}
> +
>  		/*
>  		 * Cross-function jump.
>  		 */
> -- 
> 2.41.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ